Decrees update Brazil’s Internet Bill of Rights and liability rules for ISPs and platforms

On May 21, 2026, Brazil’s President published Decree No. 12,975/2026 and Decree No. 12,976/2026 to amend existing regulations under the country’s Internet Bill of Rights  (Marco Civil da Internet – Law No. 12,965/2014) and establish new guidelines for how internet service providers and online platforms must operate in Brazil. Among other topics, the rules address data retention obligations, transparency, content moderation, and procedures for dealing with illegal content on digital platforms.

The decrees follow a landmark (though not yet final) ruling by Brazil’s Federal Supreme Court (STF), which declared Article 19 of the Internet Bill of Rights partially and progressively unconstitutional. Article 19 had shielded internet application providers from civil liability for third-party content unless they failed to comply with a specific court order directing removal.

In its decision, which established binding precedents under general repercussion Themes 987 and 533, the STF imposed a duty of care on application providers where serious illegal content circulates at scale. Under this framework, a provider is liable when a ‘systemic failure’ leads it to leave up content that constitutes one of the serious criminal offenses on a defined list. The ruling also establishes presumed liability when illicit content is disseminated through paid advertisements, algorithmic boosting, or coordinated inauthentic behavior. However, as the STF has yet to rule on pending motions for clarification, the decision may still be adjusted.

At the time of the ruling, the STF called on Brazil’s Congress to pass legislation on the matter, acknowledging that comprehensive regulation should come through the ordinary legislative process. Against that backdrop, the Executive Branch’s decision to regulate these issues by decree (in the absence of congressional action) may face challenges on constitutional and statutory grounds. Beyond the issues that were addressed by the STF, the decrees also introduce new rules on logging logical ports, restrictions on the use of artificial intelligence, and specific mechanisms to protect women from online violence.

The decrees also confer specific new powers on the Brazilian Data Protection Agency (ANPD), broadening its regulatory role in the digital sphere.

Decree No. 12,975/2026: updated regulation of the Internet Bill of Rights

Decree No. 12,975 amends Decree No. 8,771/2016 (the original regulatory decree implementing Brazil’s Internet Bill of Rights) with detailed platform obligations, liability mechanisms, and governance standards, including:

Local presence requirements

In line with the STF’s ruling, the decree establishes general requirements for providers to maintain a physical headquarters and a legal representative in Brazil. The representative must be authorized to respond to administrative and judicial proceedings, pay any penalties or fines imposed on the platform, and provide the relevant authorities with information about how the provider operates – including its rules and internal procedures.

Moderation, removal, and liability for third-party content

Consistent with the STF’s reasoning, Decree No 12,975/2026 updates the liability framework for platforms that host or intermediate user-generated content and lays out procedures for notifications, reviews, and the handling of unlawful or criminal content.

Providers that host or intermediate third-party content are subject to a duty of care, and may be found to have committed a ‘systemic failure’ if they do not promptly take down content involving specific categories of crimes – including terrorism, incitement to suicide or self-harm, hate crimes and discrimination, crimes against women, crimes against children and adolescents, human trafficking, and anti-democratic acts.

A systemic failure is tied to the provider’s inability to demonstrate that it adopted adequate measures to prevent or remove such content. The ANPD will assess compliance through oversight mechanisms and periodic reviews. The mere existence of isolated illegal content does not, by itself, amount to a systemic failure.

In addition to moderation obligations, platforms must maintain a permanent, easily accessible channel through which users can report unlawful or criminal content with specific identification of the material at issue. Upon receiving a valid notification, platforms must take down third-party content that constitutes a crime under Brazilian law. Platforms must consider the context of the posts, freedom of religion and belief, and whether the content serves informational, educational, or critical purposes – including satire and parody. Note that an exception applies to crimes against personal honor (such as defamation and slander under Brazil’s Penal Code) – for such offenses, a platform becomes liable only if it fails to comply with a specific court order directing removal.

The ANPD may issue further regulations covering operational details such as response deadlines, contestation procedures, and the categories of parties with standing to report illegal content.

Content-monitoring and moderation obligations under the decree do not apply to e-mail services, interpersonal instant-messaging communications, or restricted-access audiovisual communication services designed for meetings or interactions in controlled environments. Providers of these services are liable only if they fail to comply with a court order directing removal.

Advertisements, content boosting, and misleading, abusive or fraudulent advertising

Providers that offer paid advertising or content-boosting tools must take appropriate steps to prevent the placement of advertisements that constitute a crime or an unlawful act. They must also retain (for one year) information on each advertisement or boosted post, as well as the identity of the corresponding advertiser. A provider may be presumed liable for unlawful content disseminated through paid ads, paid boosting, or artificial distribution networks (e.g., bot networks), regardless of whether the platform received prior notification. However, a platform may avoid liability by demonstrating that it acted diligently within a reasonable time to take the content down.

Logical port logging

Decree No. 12,975/2026 provides that an existing obligation for internet service providers and platforms to retain IP address records now also encompasses the origin logical port (the numerical identifier that, when combined with an IP address, enables tracing internet activity to a specific device, which is particularly important when multiple users share the same IP address). This applies whenever the port number is necessary to identify the source terminal or the next network link, subject to the Internet Bill of Rights’ existing rules on judicial and administrative access to such data.

Decree No. 12,976/2026: protections against digital gender-based violence

Decree No. 12,976/2026 establishes guidelines and rules specifically aimed at protecting women online, with a focus on combating digital violence. Key provisions include:

Liability for systemic failures

Providers that host third-party content will be held liable for systemic failure if they do not immediately take down content that constitutes crimes or unlawful acts committed against women on the basis of their sex.

Notification and response timelines

Upon receiving a notification, platforms must remove:

• Content constituting crimes or unlawful acts against women in a digital environment within six hours if the content is manifestly illegal under the categories listed in the decree, or within 24 hours in other cases; and
• Non-consensual intimate images within two hours.

The ANPD may issue additional regulations governing these procedures.

Content produced or modified by digital technologies

Decree No. 12,976/2026 addresses intimate content that has been generated, altered, or disseminated through digital technologies, including artificial intelligence (e.g., deepfakes). Although neither the Brazilian Internet Bill of Rights nor the prior regulatory decree that implemented it contained such provisions, the new decree requires platforms that rely on AI functionalities or similar technologies to implement technical and procedural safeguards to identify and block requests to generate non-consensual intimate content.

Both Decree No. 12,975/2026 and Decree No. 12,976/2026 take effect 60 days from the date of publication (i.e., July 20, 2026).

For more information on this topic, please contact Mattos Filho’s Litigation & Arbitration and Technology practice areas.