Brazil's online safety conversation has entered a strange interregnum. There is no single new ruling, bill, or scandal driving the headlines this week — and yet the framework underneath everyone's feet has shifted decisively in the past year. The Supremo Tribunal Federal (STF) has reshaped intermediary liability under Marco Civil da Internet. The Autoridade Nacional de Proteção de Dados (ANPD) is steadily expanding its remit. Congress's stalled PL 2630 still casts a long shadow. The temptation now will be to fill the lull with maximalist proposals. Brazilian policymakers should resist it.
The Article 19 Reset
The most consequential change is the STF's 2025 ruling reinterpreting Article 19 of Marco Civil da Internet (Law 12.965/2014). Article 19 had long been Brazil's analogue to Section 230-style intermediary protection: platforms were liable for user content only after a specific court order to remove it. The court's revised reading, building on the joint judgment in RE 1037396 and RE 1057258, narrowed that shield for certain categories of manifestly unlawful content — most notably content involving children, incitement to violence, and coordinated attacks on democratic institutions.
Reasonable people can disagree about whether the court went too far or not far enough. What is harder to dispute is the consequence: platforms operating in Brazil now face a more granular, context-sensitive liability regime than in most of the democratic world. That is a workable outcome — if, and only if, the rest of the regulatory stack remains calibrated.
PL 2630 and the Risk of Layering
The so-called Fake News Bill, PL 2630, has been stuck in the Câmara dos Deputados since 2023. Successive versions have proposed duties of care, traceability obligations for messaging apps, and significant compliance burdens for any platform above a user threshold. The political appetite for revival ebbs and flows.
Reintroducing a maximalist version now would be a mistake. The STF has already done much of the work the bill was meant to address. Layering a broad statutory duty of care on top of a judicially expanded liability regime — without a clear empirical case that the gap remains — risks producing exactly the dynamic Europe is now grappling with under the Digital Services Act: over-removal, opaque appeals, and a chilling effect on smaller Brazilian platforms that lack the legal teams to navigate ambiguous obligations.
Good online safety regulation answers a specific harm with a specific tool. Bad regulation answers a diffuse anxiety with a sweeping statute.
The ANPD Lane
The ANPD has emerged as Brazil's most disciplined digital regulator. Its enforcement of the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) — including its 2024 intervention pausing Meta's use of Brazilian user data for AI training — has been notable for procedural clarity and proportionality. Decisions have been preceded by consultation, grounded in statutory text, and accompanied by reasoned public communication.
That is the template. Online safety obligations that touch personal data, profiling, or recommender systems should be channelled through the ANPD's existing rulemaking process wherever the LGPD already provides hooks, rather than spun up in parallel statutes. Two regulators racing to define overlapping duties is the fastest route to compliance theatre.
What Proportionate Looks Like
A pro-innovation, pro-speech online safety agenda for Brazil in 2026 should rest on three pillars:
- Narrow categorical rules, not omnibus duties. Where harm is clear and definable — child sexual abuse material, non-consensual intimate imagery, direct incitement — fast notice-and-action with judicial backstop works. Vague "systemic risk" duties do not translate well into a civil-law jurisdiction.
- Differentiated obligations by size and risk. The DSA's tiered approach has flaws, but the underlying instinct — that a 10-person Brazilian startup cannot bear the same obligations as a multinational — is correct. PL 2630's prior thresholds gestured at this; any revival should sharpen it.
- Transparency before sanction. Mandatory transparency reporting, researcher access, and audit rights produce more durable safety gains than headline fines. They also give Congress and the STF the empirical record needed to recalibrate later.
The Cost of Overreach
Brazil's internet economy is one of the largest in the Global South. The Instituto Brasileiro de Geografia e Estatística has reported that a substantial majority of Brazilians aged 10 and over now use the internet, and the country hosts a thriving fintech, creator, and SaaS ecosystem built on the assumption that platform access is durable and rules are predictable. A poorly calibrated online safety regime would not protect users from the harms it nominally targets; it would push smaller domestic platforms toward exit and entrench the incumbents who can absorb compliance cost.
The lesson from a decade of comparative regulation — from Germany's NetzDG to India's IT Rules to the DSA — is consistent: ambitious online safety statutes produce more litigation than safety in their first three years, and their actual harm-reduction record is contested. Brazil has the unusual luxury of watching that experiment play out elsewhere before committing.
A Quiet Moment Is an Opportunity
The absence of a galvanising news event is not a vacuum to be filled. It is space to do the unglamorous work: publish the empirical baseline on takedown volumes, define a clear coordination protocol between the STF, ANPD, and any future online safety body, and resist the urge to legislate around the next viral incident. Brazil's institutions have, on balance, handled the post-Article 19 transition with more care than critics predicted. The next twelve months should consolidate that, not unsettle it.