Brazil advances platform regulation following the supreme court’s ruling on the Brazilian internet bill of rights
The new rules strengthen notice-and-action mechanisms, duty of care obligations, and the ANPD’s regulatory role, while still raising important questions regarding scope and implementation.
The publication of Decrees No. 12,975/2026 and No. 12,976/2026 represents one of the first concrete regulatory moves by the Brazilian Executive Branch following the Brazilian Supreme Federal Court’s (STF) ruling on Article 19 of the Brazilian Internet Bill of Rights (Marco Civil da Internet). The new rules seek to establish operational standards for internet application providers in areas such as content moderation, risk management, handling of notices, digital advertising, and protection against online violence.
Against a backdrop of increasing regulatory pressure on digital platforms and the absence of comprehensive legislative reform by Congress, the decrees appear to operationalize part of the constitutional and regulatory discussions consolidated during the STF proceedings, particularly regarding platform liability and the strengthening of preventive obligations.
At the same time, the new framework still raises important questions regarding the limits of the Executive Branch’s regulatory authority, the scope of the so-called “duty of care,” the criteria for characterizing “systemic failure,” and the balance between content moderation and freedom of expression.
What changes for digital platforms
The new decrees introduce significant obligations for internet application providers, especially those involved in the intermediation of third-party content.
Topic | Previous framework | New regulatory framework |
| Platform liability | Predominantly based on Article 19 of the Marco Civil, centered on court orders | Expansion of preventive obligations and liability linked to systemic failure |
| Content moderation | Primarily reactive approach | Introduction of risk management and duty of care obligations |
| Notifications | No detailed infralegal procedural framework | Formalized notice-and-action structure |
| Criminal content | Removal generally tied to judicial proceedings | Possibility of removal following notification in several cases |
| Advertising and promoted content | Fragmented regulation | Presumed liability in certain circumstances |
| Transparency | Limited obligations | Expanded documentation, transparency, and governance duties |
| Enforcement | Fragmented institutional competences | Strengthened regulatory role of the ANPD |
| Online violence against women | Protection based on scattered legal provisions | Specific framework imposing operational obligations on platforms |
Comparative overview: what changes for digital platforms.
The decrees also formalize the obligation for certain providers to appoint a legal representative in Brazil, an issue previously discussed by the STF in other contexts.
The new framework further reinforces the concept of a “duty of care,” particularly regarding content related to terrorism, child sexual exploitation, crimes against women, discrimination, human trafficking, and attacks against the democratic rule of law.
Notice and action: a new regulatory workflow for notifications
The decrees consolidate a more detailed regulatory structure for handling extrajudicial notifications involving potentially unlawful or criminal content.
Expected workflow for handling notifications
Platforms must provide a permanent and easily accessible reporting channel
The provider must confirm receipt to the reporting party
- potential illegality
- legal qualification
- severity
- and the existence of any “reasonable doubt”
- removal
- maintenance of the content
- reduction of reach or visibility
- adoption of additional preventive measures
- the grounds for removal or maintenance
- available appeal mechanisms
- and any reconsideration procedures
Users may challenge the decision, with the possibility of reassessment by the platform.
Although the decrees preserve the requirement for judicial orders in certain situations, especially defamation-related offenses, the new model brings Brazil closer to international notice-and-action and preventive risk management frameworks.
Protection of women in the digital environment
Also enacted on the same date as part of Brazil’s broader platform regulation agenda, although not directly linked to the Marco Civil da Internet, Decree No. 12,976/2026 establishes a specific framework to address online violence against women, including measures aimed at expedited removal of intimate content, mitigation of coordinated attacks, and combating AI-generated intimate deepfakes.
The decree addresses issues such as:
Among the key measures introduced by Decree No. 12,976/2026 are:
Measure | Description |
| Expedited removal | Intimate content must be removed within 2 hours following notification |
| Re-upload blocking | Intimate content must be digitally tagged to prevent further circulation |
| Reach mitigation | Platforms must reduce visibility of coordinated attacks |
| Proactive action | Measures may be adopted even without prior notice |
| Enhanced protection | Priority treatment for cases involving political violence or women with public exposure |
| Intimate deepfakes | Prohibition on the generation and modification of intimate content through AI |
| Technical safeguards | AI tools must implement blocking and prevention mechanisms |
| Dedicated reporting channel | Mandatory permanent, free, and dedicated channel for victims |
The decree also establishes specific obligations for providers offering AI-based functionalities, including technical safeguards designed to prevent prohibited content generation requests.
How the decrees relate to the STF ruling
The decrees appear to operationalize part of the discussions developed by the STF in the Article 19 case, particularly regarding the need for more effective responses to the mass circulation of unlawful content and the expectation of diligent conduct by digital platforms.
STF debate | Reflection in the decrees |
| Insufficiency of a purely judicial Article 19 model | Expansion of notice-and-action mechanisms |
| Need for diligent platform conduct | Consolidation of the “duty of care” |
| Mass circulation of unlawful content | Introduction of the “systemic failure” concept |
| Protection of vulnerable groups | Specific framework for women |
| Liability linked to monetization and promoted content | Rules on advertising and sponsored content |
| Platform governance | Strengthening of the ANPD’s role |
At the same time, the decrees do not settle the legal debates initiated by the STF. Relevant uncertainties remain regarding:
These debates are likely to become even more relevant given that the STF ruling has not yet become final and binding, while part of the new framework appears to administratively translate constitutional discussions that are still evolving.
ANPD and the expansion of digital Governance
The decrees also reinforce the institutional role of the Brazilian Data Protection Agency (ANPD), granting it regulatory, supervisory, and enforcement powers related to the obligations imposed on digital platforms.
In practice, the new framework brings together data protection, platform governance, content moderation, and digital risk management, signaling the possible consolidation of a cross-sector digital regulator in Brazil.
Next steps for companies
In light of the new regulatory landscape, digital platforms and companies operating online should consider:
The decrees mark a new stage in Brazilian digital regulation and signal a significant movement by the Executive Branch toward a more active platform governance model in the post-STF landscape.
Although the new rules reinforce duty of care mechanisms, risk management obligations, and protections for vulnerable groups, the regulatory environment remains under development. Questions related to the scope of platform liability, the extent of the ANPD’s authority, and the limits of infralegal regulation will likely remain at the center of Brazil’s legal and regulatory debates in the coming months.
This analysis was prepared by our Technology, Innovation and Data Protection specialist, Danilo Roque.
