at a glance
The Brazilian federal government has issued two Executive Orders (“Decrees”) to regulate Law No. 12,965/2014 (“Marco Civil da Internet”, or “MCI”), in the context of the Brazilian Supreme Court (STF) 2025 ruling that held Article 19 of the MCI partially unconstitutional. In that ruling, the Court found that conditioning platform liability on a prior court order is unconstitutional in cases involving seriously unlawful content, such as child pornography, terrorism, and hate speech, imposing on platforms a duty to act without waiting for judicial intervention.
Decree No. 12,975/2026 (“MCI Decree”) amends the regulations of the Marco Civil da Internet and establishes a new compliance framework for digital platforms that host user-generated content. Decree No. 12,976/2026 (“Women’s Protection Decree”) establishes specific rules for the protection of women online and for combating violence against women in the digital environment.
Both Decrees take effect 60 days after publication and have concrete compliance implications for companies operating digital services in Brazil. The Decrees set new compliance standards for digital platforms, though they are expected to prompt debate over the limits of executive regulatory power and the scope of obligations imposed by decrees.
WHO THE DECREE APPLIES TO
The MCI Decree applies to internet application providers, as defined by Article 5(VII) of Law No. 12,965/2014 (the “Marco Civil da Internet”) as the set of features accessible via an internet-connected device. In practice, this covers any internet-accessible digital service, including social networks, video platforms, marketplaces, forums, search engines, and similar services that allow users to publish or circulate content.
|
Out of scope: Email services, interpersonal messaging apps without public broadcast functionality, and videoconferencing or meeting services with pre-authorized participants are not subject to certain obligations under the MCI Decree. |
KEY OBLIGATIONS
→ Local representation and complaint channel. Platforms must maintain a registered office or legal representative in Brazil and provide a permanent, easily accessible channel for receiving reports of unlawful content.
→ Combating artificial distribution networks. Platforms must take active measures to prevent the operation of artificial networks used to distribute unlawful content, including automated amplification schemes for disinformation or illegal material.
→ Transparency and service security. Platforms must implement adequate means to ensure the security and transparency of their services.
KEY CONCEPT: SYSTEMIC FAILURE
|
WHAT IT IS The MCI Decree introduces the concept of systemic failure as a key trigger for platform liability arising from user-posted unlawful content. A systemic failure occurs when a provider fails to demonstrate that it has adopted adequate measures, consistent with the state of the art, to prevent or remove certain categories of criminal content, particularly where such content circulates on a mass scale. In this scenario, the platform is deemed to have breached its duty of care. |
|
Note: the existence of isolated unlawful content does not in itself constitute a systemic failure. Liability requires evidence of a structural problem in how the platform handles unlawful content. |
The duty of care applies to the following categories of content. A repeated failure to take appropriate measures to prevent or remove such content may constitute systemic failure:
- Terrorism
- Inducement to suicide or self-harm
- Incitement to discrimination based on race, color, ethnicity, religion, sexuality, or gender identity
- Crimes against women on grounds of their female sex
- Sexual crimes against vulnerable persons
- Sexual exploitation of children and adolescents
- Human trafficking
- Conduct related to attacks on the democratic rule of law
CONTENT REMOVAL AND LIABILITY
Under the MCI Decree, different obligations now coexist for internet application providers regarding the removal of unlawful user-generated content:
|
NEW REGIME Providers must take down user-generated content that constitutes a crime under Brazilian law, upon notification. |
PRIOR REGIME (ART. 19 MCI) For slander, libel, and defamation, platform liability continues to require a specific court order. |
A provider may only face administrative liability where it fails to act adequately to handle notifications. A standalone decision to keep or remove a specific piece of content is not, in itself, sufficient grounds for a sanction.
UNLAWFUL CONTENT NOTIFICATION PROCEDURE
The MCI Decree sets out how the complaint and content removal process must work:
| 1 |
Notification with minimum required elements The notifying party must identify the alleged unlawful conduct, the specific content to be removed, their own identifying information, and, where applicable, the legal basis for their standing to notify. The regulatory authority may establish eligibility criteria. Incomplete notifications may be rejected by the platform. |
| 2 |
Platform acknowledgment and review The platform must confirm receipt and assess the substance of the notification. |
| 3 |
Decision communicated to both parties The platform must notify both the reporting party and the user who posted the content of its decision: removal, retention, or reconsideration following a challenge. |
| 4 |
Right to appeal The user whose content was removed may challenge the removal decision. The competent authority may regulate the applicable timeframe for such challenges. |
PAID ADVERTISING AND CONTENT PROMOTION
Platforms that offer paid advertising or content promotion tools are subject to additional obligations:
- Adopt measures to prevent the contracting of unlawful content (misleading, abusive, or fraudulent advertising).
- Retain records of ads and advertisers for at least one year from the end of the campaign’s run.
- Remove irregular advertising content upon notification.
DECREE NO. 12,976/2026: PROTECTION OF WOMEN ONLINE
Alongside the MCI Decree, the government also published Decree No. 12,976/2026 – the Women’s Protection Decree – establishing specific rules for the protection of women online and for combating violence against women in the digital environment.
| 1 |
Duty of care and systemic failure Providers that intermediate user-generated content may be held liable for systemic failure to promptly take down content constituting crimes or unlawful acts against women on grounds of their female sex. |
| 2 |
Removal upon notification Providers must remove, in response to notifications, content constituting crimes or unlawful acts against women in the digital environment. |
| 3 |
Non-consensual intimate content The Decree establishes a specific rule for intimate content posted by third parties, which must be taken down within two hours of notification by the victim or their representative. The content must be disabled across the entire platform and digitally marked to prevent re-upload, as further regulated by the competent authority. |
| 4 |
Coordinated attacks In cases of coordinated attacks against women constituting gender-based violence, providers must adopt proportionate technical measures to promptly reduce the reach and visibility of such content. |
| 5 |
AI and intimate content The Decree prohibits the generation or alteration of third-party intimate content using artificial intelligence or equivalent technology. AI-based providers must implement technical and procedural safeguards to identify and block such requests, scaled proportionately to the platform’s volume of access and risk level. |
| 6 |
Response deadlines Pending further regulation by the regulatory authority, providers must remove notified content or inform the notifying party of the reasons for retention and available means of challenge, within: (i) six hours for manifestly illegal content related to the crimes or unlawful acts covered by the Decree; and (ii) twenty-four hours for other cases of violence against women in the digital environment. |
COMPETENT AUTHORITY
The Brazilian Data Protection Agency (Agência Nacional de Proteção de Dados – ANPD) becomes the authority responsible for regulating, supervising, and investigating violations related to user rights and platform obligations under the Decrees.
|
Expressly provided limits: the MCI Decree prohibits the regulatory authority from holding a platform administratively liable based solely on the retention or removal of an isolated piece of notified content. It also bars the authority from ordering the moderation of individual criminal or unlawful content items in isolation. In practice, regulatory enforcement is expected to focus on assessing overall provider diligence and structural failures, rather than reviewing individual content decisions. |
COMMENTARY: LIMITS OF EXECUTIVE RULEMAKING
|
The Decrees introduce a new set of obligations for digital platforms while simultaneously raising important questions about the limits of executive regulatory power. Although framed as implementing regulations of the Marco Civil da Internet, the texts create substantive obligations on sensitive matters, including content removal, risk management, transparency, information sharing with authorities, and rules governing advertising and content promotion.
This is expected to generate debate. While the Decrees already set new compliance rules, their enforcement may be challenged on grounds of insufficient legal basis and the breadth of obligations they impose on platforms. |