Brazil encryption policy

Brazil's Platform Decrees Shield Encrypted Messaging on Constitutional Grounds While Pushing Social Networks Into Fault-Liability Territory

Decrees 12,975 and 12,976 take effect July 20, 2026, exempting messaging and email from proactive moderation mandates while imposing strict removal timelines on social platforms.

Brazil's Platform Decrees: Key Numbers People of Internet Research · Brazil 148M Brazilian WhatsApp users Brazil is the world's 2nd-largest … 2 hours Intimate content deadline Social platforms must remove non-c… 60 days Compliance window Decrees published May 21 take effe… 24 hours General removal window Platforms have 24 hours to remove … peopleofinternet.com

Key Takeaways

A Decade After Marco Civil, Brazil Redraws the Platform Liability Map

For more than a decade, Article 19 of Brazil's Marco Civil da Internet (Law 12,965/2014) functioned as a near-absolute liability shield: platforms could not be held responsible for user-generated content unless they ignored a specific court takedown order. On June 26, 2025, that architecture was dismantled. Brazil's Supreme Federal Court (STF) ruled Article 19 partially unconstitutional, replacing the notice-and-takedown model with a fault-based regime in which platforms face civil liability for content they 'unequivocally knew' about and negligently failed to remove.

Decrees 12,975 and 12,976, signed by President Luiz Inácio Lula da Silva on May 20, 2026, and published in the Diário Oficial da União the following day, operationalize that ruling — and in places go further. Both take effect July 20, 2026, giving platforms a 60-day window to retool moderation pipelines, legal structures, and reporting channels. The more consequential architectural decision embedded in these decrees is one that digital rights advocates should credit: encrypted messaging, email, and videoconferencing services are left out of the new liability framework entirely.

The Encryption Carve-Out: Sound Principle, Imprecise Edges

Decree 12,975 states explicitly that 'private messaging, e-mail, and videoconferencing services are not subject to the new rules on the circulation of unlawful content, in light of the constitutional confidentiality of communications.' For these services, liability remains conditional on a court order — the original Article 19 standard, preserved in full.

The legal foundation is Article 5, XII of Brazil's Federal Constitution, which protects 'the secrecy of correspondence and telegraphic, data, and telephone communications, except, in the latter case, by court order.' The government's position is coherent: compelling a service that mediates private, sealed communications to proactively scan and moderate content is constitutionally impermissible. End-to-end encryption is not merely a product feature but an engineering reality — a service that cannot read message content cannot be expected to moderate it, and mandating backdoors or client-side scanning to make compliance possible would hollow out the constitutional guarantee the exemption is meant to honour.

In practical terms, this means WhatsApp — used by approximately 148 million Brazilians, making Brazil the second-largest WhatsApp market globally — operates under a fundamentally different legal regime than Facebook or YouTube. The exemption is consistent with the STF's 2017 cases ADPF 403 and ADI 5527, which established that Brazilian law does not authorise courts to order platform-side decryption. The new decrees build on, rather than contradict, that line of precedent.

What Public-Facing Platforms Must Now Do

For social networks, video platforms, and search engines, the obligations are substantial:

The ANPD (National Data Protection Authority) is empowered to supervise compliance and investigate systemic infractions — not individual posts, but patterns of platform conduct.

The Steelman: Why a Fault Standard Was Warranted

Before assessing the risks, the regulatory case deserves a fair hearing. The categories of content targeted by systemic failure liability — CSAM, terrorism, trafficking — are not edge cases. Brazil's digital landscape has seen social media weaponised for coordinated violence, electoral interference, and large-scale fraud. The STF's June 2025 ruling followed years of judicial frustration with platforms that responded sluggishly even to explicit court orders. A duty-of-care standard modelled loosely on the EU's Digital Services Act (Regulation 2022/2065) addresses genuine harms that reactive notice-and-takedown demonstrably failed to prevent.

Decree 12,976 addresses a specific failure mode: violence against women in digital spaces. The two-hour removal deadline for non-consensual intimate content responds to documented patterns in which images spread virally while takedown requests stalled for days. These are targeted, harm-specific interventions, not blanket speech controls.

The Risks That Remain Unresolved

The problem is not the principle — it is the precision. Legal scholars have flagged that terms like 'systemic failure' and 'adequate measures' carry no statutory definitions in the decrees. Whether ten violating posts constitute a systemic failure or whether a thousand do is currently a question each judge can answer differently. That ambiguity creates powerful incentives for platforms to over-remove borderline content to avoid liability — exactly the chilling effect Article 19 was originally designed to prevent.

The decrees also extend into territory the STF never analysed: new requirements covering AI-generated intimate content, logical port-level data retention for user identification, and content watermarking go beyond what the Court's June 2025 judgment addressed. These extensions may face their own constitutional challenges.

A Durable Framework Requires Legislative Follow-Through

The encryption carve-out reflects a coherent constitutional logic: sealed communications receive a different standard from public broadcasts, and that distinction should survive any content moderation law. But the broader liability framework needs what executive decrees cannot supply — a statutory definition of 'systemic failure' with clear thresholds, a safe harbour for good-faith moderation errors, and meaningful procedural protections for users whose content is removed without notice.

Brazil's Congress has been debating comprehensive platform legislation since before the STF ruled. The July 20 deadline now gives that debate an operational urgency. A decree that implements a court ruling is a beginning; a parliament that codifies clear standards is the only durable end.

Sources & Citations

  1. Casa Civil — Official Decree Announcement
  2. ANPD — Note on Marco Civil Decrees
  3. Licks Attorneys — Platform Rules Analysis
  4. TechPolicy.Press — STF Platform Liability Ruling
  5. GNI / InternetLab — From Shield to Scrutiny