Nearly a decade after Brazilian magistrates first ordered WhatsApp blocked for refusing to hand over message contents it could not technically read, the country's encryption question remains officially unresolved. The Supreme Federal Tribunal (STF) has been deliberating two consolidated cases — ADPF 403 and ADI 5527 — since 2017, with several justices already on record favouring strong protections for end-to-end encryption but a final, binding judgment still pending. As Brazil layers new platform-regulation, AI, and child-safety proposals on top of the Marco Civil da Internet, lawmakers and courts will eventually have to settle whether mathematics that protects more than 200 million users can be ordered to bend.
The legal baseline: a privacy-forward constitution and an internet bill of rights
Brazil's encryption landscape rests on three statutory pillars. Article 5, XII of the 1988 Federal Constitution guarantees the inviolability of communications, with telephone interceptions allowed only by judicial order for criminal investigation. Law 12.965/2014, the Marco Civil da Internet, codifies network neutrality, due-process safeguards for content removal, and explicit duties to protect personal data. Law 13.709/2018, the Lei Geral de Proteção de Dados (LGPD), then operationalised data-protection rights and created the Autoridade Nacional de Proteção de Dados (ANPD).
None of these instruments mandates encryption, but together they make it the default expectation for any service that handles personal data. Under LGPD Article 46, controllers must adopt technical measures capable of protecting data from unauthorised access and unlawful destruction. ANPD's information-security guidance explicitly lists strong cryptography among those measures.
The unfinished STF judgment
The pending Supreme Court cases were triggered by 2015 and 2016 first-instance rulings that blocked WhatsApp nationwide after Meta's predecessor argued it could not surrender plaintext messages it never possessed. Rapporteurs Edson Fachin (ADPF 403) and Rosa Weber (ADI 5527) voted in 2020 to declare such blocks disproportionate and incompatible with the Marco Civil and the Constitution. Several colleagues followed, but the trial was suspended for further review and has not yet produced a binding final ruling.
That limbo has had a chilling effect that goes well beyond messaging apps. Without a definitive precedent, lower courts retain wide discretion to demand cryptographic capabilities providers cannot lawfully or technically deliver. Each new policy initiative — the long-running PL 2630/2020 disinformation bill, AI legislation under PL 2338/2023, fresh child-safety proposals — risks reopening encryption-undermining provisions in markup when judges cannot point to a clear constitutional ceiling.
Why backdoors flunk a proportionality test
From a pro-innovation, evidence-based vantage point, mandated exceptional access fails on three counts. First, it does not work as advertised. The technical literature has been consistent for a decade — from the 2015 Keys Under Doormats report by leading cryptographers to subsequent analyses by Brazil's own Núcleo de Informação e Coordenação do Ponto BR (NIC.br) — that any third-party access mechanism creates exploitable systemic weakness.
Second, the costs land unevenly on Brazilian small businesses, journalists, civil-society groups, indigenous communicators, and millions of users in regions where police abuse and political surveillance remain documented problems. The UN Special Rapporteur on freedom of expression has repeatedly underlined that strong encryption is a precondition, not an enemy, of Article 19 rights.
Third, mandates would push frontier technology offshore. Brazil already hosts a globally significant developer base, a thriving fintech sector built around the Central Bank's Pix infrastructure, and a growing privacy-tech industry. Forcing local providers to weaken cryptography while foreign rivals refuse to comply — or simply withdraw — would erode competitiveness without producing an investigative dividend.
What proportionate regulation looks like
Rejecting backdoors does not mean rejecting law enforcement. A coherent Brazilian approach can rest on four pillars:
- Targeted lawful access. Judicially supervised metadata orders, account-preservation requests under Marco Civil Articles 13–15, and device-level investigations remain available and effective.
- Transparency and oversight. Mandatory transparency reporting, independent auditing of intercept requests, and ANPD coordination would build public trust while keeping investigative tools sharp.
- Capacity-building. Investing in the Federal Police's cyber units, mutual legal assistance modernisation, and Brazil's engagement with the Budapest Convention's Second Additional Protocol would produce more evidence than any technical mandate.
- Statutory clarity. Congress can codify what the STF rapporteurs already articulated: that blocking decisions, capability mandates, and 'traceability' requirements must satisfy strict necessity and proportionality, with appellate review.
The 2026 stakes
Brazil sits at an unusual policy juncture. The country is finalising secondary regulation under LGPD, debating how to align platform liability with the STF's recent rulings on Marco Civil Article 19, and shaping its AI governance regime. Each track touches encryption: AI safety frameworks rely on confidential computing, platform liability rules can inadvertently mandate content scanning, and child-safety bills routinely propose client-side scanning regimes that would unravel end-to-end guarantees.
The cleanest path forward is for the STF to finish the judgment it began nine years ago, providing the constitutional anchor that legislators, regulators, and lower courts now lack.
A Brazil that protects its cryptographic baseline will not be one that shields criminals — it will be one that preserves the conditions for digital trust, economic dynamism, and the constitutional privacy promise of 1988. The longer the verdict waits, the more space opens for fragmentary, technically incoherent rules that everyone — users, builders, and investigators alike — will eventually regret.