AI Regulation Tracker / Regional standard
Ibero-America's Shared Privacy Rulebook Just Added AI, Neurodata and Automated-Decision Auditing
Regulatory summary: At the XXII RIPD encuentro in Cartagena de Indias (approved June 15, 2026), Ibero-American data-protection authorities updated the Estandares de Proteccion de Datos Personales para los Estados Iberoamericanos to add AI, automated decisions, biometrics, neurodata, algorithmic governance, human oversight and periodic auditing. It is a nonbinding reference standard, not enforceable.
At the XXII RIPD meeting in Cartagena de Indias, 20-plus Ibero-American data authorities updated the region's common standard to cover artificial intelligence, biometrics, neurodata, algorithmic governance and periodic auditing. It is nonbinding reference law, and it is crystallizing now.
Key takeaways
- The updated standard adds neurodata as a sensitive-data category, broadens automated-decision protection from exclusively automated to exclusively or essentially automated, and requires algorithmic governance, traceability, meaningful human oversight, continuous risk evaluation and periodic auditing for AI and automated processing.
- DPOs, privacy counsel, biometric and health-data controllers, HR teams running automated screening, and neurotechnology and wearable vendors operating across Ibero-America, including organizations regulated by Brazil's ANPD, which assumed the RIPD presidency at this meeting.
- Status: Approved by the RIPD assembly on June 15, 2026 in Cartagena de Indias.
- Map every essentially automated decision in your Ibero-American operations, confirm a qualified human can genuinely override each one, and open an audit trail now so you are ready when a member authority converts the reference standard into enforceable rules.
| Date | Jurisdiction | Rule | Affected professionals | Status or effective date |
|---|---|---|---|---|
| 2026-07-09 | Brazil | The updated standard adds neurodata as a sensitive-data category, broadens automated-decision protection from exclusively automated to exclusively or essentially automated, and requires algorithmic governance, traceability, meaningful human oversight, continuous risk evaluation and periodic auditing for AI and automated processing. | DPOs, privacy counsel, biometric and health-data controllers, HR teams running automated screening, and neurotechnology and wearable vendors operating across Ibero-America, including organizations regulated by Brazil's ANPD, which assumed the RIPD presidency at this meeting. | Approved by the RIPD assembly on June 15, 2026 in Cartagena de Indias. Forwarded to the Secretaria General Iberoamericana (SEGIB) for possible adoption at the Ibero-American Summit of Heads of State and Government. |
Frequently Asked Questions
Is the updated Ibero-American standard legally binding on my company today?
No. The Estandares de Proteccion de Datos Personales para los Estados Iberoamericanos are a nonbinding reference standard. They guide how member authorities write and interpret national law, but they do not create directly enforceable obligations or a compliance deadline on their own.
When and where was it approved?
The RIPD assembly approved the updated standard on June 15, 2026, at the XXII encuentro of Ibero-American data-protection authorities in Cartagena de Indias, Colombia.
What is the single most important operational change?
The shift from protecting against exclusively automated decisions to exclusively or essentially automated ones, paired with a requirement for qualified, significant and effective human intervention. A token human reviewer no longer satisfies the standard.
Does this affect companies regulated by Brazil's ANPD?
Yes, indirectly and increasingly. Brazil's ANPD assumed the RIPD presidency at this meeting, and the network's shared standard is a template ANPD and other members draw on when modernizing national rules. Prepare for convergence.
What should we do first if we operate across Ibero-America?
Map every essentially automated decision, confirm a qualified human can genuinely override each one, extend sensitive-data controls to biometric and neurodata processing, and open auditing and traceability logs now, before provisions harden into national law.
Internal links
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.