On December 1, 2026, Chile's Ley 21.719 enters into full force, creating the country's first dedicated data protection authority and a sanctions regime reaching up to 20,000 UTM, close to 1.4 billion Chilean pesos, per gravísima infraction. Five months earlier, Brazil's Congress is racing an electoral calendar that closes its legislative window in August 2026, the deadline by which the Marco Legal da Inteligência Artificial must clear the Chamber of Deputies or slide to 2027. Mexico, meanwhile, has already dissolved its data protection watchdog altogether.

No South American country has a dedicated AI statute in force yet. Brazil's PL 2338/2023 passed the Senate in December 2024 and has been stuck in a Chamber special committee since April 2025. Colombia's PL 043/2025 carries a presidential urgency message and proposes a new AI authority inside MinCiencias, still in committee. Argentina has several competing bills in Diputados, none enacted. That absence of AI-specific law does not mean an absence of exposure: existing data protection statutes, sector circulars and a newly dissolved regulator are already doing the enforcement work, unevenly, country by country.

The result is a region where the five largest jurisdictions move on five different clocks, and where the gap between "no AI law yet" and "no AI-related liability yet" is where most compliance failures happen.

Which South American countries have an AI-specific law already in force?

None of the five largest jurisdictions do, as of mid-2026. Brazil's Marco Legal da Inteligência Artificial, PL 2338/2023, was approved by the Federal Senate on December 10, 2024 by symbolic vote, then sent to the Chamber of Deputies, which created a Special Committee on April 4, 2025 under rapporteur Deputy Aguinaldo Ribeiro. As of mid-2026 the bill is still awaiting the rapporteur's report, and Brazil's presidential election on October 4, 2026 creates a de facto legislative window that closes around August 2026; if the Chamber does not vote by then, observers expect the bill to be deferred into 2027.

Colombia's effort, PL 043/2025 in the Senate and PL 324/2025 in the Chamber, was filed in September and October 2025, with a presidential urgency message attached the same month. It proposes a risk-based classification modeled on the EU AI Act, a regulatory sandbox, and a new Autoridad Nacional para la IA at the Ministry of Science, Technology and Innovation, and remains in the joint Comisiones Sextas of Senado and Cámara. Argentina has multiple parallel proposals, from Senator Silvia Sapag and Deputy Daniel Gollán, classifying AI systems by risk tier and prohibiting social-scoring and manipulative systems, none enacted. Mexico has no AI bill near passage; proposals to amend Article 73 of the Constitution for explicit federal AI legislative authority were introduced in 2025 and remain pending.

What happens when Chile's Ley 21.719 takes full effect on December 1, 2026?

Chile gets its first dedicated, autonomous data protection authority, the Agencia de Protección de Datos Personales, with real sanctioning power over any organization processing the personal data of people in Chile, regardless of where it is based. Ley 21.719 was published in the Diario Oficial on December 13, 2024, after a Comisión Mixta reconciled Senate and Chamber versions, and it carries a 24-month vacatio legis ending December 1, 2026. An interministerial Implementation Advisory Commission created by decree in 2025 has been drafting the Agency's initial binding instructions, and the Directive Council nominated to lead the Agency was still awaiting Senate confirmation as of May 2026, expected to assume office around October 2026, weeks before full enforcement begins.

The sanctions regime is tiered under Articles 34 bis through 35: leve infractions draw a written warning or a fine up to 5,000 UTM; grave infractions, such as processing personal data without a valid legal basis or failing to notify the Agency of a breach within 72 hours, draw up to 10,000 UTM; and gravísima infractions, including processing sensitive data such as health, biometric or union-membership information without a legal basis, draw up to 20,000 UTM. Repeat gravísima violations by larger companies can instead be fined up to 4% of annual Chilean revenue if that exceeds the triple-multiplier cap. For AI specifically, the law adds enforceable rights around automated decision-making and profiling absent from the 1999-era Ley 19.628 it replaces.

What governs AI in Brazil while the Marco Legal is stalled in Congress?

The Lei Geral de Proteção de Dados, principally through Article 20, which gives any data subject the right to request review of a decision made solely through automated processing of personal data, including decisions shaping a person's consumer, credit or professional profile. A 2019 attempt to require that review be conducted by a natural person was vetoed by the president, and Congress narrowly upheld that veto by a single Senate vote on October 2, 2019, so the LGPD does not explicitly mandate human review, though the ANPD and Brazilian courts have generally read Article 20's transparency duties as requiring a meaningful, documented human check rather than a rubber-stamped confirmation.

Enforcement has matured well beyond the ANPD's first public fine in July 2023. Under the dosimetry rules in Resolução CD/ANPD 4/2023, the ANPD can impose a fine of up to 2% of the infringing company's Brazilian revenue in its last fiscal year, capped at 50 million reais per infraction, alongside daily fines for continuing non-compliance. The most common triggers in ANPD proceedings are breach notification failures under Article 48, processing without a valid legal basis under Article 7, and missing a mandatory Data Protection Officer under Article 41. Companies deploying AI in Brazil today are judged against the LGPD's decade-old rulebook, not the risk tiers the Marco Legal would introduce.

How is Colombia regulating AI without a dedicated law yet?

Through the Superintendencia de Industria y Comercio's Circular Externa 002 of August 21, 2024, binding today even though PL 043/2025 is still in committee. The SIC, acting as Colombia's national data protection authority under Ley 1581 de 2012, used the circular to state that Habeas Data principles apply in full to personal data processed inside AI systems, regardless of the underlying technology, and it requires organizations to demonstrate idoneidad, necesidad, razonabilidad and proporcionalidad whenever personal data feeds an AI model or automated decision.

That means a company deploying AI in Colombia already has a documented compliance obligation, sourced from Ley 1581 plus Circular 002/2024, well before PL 043/2025's risk classification and new AI authority arrive. The bill proposes high-risk categories set by intended use and severity of potential harm, plus a regulatory sandbox letting the future Autoridad Nacional para la IA authorize controlled testing. Until it passes, Colombia's enforceable AI-data rulebook is the SIC circular, and it is the one regulators actually apply.

What did the dissolution of Mexico's INAI change for data protection enforcement?

It removed the country's independent, constitutionally autonomous privacy regulator and handed its functions to a body inside the executive branch. A constitutional reform of November 28, 2024 extinguished seven autonomous bodies including the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, and on February 20, 2025 Mexico published new versions of the Ley Federal de Protección de Datos Personales en Posesión de los Particulares and the Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados, both entering into force March 21, 2025. INAI's resources, open proceedings and enforcement functions transferred to the Secretaría Anticorrupción y Buen Gobierno, which now investigates complaints and imposes sanctions under both statutes.

Substantively, the ARCO-rights framework and legal bases for processing carried over largely unchanged, but neither statute was written with automated decision-making, algorithmic opacity or bulk training on public web data in mind, since both descend from 2010 and 2017-era text. Proposals to amend Article 73 of the Constitution to give Congress explicit authority to legislate on AI were introduced in 2025 and remain pending. For now, a company operating AI that touches Mexican personal data answers to a secretariat applying data protection law written before generative AI existed.

How should a compliance team track five uncoordinated regimes at once?

Start by separating "already enforceable" from "pending." Chile's Ley 21.719 becomes enforceable December 1, 2026; Brazil's LGPD Article 20 and the ANPD's dosimetry rules are enforceable today; Colombia's SIC Circular 002/2024 is enforceable today; Mexico's 2025 data protection statutes are enforceable today under a new regulator; and every dedicated AI bill in the region, in Brazil, Colombia and Argentina alike, remains pending.

JurisdictionCurrent AI-relevant instrumentDedicated AI law statusKey 2026 date
BrazilLGPD Art. 20 (automated decisions) + ANPD dosimetry (Res. 4/2023)PL 2338/2023, pending in Chamber committeeLegislative window closes around August 2026
ChileLey 19.628 (until replaced)No dedicated AI bill; data law covers profilingLey 21.719 fully in force December 1, 2026
ColombiaSIC Circular Externa 002/2024 + Ley 1581/2012PL 043/2025S, pending in Comisiones SextasPresidential urgency message active since September 2025
ArgentinaLey 25.326 (2000)Multiple pending bills, none enactedAAIP-aligned reform drafts in Congress through 2026
MexicoLFPDPPP and LGPDPPSO, both in force since March 21, 2025No dedicated AI bill near passageSecretaría Anticorrupción y Buen Gobierno now sole enforcer

Manually, that means reading five official gazettes in parallel and re-checking each one whenever a committee reports out a new bill draft or a regulator issues a new circular. Obsidian's per jurisdiction monitoring was built for that workload: it tracks each official source at the point of publication, flags the specific resolução, circular, ley or decreto touching a framework already on a company's watchlist, and turns five uncoordinated national tracks into one dashboard with dated alerts.

For teams that need the same sourced answer inside a workflow rather than a dashboard, that data is also available through the MCP, so an AI assistant already handling other compliance tasks can confirm whether Chile's Agency has published its first binding instruction yet, without a person re-verifying the source first. Obsidian's AI functions as a regulatory companion in that exchange, never a substitute for the compliance officer who signs off on the answer, it simply gets the sourced fact there before the deadline rather than after.

What should an AI and data governance team do next

Map exposure by instrument, not by country label. A team in Chile needs a Ley 21.719 readiness plan built around the December 1, 2026 enforcement date. A team in Brazil needs an LGPD Article 20 review process that withstands ANPD scrutiny today, regardless of the Marco Legal's fate. A team in Colombia needs to document idoneidad, necesidad and proporcionalidad under Circular 002/2024 now, not once PL 043/2025 becomes law. A team in Mexico needs to know its regulator is now a secretariat inside the executive branch, not an autonomous institute, which changes how a complaint is actually handled.

Obsidian's plans are built for this kind of multi-jurisdiction AI and data governance tracking, official source by official source, so the next ANPD resolution, SIC circular or Agencia de Protección de Datos instruction reaches the compliance team before it reaches a headline.