Twelve Years Later, the Framework Changes
Brazil's Marco Civil da Internet, enacted in 2014, was one of the world's first comprehensive internet rights laws — a landmark statute that many jurisdictions studied as a model for balancing free expression with platform accountability. Its Article 19 gave platforms liability protection conditioned on compliance with judicial removal orders, a design praised at the time for threading the needle between user rights and harm prevention.
That design is now substantially revised. On May 21, 2026, Brazil's executive branch published Decrees 12,975 and 12,976 in the Diário Oficial da União, fundamentally reordering how platforms are held accountable for serious unlawful content. Both take effect July 20, 2026.
The revision did not come from nowhere. In June 2025, Brazil's Supreme Federal Tribunal (STF) ruled that Article 19's judicial notice-and-takedown model was partially unconstitutional as applied to certain categories of grave harm — finding that the prior liability shield was structurally inadequate in an environment of algorithmic amplification. The decrees operationalize that ruling, but they go considerably further than the minimum the court required.
What the Decrees Actually Say
Decree 12,975 introduces a tiered liability structure anchored in a new concept: systemic failure. A platform faces liability not only when it ignores a specific court order but also when it cannot demonstrate that it maintained adequate and proportionate measures to prevent or respond to the spread of enumerated serious crimes. Those categories include terrorism, incitement to suicide or self-harm, hate crimes based on race or sexual orientation, violence against women, sexual crimes against minors, human trafficking, and anti-democratic conduct.
The practical inversion is significant. Under the old Article 19, the burden ran in one direction: plaintiffs had to obtain a court order, then show the platform ignored it. Under the systemic failure standard, platforms must affirmatively prove their moderation architecture meets the required threshold — or absorb liability for failures within those enumerated categories.
Decree 12,976 addresses non-consensual intimate content (NCII), including AI-generated sexual deepfakes. Platforms must remove such material within two hours of notice. After removal, they must apply digital fingerprinting to block automatic reposting — a measure designed to prevent victims from endlessly pursuing the same material across distributed uploads. The National Data Protection Authority (ANPD) is designated as the supervisory and enforcement body across both decrees, consolidating oversight previously fragmented across courts, the consumer protection agency SENACON, and sector regulators.
The Case for the Reform
Proponents make a defensible argument. The notice-and-takedown model was designed for a text-based internet. In a world of algorithmic amplification, viral CSAM, and AI-generated deepfakes, the judicial-order-first framework is functionally inadequate: by the time a court order issues, content may have circulated millions of times. The STF's 2025 ruling reflected exactly this structural gap.
Brazil's Internet Steering Committee (CGI.br) — itself a co-architect of the Marco Civil — issued a public statement acknowledging that the decrees legitimately implement the Supreme Court's decisions and endorsing ANPD as the appropriate consolidated regulator. CGI.br also welcomed the incorporation of its own "Application Provider Typology" into the liability framework. The two-hour NCII removal window has a specific harm-reduction rationale as well: intimate image abuse is disproportionately weaponized against women, and faster takedown meaningfully limits re-victimization.
The Legitimate Concerns
Several provisions are genuinely underspecified. The decrees do not precisely define what constitutes "adequate and proportionate measures" under the systemic failure standard, nor do they fully clarify thresholds for "massive circulation" relevant to certain provisions. This ambiguity invites litigation and may produce inconsistent enforcement — a risk that falls hardest on mid-tier platforms lacking the compliance teams to build out formal risk architectures.
The two-hour removal window is demanding. For a major platform with global-scale moderation infrastructure, two hours is achievable. For a smaller Brazilian-hosted service, it may require staffing investment that effectively concentrates the market toward incumbents. Compliance obligations that scale poorly by firm size tend to calcify market structure rather than just protect victims.
There is also a democratic-process concern worth taking seriously. Within 24 hours of publication, 26 legislative proposals to suspend or amend the decrees were filed in the Chamber of Deputies, primarily by right-wing lawmakers using nearly identical arguments. Reporting from Tech Policy Press (June 2026) characterizes the broader campaign as a coordinated pressure effort that extends beyond conventional lobbying — including geopolitical leverage through U.S. tariff threats citing Brazil's digital regulations. Whatever one thinks of the substantive rules, the procedural pathway matters for long-run legitimacy: regulations that bypass Congress generate fragile buy-in and invite reversal.
What ANPD Consolidation Means
The designation of ANPD as the primary platform enforcement body is arguably the most structurally durable change in the package. Brazil's data protection authority has been building regulatory capacity since the LGPD (General Data Protection Law) took effect in 2021. Consolidating platform governance under ANPD creates a single institutional counterparty for platforms operating in Brazil — more predictable than the prior multi-authority patchwork of courts, SENACON, and ANATEL.
Critically, the decrees prohibit ANPD from directing individual content removal decisions. Its mandate is systemic oversight: does the platform have adequate processes in place? This design is closer to the EU Digital Services Act's systems-audit model than to court-ordered content adjudication. Whether ANPD has the technical capacity and staffing to execute that mandate at scale is an open question, but the institutional design is sound.
The Broader Signal
Brazil is among the world's largest internet markets by users, and its regulatory choices carry weight across Latin America and in multilateral fora. The Marco Civil was globally influential in 2014; these decrees will be watched in Bogotá, Mexico City, and Jakarta as much as in Brussels.
The tension the decrees are navigating — between liability immunities designed for the text-web era and a harm landscape shaped by AI-generated content and algorithmic amplification — is not unique to Brazil. Every major jurisdiction is grappling with the same structural mismatch. Brazil's answer — proactive systemic accountability anchored in a Supreme Court ruling, with consolidated ANPD oversight — is coherent and proportionate in design, even if the implementation details need sharpening through secondary regulation.
The hard part starts July 20.