Brazil law enforcement data requests

Brazil's New Marco Civil Decrees Require Platforms to Preserve Port-Level Data for Police — The Attribution Logic Is Sound, the Due-Process Safeguards Are Not

Decrees 12.975 and 12.976 mandate TCP-port logging and in-country legal representatives, but omit the user-notice and warrant guardrails that make lawful access legitimate.

[Infographic, People of Internet Research (peopleofinternet.com): "Brazil's Marco Civil Decrees: Capacity Up, Safeguard…". Panels: 2 hours, NCII removal deadline; Jun 2025, STF struck Article 19; 60 days, Women's-rule effective date; 8.771, 2016 rule rewritten.]

Key Takeaways

On May 20, 2026, President Luiz Inácio Lula da Silva signed Decrees No. 12,975 and 12,976, published in the Diário Oficial da União the following day. The pair updates the regulation of the Marco Civil da Internet — Brazil's 2014 internet bill of rights — by rewriting Decree 8,771/2016, the implementing rule that had governed data retention and platform duties for a decade. The headline-grabbing provision is in Decree 12,976: social networks now have two hours to take down non-consensual intimate imagery after a victim's complaint. But the more consequential change for the architecture of state access to data sits in Decree 12,975, and it deserves a sober read.

What changed, precisely

Decree 12,975 obliges connection and application providers to preserve enhanced technical records — explicitly including the logical port of origin — whenever that information is necessary to unequivocally identify the terminal of origin. It requires platforms to maintain a headquarters and a legal representative in Brazil with powers to respond in both administrative and judicial spheres and to furnish competent authorities with the information needed to establish authorship and materiality once illegal content is identified. And it designates the Autoridade Nacional de Proteção de Dados (ANPD) — Brazil's data-protection authority — as the regulator with oversight and sanctioning competence over compliance (gov.br, Casa Civil; Ministério da Justiça).

The decrees are the executive's answer to the Supreme Federal Court (STF) ruling of June 26, 2025, which declared Article 19 of the Marco Civil partially unconstitutional and replaced the court-order-first liability model with a fault-based standard keyed to a platform's "unequivocal knowledge" of illicit content (Tech Policy Press).

The strongest case for the rule

Start with what the government gets right, because the technical premise is genuinely sound. Under carrier-grade NAT (CGNAT), the IPv4 shortage forces thousands of subscribers to share a single public IP address simultaneously. An IP address plus a timestamp — the data Brazilian law historically demanded providers keep — no longer identifies a person; it identifies a crowd. Without the logical port number, a lawful order to attribute a crime to an account is often technically impossible. Requiring providers to log the port of origin closes a real attribution gap that has frustrated legitimate investigations into fraud, child exploitation, and exactly the gendered abuse Decree 12,976 targets. Demanding an in-country legal representative is similarly defensible: years of slow mutual-legal-assistance treaty requests have left Brazilian courts waiting months for data held abroad. On the merits of attribution, the regulators are not inventing a problem.
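The attribution gap described above, as an added example (not code from the decrees or from any provider): a constructed CGNAT port-block log, where the record layout, the subscriber labels and the `candidates` helper are assumptions. It goes slightly beyond the text by showing that a port match still depends on synchronized timestamps between the application's log and the CGNAT log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PortBlockLease:
    """One CGNAT log record: a subscriber held a port block on a shared public IP."""
    subscriber: str   # constructed label, not a real identifier
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime

def t(hms):
    """Build a timestamp on a constructed sample day."""
    return datetime.fromisoformat(f"2026-01-15T{hms}")

# Constructed sample log: subscribers share 203.0.113.7 (documentation address range).
LOG = [
    PortBlockLease("sub-A", "203.0.113.7", 1024, 2047, t("10:00:00"), t("10:30:00")),
    PortBlockLease("sub-B", "203.0.113.7", 2048, 3071, t("10:00:00"), t("11:00:00")),
    PortBlockLease("sub-C", "203.0.113.7", 3072, 4095, t("10:05:00"), t("10:45:00")),
    # Block 1024-2047 is reassigned to sub-D five seconds after sub-A releases it.
    PortBlockLease("sub-D", "203.0.113.7", 1024, 2047, t("10:30:05"), t("11:00:00")),
]

def candidates(log, public_ip, when, src_port=None, skew=timedelta(0)):
    """Return the subscribers who could have originated the connection.

    src_port=None models the older IP-plus-timestamp record.
    skew widens the match window to cover clock drift between the
    application's log and the CGNAT log.
    """
    hits = set()
    for rec in log:
        if rec.public_ip != public_ip:
            continue
        if when + skew < rec.start or when - skew > rec.end:
            continue  # lease not active within the tolerated window
        if src_port is not None and not rec.port_lo <= src_port <= rec.port_hi:
            continue  # port falls outside this subscriber's block
        hits.add(rec.subscriber)
    return sorted(hits)
```

With the IP and timestamp alone the query returns three subscribers; adding the source port narrows it to one, and a five-second clock tolerance at the moment a block is reassigned makes the result ambiguous again.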

Where proportionality breaks down

The trouble is that the decrees expand the capacity for state access without building the constraints that make such access legitimate. Three gaps stand out.

First, there is no user-notification floor. Nothing in the framework requires that a person whose data is handed to authorities ever learns of it, even after an investigation closes. The risk is not hypothetical. In April 2026 the Electronic Frontier Foundation asked state attorneys general to investigate Google for quietly downgrading its promise to warn users of government demands — complying with an ICE subpoena and notifying the target only the same day, leaving no window to challenge an overbroad request (EFF). A preservation-and-forwarding regime that says nothing about notice invites precisely that opacity.

Second, the duty to "forward criminal content and the information needed to determine authorship and materiality" asks platforms to make a pre-judicial call about what is criminal. That inherits the vagueness the STF ruling was already criticized for. The Global Network Initiative warned that the Court left core concepts like "systemic failure" and "adequate measures" undefined, and that the category of unlawful content is "so broad that legitimate speech can easily be silenced" (GNI). Bolting a data-forwarding mandate onto an undefined illegality standard pushes private companies to over-report to avoid sanction — the surveillance analogue of over-removal.

Third, the choice of regulator is a mismatch. The ANPD exists to protect personal data from over-collection and misuse. Tasking it with policing platforms' cooperation in handing data to law enforcement points the agency's enforcement muscle in the opposite direction from its founding mandate. A body built to restrain data flows is now charged with compelling them.

There is also a structural concern: these are decrees, executive acts. Reshaping the terms on which the state reaches into private communications is the kind of decision that warrants the deliberation, amendment, and record of the legislative process — not a regulatory rewrite.

A proportionate path exists

None of this requires abandoning the legitimate goals. Port-level retention can be paired with a strict purpose limitation, a defined retention ceiling, and judicial authorization for access — the standard the Marco Civil itself established for stored records. A user-notice requirement, with narrow and time-limited gag exceptions a judge must approve, would let Brazilians contest overbroad demands without tipping off genuine targets. And the determination of what is "criminal" should remain where due process puts it: with courts, not with a platform's risk-management team. Brazil has built real attribution capability. The remaining work is to wrap it in the safeguards that distinguish a rule-of-law data regime from a surveillance one.

Sources & Citations

  1. gov.br — Casa Civil (decrees announcement)
  2. Casa Civil — Decretos atualizam Marco Civil (Decree 12.975/2026)
  3. Tech Policy Press — STF Article 19 ruling analysis
  4. Global Network Initiative — From Shield to Scrutiny
  5. EFF — Google's broken promise on government data demands