Key Takeaways
- LGPD (Lei nº 13.709/2018) is Brazil's data protection law, effective September 2020 and enforced from August 2021; the regulator is the ANPD.
- An FGV study found that none of the seven major cloud AI platforms it examined (ChatGPT, Gemini, Claude, Copilot, Grok, DeepSeek, Meta AI) fully complies with the LGPD across 14 criteria.
- A common cloud failure: privacy policies not available in Portuguese, a clear LGPD requirement.
- Cloud AI typically transfers data outside Brazil at inference time — LGPD restricts international transfers without safeguards.
- Running LLMs locally keeps data in-country at inference time, addressing the transfer issue at its root.
- Local AI is not a compliance silver bullet: you still need lawful basis, data-subject processes, and a DPO where required.
- This is informational, not legal advice. Consult a DPO or lawyer for your specific situation.
What Is the LGPD?
The LGPD (Lei Geral de Proteção de Dados, Lei nº 13.709/2018) is Brazil's general data protection law. It took effect in September 2020, with administrative sanctions enforceable from August 2021. The regulator is the ANPD (Autoridade Nacional de Proteção de Dados).
The LGPD applies to any organization that processes the personal data of individuals in Brazil, regardless of where the organization itself is located. Like the EU's GDPR, it has extraterritorial reach.
Core obligations relevant to AI use: a lawful basis for every processing activity, data-subject rights (access, correction, deletion, portability), data minimization, and restrictions on international data transfers without adequate safeguards. A privacy policy must be available in Portuguese.
Penalties reach up to 2% of the company's revenue in Brazil, capped at R$ 50 million per violation, alongside warnings, data-processing suspension, and public disclosure of the infraction.
📍 In One Sentence
The LGPD (Lei nº 13.709/2018) is Brazil's data protection law, enforced by the ANPD, requiring a lawful basis, data-subject rights, and restrictions on transferring personal data outside Brazil.
💬 In Plain Terms
The LGPD is Brazil's version of a privacy law like Europe's GDPR. If your company handles personal information about people in Brazil — names, emails, documents, anything that identifies someone — the LGPD says you must have a legal reason to do it, let people see and delete their data, and be careful about sending that data to other countries. The watchdog that enforces it is called the ANPD. Fines can reach 2% of your Brazilian revenue, up to R$ 50 million per violation.
Why Cloud AI Struggles with LGPD
A study from the Center for Technology and Society at FGV Direito Rio (part of its Platform Governance and Data Regulations project) assessed how major generative AI platforms meet LGPD obligations. It examined 14 criteria across ChatGPT, Gemini, Claude, Copilot, Grok, DeepSeek, and Meta AI — and found that none fully complied. Gemini, Claude, and Meta AI scored best, each meeting 10 of 14 criteria.
The most consistent failure was transparency: many platforms do not make their privacy policies available in Portuguese, which directly contradicts an LGPD requirement. The ANPD has also published a preliminary study on generative AI, signalling regulatory attention to the sector.
A second structural problem is data location. When you send a prompt to a cloud AI service, that data typically leaves Brazil and is processed on servers abroad. The LGPD restricts international transfers of personal data unless specific safeguards apply — so routine use of foreign cloud AI for personal or sensitive data carries transfer risk.
This is not legal advice. The table below summarizes publicly observable risk factors; consult a DPO or lawyer before relying on any platform for regulated data.
| Cloud AI Platform | Privacy Policy in PT? | Data Leaves Brazil? | LGPD Risk |
|---|---|---|---|
| ChatGPT | No | Yes | High |
| Gemini | Partial* | Yes | High |
| Claude | Partial* | Yes | High |
| Copilot | Partial* | Yes | High |
| DeepSeek | No | Yes | High |
| Grok | No | Yes | High |
| Meta AI | Partial* | Yes | High |
*"Partial" reflects mixed or incomplete Portuguese-language coverage at the time of the FGV study; verify the current status directly with each provider. All seven platforms had failures across the 14 LGPD criteria examined. This table summarizes risk factors and is not legal advice.
How Local AI Addresses Data Sovereignty
Running an LLM locally means inference happens on hardware you control — a laptop, a workstation, or an on-premise server. The prompts you send, the documents you feed in, and the responses generated never leave your infrastructure. There is no international data transfer at inference time, which removes the single largest LGPD friction point with cloud AI.
For a quick local setup, Ollama runs models with a single command on Windows, macOS, or Linux. For CPU-only servers or air-gapped environments, llama.cpp gives you fine-grained control. Both keep all processing local.
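The claim that prompts never leave your infrastructure only holds if every client actually points at a local runtime. The guard below is an added example, not code from Ollama or llama.cpp: it refuses any inference URL that is not loopback or an explicitly pinned on-premise IP. The function names and the allowlisted address are hypothetical; the default endpoint assumes Ollama's standard listen address.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: Ollama's default listen address.
DEFAULT_ENDPOINT = "http://127.0.0.1:11434"
# Hypothetical on-premise inference server, pinned by IP literal (constructed value).
ON_PREM_ALLOWLIST = {ipaddress.ip_address("10.20.0.15")}


def classify_endpoint(url: str) -> str:
    """Return 'loopback', 'on_prem' or 'external' for an inference URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return "external"
    if parts.scheme not in ("http", "https") or not host:
        return "external"
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name can be re-pointed abroad at any time, so only
        # IP literals are accepted as evidence of locality.
        return "external"
    if addr.is_loopback:
        return "loopback"
    if addr in ON_PREM_ALLOWLIST:
        return "on_prem"
    return "external"


def require_local(url: str) -> str:
    """Return the URL unchanged, or raise before any prompt is sent."""
    if classify_endpoint(url) == "external":
        raise ValueError(f"refusing to send prompts to non-local endpoint: {url}")
    return url


if __name__ == "__main__":
    # Constructed inputs, including two look-alike URLs that are not local.
    for u in (DEFAULT_ENDPOINT, "http://[::1]:11434", "http://10.20.0.15:11434",
              "https://api.example.com/v1", "http://127.0.0.1@api.example.com/",
              "http://127.0.0.1.example.com:11434"):
        print(f"{classify_endpoint(u):9} {u}")
```

Call `require_local()` once at client start-up, on the same URL the client will use, so a misconfigured base URL fails before any personal data is sent.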
Local AI is not a complete compliance solution on its own. You still need a lawful basis for processing personal data, processes to honour data-subject rights for any data you store in logs or databases, a data-retention policy, and internal data governance. Where your scale and data types require it, you still need a DPO. What local inference removes is the cross-border transfer problem — it does not remove your other LGPD obligations.
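Prompt logs are where a local deployment usually ends up storing personal data. The sketch below is an added example, not part of any runtime named on this page: it redacts CPF numbers (validated by their check digits) and e-mail addresses before a prompt is logged, and purges records past a retention window. The 30-day window, the function names and the sample data are assumptions, and names or other free-text identifiers are not covered.

```python
import re
from datetime import datetime, timedelta, timezone

CPF_RE = re.compile(r"\b(\d{3})\.?(\d{3})\.?(\d{3})-?(\d{2})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RETENTION = timedelta(days=30)  # assumption: take this from your retention policy


def cpf_is_valid(digits: str) -> bool:
    """Verify both CPF check digits (mod-11) so look-alike numbers are left alone."""
    if len(digits) != 11 or digits == digits[0] * 11:
        return False
    for n in (9, 10):
        total = sum(int(d) * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if (total * 10) % 11 % 10 != int(digits[n]):
            return False
    return True


def redact(text: str) -> str:
    """Replace valid CPFs and e-mail addresses before the text is persisted."""
    def cpf_sub(m: re.Match) -> str:
        return "[CPF]" if cpf_is_valid("".join(m.groups())) else m.group(0)
    return EMAIL_RE.sub("[EMAIL]", CPF_RE.sub(cpf_sub, text))


def log_record(prompt: str, now: datetime) -> dict:
    """Build the record allowed to reach disk: timestamp plus redacted prompt."""
    return {"ts": now, "prompt": redact(prompt)}


def purge_expired(records: list, now: datetime) -> list:
    """Drop records older than the retention window."""
    return [r for r in records if now - r["ts"] <= RETENTION]


# Constructed sample data: the first number has valid check digits, the second does not.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE_PROMPT = ("Resuma o contrato de Maria (CPF 123.456.789-09, "
                 "maria@example.com.br), pedido 123.456.789-00.")
SAMPLE_RECORDS = [
    log_record(SAMPLE_PROMPT, NOW - timedelta(days=1)),
    log_record("Traduza esta carta", NOW - timedelta(days=61)),
]

if __name__ == "__main__":
    print(SAMPLE_RECORDS[0]["prompt"])
    print(len(purge_expired(SAMPLE_RECORDS, NOW)), "record(s) kept")
```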
This is informational, not legal advice. A local deployment should be reviewed by your DPO or legal counsel as part of an overall compliance program.
Recommended Setup for Brazilian Businesses
A practical, LGPD-friendly local AI stack for most Brazilian businesses combines an easy runtime with a capable Portuguese-language model. For the model side specifically, see our companion guide on the best local LLMs for Brazilian Portuguese.
- Runtime — Ollama (recommended): one-command install and model management on Windows, macOS, or Linux. Best starting point for most teams.
- Runtime — LM Studio: a graphical interface for non-technical users; supports loading GGUF models directly.
- Model — Qwen3 8B: strong Brazilian Portuguese, runs on 8GB VRAM. `ollama run qwen3:8b`.
- Model — Qwen3 14B: higher quality for nuanced Portuguese, needs ~9GB VRAM. `ollama run qwen3:14b`.
- Model — Llama 3.1 8B: competitive Portuguese alternative, also on Ollama. `ollama run llama3.1:8b`.
- Hardware: any machine with 8GB+ RAM runs small models CPU-only; 16GB RAM (or 8GB+ VRAM GPU) gives usable interactive speed for 8B models; 16GB+ VRAM for 14B models.
Cloud AI vs Local LLM for LGPD
The comparison below focuses on the LGPD-relevant differences between using a foreign cloud AI service and running a local LLM on your own infrastructure.
| Factor | Cloud AI (ChatGPT/Gemini/Claude) | Local LLM (Ollama + Qwen3) |
|---|---|---|
| Data location | Servers abroad | Your own hardware in Brazil |
| Privacy policy in Portuguese | Often missing or partial | You control documentation |
| International transfer risk | High (data leaves Brazil) | None at inference time |
| Inference data control | Provider-controlled | Fully yours |
| Implementation cost | Low setup, per-use fees | Hardware upfront, no per-use fees |
| ANPD audit exposure | Higher (transfer + transparency gaps) | Lower for data residency |
| DPO oversight needed | Yes | Yes (local AI does not remove this) |
Local deployment reduces data-residency and transfer risk but does not, by itself, deliver full LGPD compliance. This table is informational, not legal advice.
FAQ
Does running a local LLM make my company LGPD compliant?
No — not by itself. It helps significantly with data residency, because data never leaves your infrastructure at inference time. But you still need a lawful basis for processing, data-subject rights processes, data-retention policies, and a DPO where required. This is informational, not legal advice.
Is it illegal for Brazilian companies to use ChatGPT or Gemini?
Not automatically. Using cloud AI is not banned, but organizations may face ANPD scrutiny — especially when processing sensitive personal data through services that transfer data abroad without adequate safeguards or lack a Portuguese privacy policy. Assess the risk with your DPO.
What data stays local when I run an LLM locally?
Everything involved in inference: the prompts you send, any documents you feed the model, and the responses it generates. None of this leaves your machine or server during processing.
Do I still need a DPO if I use local AI?
It depends on your processing scale and the types of data you handle. Local AI simplifies the data-residency picture but does not remove DPO obligations. Confirm your specific requirement with legal counsel.
Which local LLM works best for Portuguese?
Qwen3 8B is the strongest practical choice for most users, with Sabiá-3 from Maritaca AI offering the highest Portuguese quality. See our companion guide: best local LLMs for Brazilian Portuguese.
Can I run local AI on a standard business laptop?
Yes. Qwen3 8B runs on a machine with 16GB RAM at roughly 2–4 tokens/sec CPU-only via Ollama. With a GPU (8GB+ VRAM), interactive speed jumps to 15–20 tokens/sec.
What is the ANPD?
The ANPD (Autoridade Nacional de Proteção de Dados) is Brazil's national data protection authority, established under the LGPD to oversee and enforce the law. Official guidance is at gov.br/anpd.
Is the FGV study official government guidance?
No. The study comes from the Center for Technology and Society at FGV Direito Rio, an academic institution. For official guidance, consult the ANPD at gov.br/anpd.
What about LGPD for HR and employee data in AI tools?
Employee and candidate data is personal data under the LGPD, and HR processing often involves sensitive categories. Feeding such data into cloud AI raises transfer and lawful-basis questions; local AI keeps it in-house, but you still need governance. Review with your DPO.
How does the LGPD compare to the GDPR?
They share a structure: both grant data-subject rights, require a lawful basis, and restrict international transfers. LGPD penalties reach up to 2% of Brazilian revenue, capped at R$ 50 million per violation — lower nominal caps than GDPR, but enforced by Brazil's ANPD.
Sources
- FGV Direito Rio, Center for Technology and Society. "Study assesses how generative AI platforms fulfill legal obligations in the processing of personal data." Platform Governance and Data Regulations project — https://portal.fgv.br/en/noticias/study-assesses-how-generative-ai-platforms-fulfill-legal-obligations-processing-personal
- ANPD (Autoridade Nacional de Proteção de Dados). Preliminary study on generative AI — referenced via Future of Privacy Forum analysis, fpf.org
- Brazil. Lei nº 13.709/2018 (Lei Geral de Proteção de Dados Pessoais — LGPD). Official text — planalto.gov.br