Federal Government issues Decrees establishing new rules for application providers

In brief

The Brazilian President has issued Federal Decrees No. 12,975 and No. 12,976/2026, published on May 21, 2026, which introduce significant obligations for internet application providers. Many of these obligations relate to the guidance established by the Brazilian Supreme Court in the judgment of Themes 987 and 533, which address the liability of internet application providers for third-party generated content, pursuant to Article 19 of the Brazilian Internet Legal Framework. There are, however, relevant innovations.

The Decrees expand the duties of diligence, transparency, and governance of application providers, detail hypotheses of liability, establish obligations related to content removal and moderation, and reinforce the role of these agents in preventing and combating digital unlawful acts. The Brazilian Data Protection Agency (ANPD) will now exercise regulatory, supervisory, and enforcement functions related to compliance with these obligations. Additionally, a specific regime has been established to address violence against women in the digital environment, imposing specific duties and significantly reduced deadlines for action by application providers.

Background

Federal Decrees No. 12,975 and No. 12,976/2026 implement relevant changes to the legal framework applicable to internet application providers, with direct impact on content moderation practices, risk management, and civil liability.

Decree No. 12,975/2026 amends Decree No. 8,771/2016, which regulates the Internet Legal Framework, introducing new obligations and expanding the duty of care regarding third-party generated content. The text reflects the understanding adopted by the Supreme Court regarding the requirement that every internet application provider establish headquarters and appoint a legal representative in Brazil, with powers to respond administratively and judicially, provide information to competent authorities, comply with court orders, and bear penalties and fines, among other duties. According to the Decree, the representative must necessarily be a legal entity.

The Decree also requires the provision of a permanent and easily accessible channel for the receipt of complaints, going beyond the Supreme Court’s decision by regulating the notice-and-takedown procedure and by establishing minimum – though broad – requirements for the validity of notices. It further imposes the duty to acknowledge receipt of notices, assess their content, and communicate, with reasoning, the decision to remove or maintain the content. In addition, it provides that the competent authority may regulate the forms of notification and appeal, as well as the respective procedures and the deadlines for response and content removal.

In this context, the Decree also reflects a concern with the potential abuse of the expanded notification regime, by allowing the internet application providers to keep the content available when, after a diligent and reasoned analysis, they conclude that there is reasonable doubt as to its unlawful nature. In such cases, providers must consider the proportionality between the identified doubt and the severity of the potential unlawful act and must inform the notifier of the reasons for not making the content unavailable. The Decree further underscores the importance of a contextual analysis of the content to ensure freedom of expression, freedom of religion and belief, as well as any informational, educational, or critical, satirical, or parodic purposes.

With respect to liability, the text incorporates the concept of “systemic failure” mentioned in the Supreme Court’s decision, which may give rise to providers’ liability in the event of omission in the proactive unavailability of unlawful content considered severe, such as those related to terrorism, crimes against children and adolescents, human trafficking, incitement to violence or discrimination, among others. As an innovation in relation to the Supreme Court’s decision, the Decree establishes that the assessment of the occurrence of systemic failure will be carried out by the competent authority, considering the provider’s ability to demonstrate the adoption of appropriate measures for the prevention and mitigation of systemic risks.

On the other hand, the Decree also establishes that, in the assessment of administrative liability, the competent authority must evaluate the provider’s diligent, proportionate, and prompt conduct in handling the notifications received. Liability based solely on the isolated maintenance or removal of content subject to notification is prohibited.

The Decree also provides for hypotheses of presumed liability, notably when unlawful content is disseminated through paid advertisements, boosted content, or artificial distribution networks, allowing for the exclusion of liability upon proof of diligent and timely action. With respect to paid advertisements, application providers that, for remuneration, make available tools for advertising or boosting content, must retain information on each advertisement or boost, as well as on the respective advertisers, for one year counted from the end of the dissemination.

Additionally, an obligation to report unlawful acts to public authorities is established. Upon identifying or concluding that criminal content exists, providers must forward the material and the information necessary to identify authorship and the materiality of the crimes to the competent authorities. The Decree does not specify which entities should receive such data, indicating that this will be regulated by the Secretariat of Justice and Public Security.

In line with the Supreme Court’s decision, the Decree preserves the application of Article 19 of the Internet Legal Framework to crimes and unlawful acts against honor, which remain conditioned, for liability purposes, on the failure to comply with a specific court order. Furthermore, it establishes that, in the event of successive replications of content previously recognized as unlawful by judicial decision, all providers must remove identical content, regardless of new court orders, upon judicial or extrajudicial notice. This is a relevant point, as it impacts the rights of providers that did not participate in the judicial proceedings that originated the removal order.

As another innovation, the Decree imposes on application providers the obligation to retain the logical port of origin associated with the IP address, regardless of prior request, whenever necessary to enable the unequivocal identification of the originating terminal or the next network hop. This is a matter widely debated in case law and not addressed in the Supreme Court’s decision. In addition, the Decree requires the removal of advertising deemed misleading or fraudulent based solely on extrajudicial notice.

Finally, the Decree assigns to the Brazilian Data Protection Agency (ANPD) the competence to regulate, supervise, and investigate violations related to the duties imposed on providers, as well as to require the adoption of self-regulatory mechanisms and the publication of periodic transparency reports. In this context, the ANPD – which has recently been entrusted with overseeing violations of the rights of children and adolescents in the digital environment, under the so-called “Digital ECA” – now accumulates new responsibilities within a short period of time.

Decree No. 12,976/2026, in turn, establishes a specific regime aimed at protecting women against violence on the internet, adopting a broad definition of digital violence, which includes conduct such as harassment, stalking, the disclosure of intimate content without consent – including content generated or altered by artificial intelligence – and gender-based political violence.

The Decree imposes on providers the duty to make unlawful content unavailable upon notification received through an official and dedicated channel made available by the application provider, with reduced response deadlines, including the removal of unauthorized intimate content within up to two hours, and of other infringing content within up to six or twenty-four hours. It also provides for the adoption of technical measures to block the resubmission of such materials.

Additionally, it establishes the obligation of proactive measures to reduce the reach and visibility of coordinated attacks against women, including independently of prior notice in certain cases. The Decree also prohibits the generation or modification of intimate content through artificial intelligence and requires the implementation of technical safeguards to prevent such practices, as well as providing for the creation of institutional mechanisms aimed at prevention, protection, and support of victims.

Both Decrees establish a sixty-day period for their entry into force.

Our team also notes that the Supreme Court has determined that the pending motions for clarification filed against the judgment that partially declared Article 19 of the Internet Legal Framework partially unconstitutional will be heard in a virtual session between May 29 and June 9, 2026. This decision may impact the interpretation of the Decrees at issue.