From Safe Harbor to State Oversight: How Brazil Is Redrawing the Limits of Online Free Speech
Abstract — This article analyzes the shift in Brazil’s content-moderation regime away from the judicial-order model of Article 19 of Brazil’s Internet Act (Law No. 12,965/14) toward continuous regulatory supervision, following the Federal Supreme Court’s June 2025 ruling and Decrees No. 12,975/2026 and No. 12,976/2026, which impose new obligations and liabilities on digital platforms. It argues that, despite legitimate aims, their institutional design encourages defensive, excessive content removal and raises constitutional concerns about the limits of the Executive’s rule-making power.
Keywords: Brazil’s Internet Act; intermediary liability; content moderation; freedom of expression; platform regulation; ANPD.
Law No. 12,965/14 (known as the “Marco Civil da Internet”, or “Brazil’s Internet Act”) was the product of a broad, intense, and democratic public consultation involving the legislature, civil society, academia, and technology companies, and over the past decade it has established itself as one of the most sophisticated legal frameworks in the world on digital governance. Its greatest merit may have been precisely the institutional balance it struck between freedom of expression, net neutrality, accountability, and legal certainty.
At the center of that architecture has always stood Article 19 of Brazil’s Internet Act, which provided that internet application providers could be held civilly liable for third-party content only if they failed to comply with a specific court order requiring its removal. This principle was meant to prevent censorship from being privatized and to stop platforms from removing content preemptively for fear of being held liable later.
This model reached a significant turning point with the decision of the Federal Supreme Court (Supremo Tribunal Federal - STF), in June 2025, which declared Article 19 of Brazil’s Internet Act partially unconstitutional and began to allow, in certain circumstances, platforms to be held liable even without a prior court order, particularly in cases of inaction following notices regarding unlawful content.
It is true that the STF’s ruling may be understood as an institutional response to the repeated failures of large digital platforms to curb the circulation of manifestly criminal, fraudulent, or seriously harmful content. In a context of expanding disinformation, online scams, digital violence, and abusive content amplified on a large scale, it has become increasingly difficult to sustain an absolute operational neutrality on the part of technology companies.
Nevertheless, by relaxing the requirement of a prior court order as the central condition for the civil liability of providers, the decision ultimately set in motion a gradual erosion of one of the structural pillars of Brazil’s Internet Act itself: the notion that restrictions on the circulation of content should, as a rule, stem from independent judicial decisions, and not from private decisions made under regulatory pressure or the risk of future liability.
This is because the model originally conceived by Article 19 did not seek to protect unlawful content, but rather to prevent digital platforms from being turned into preemptive arbiters of the legality of public discourse. The logic was simple: in cases of doubt, it would fall to the Judiciary — and not to private companies — to define the boundaries between freedom of expression, abuse, unlawfulness, and liability.
By weakening this mechanism, even if out of legitimate concerns, the STF significantly altered the economic and legal incentives that structured digital content moderation in Brazil. The practical consequence was the strengthening of a logic of defensive removal, in which platforms come to take down content in an increasingly broad and preemptive manner in order to avoid regulatory risks, even in situations that are legally controversial or open to interpretation.
It is against this backdrop that the recent presidential decrees published by the federal government represent a new and significant step in the regulatory transformation of the Brazilian digital environment. Issued jointly and published on May 21, 2026, Decree No. 12,975/2026 (which amends Decree No. 8,771/2016 and reforms the general regime of duties and liability of internet application providers) and Decree No. 12,976/2026 (aimed specifically at the protection of women and at countering gender-based violence in the digital environment) together form a coordinated regulatory architecture rather than isolated measures.
Although presented as a mere act of regulation of the STF’s decision, the decrees appear to go beyond simply giving technical effect to the Court’s ruling. In practice, they design a more continuous model of regulatory supervision over the content-moderation activities of digital platforms.
Among the main points of these decrees, the following stand out:
the assignment to the ANPD (National Data Protection Authority) of powers to regulate, oversee, and investigate infractions relating to platforms’ compliance with their duties, particularly as regards the management of systemic risks and the mass circulation of unlawful content;
the expansion of the circumstances in which platforms may be held liable, especially in cases of systemic failure in preventing and mitigating the circulation of criminal content;
the imposition of ongoing duties of prevention, monitoring, transparency, and risk mitigation in the operation of digital services;
the creation of specific obligations for boosted (sponsored) content, paid advertisements, and the retention of records that may assist in identifying fraud and unlawful acts; and
the requirement of prompt removal of certain especially sensitive content, such as non- consensual intimate images and sexual deepfakes.
Undoubtedly, several of the objectives pursued by the decrees are legitimate and socially relevant, particularly tackling digital violence against women, fraud, child sexual exploitation, and other manifestly unlawful content.
The central problem, however, may lie not only in the purpose of the rules, but in the institutional design adopted for their implementation.
From the moment platforms begin to operate under constant regulatory risk, faced with broad legal concepts that are often open to interpretation, a structural incentive is created for preemptive and excessive content removal. In other words: when the legal cost of keeping certain content online becomes significantly higher than the cost of removing it, the market’s natural tendency is to adopt a logic of “defensive removal.”
This effect may be particularly acute in matters involving political speech, institutional criticism, public debate, or content whose unlawfulness turns on complex contextual interpretation.
In addition, there is an inevitable constitutional and institutional discussion about the limits of the Executive’s rule-making power. Defining the scope of freedom of expression, the civil liability of intermediaries, and content moderation has always been a sensitive matter, traditionally reserved for legislative debate and parliamentary deliberation.
For this reason, a significant portion of the technology sector, industry associations, and members of Congress have argued that the decrees would go beyond mere administrative regulation, encroaching on matters still under discussion at the STF and in the National Congress.
At its core, the current debate is not only about how to tackle unlawful content on the internet. What is really being discussed is what model of control over the digital environment Brazil will adopt in the coming years.
On one side, a model emerges in which digital platforms come to be constantly supervised and pressured to monitor and remove content preemptively, under the oversight of State bodies. On the other, there is the view that decisions on content removal and limits to freedom of expression should continue to be made primarily by the Judiciary, on a case-by-case basis, with greater legal safeguards and a lower risk of excessive censorship.
The discussion, therefore, involves a question central to any democracy: how to balance the fight against digital abuses and crimes without compromising freedom of expression and legal certainty in the online environment.
In the end, that is what is at stake: whether Brazil’s Internet Act will remain a landmark for the protection of fundamental rights in the digital environment, or whether it will end up paving the way for a broader and more permanent model of control over what circulates online.
Nevertheless, by relaxing the requirement of a prior court order as the central condition for the civil liability of providers, the decision ultimately set in motion a gradual erosion of one of the structural pillars of Brazil’s Internet Act itself: the notion that restrictions on the circulation of content should, as a rule, stem from independent judicial decisions, and not from private decisions made under regulatory pressure or the risk of future liability.
This is because the model originally conceived by Article 19 did not seek to protect unlawful content, but rather to prevent digital platforms from being turned into preemptive arbiters of the legality of public discourse. The logic was simple: in cases of doubt, it would fall to the Judiciary — and not to private companies — to define the boundaries between freedom of expression, abuse, unlawfulness, and liability. By weakening this mechanism, even if out of legitimate concerns, the STF significantly altered the economic and legal incentives that structured digital content moderation in Brazil. The practical consequence was the strengthening of a logic of defensive removal, in which platforms come to take down content in an increasingly broad and preemptive manner in order to avoid regulatory risks, even in situations that are legally controversial or open to interpretation.
It is against this backdrop that the recent presidential decrees published by the federal government represent a new and significant step in the regulatory transformation of the Brazilian digital environment. Issued jointly and published on May 21, 2026, Decree No. 12,975/2026 (which amends Decree No. 8,771/2016 and reforms the general regime of duties and liability of internet application providers) and Decree No. 12,976/2026 (aimed specifically at the protection of women and at countering gender-based violence in the digital environment) together form a coordinated regulatory architecture rather than isolated measures.
Although presented as a mere act of regulation of the STF’s decision, the decrees appear to go beyond simply giving technical effect to the Court’s ruling. In practice, they design a more continuous model of regulatory supervision over the content-moderation activities of digital platforms.
Among the main points of these decrees, the following stand out: • the assignment to the ANPD (National Data Protection Authority) of powers to regulate, oversee, and investigate infractions relating to platforms’ compliance with their duties, particularly as regards the management of systemic risks and the mass circulation of unlawful content; • the expansion of the circumstances in which platforms may be held liable, especially in cases of systemic failure in preventing and mitigating the circulation of criminal content; • the imposition of ongoing duties of prevention, monitoring, transparency, and risk mitigation in the operation of digital services; • the creation of specific obligations for boosted (sponsored) content, paid advertisements, and the retention of records that may assist in identifying fraud and unlawful acts; and • the requirement of prompt removal of certain especially sensitive content, such as non- consensual intimate images and sexual deepfakes.
Undoubtedly, several of the objectives pursued by the decrees are legitimate and socially relevant, particularly tackling digital violence against women, fraud, child sexual exploitation, and other manifestly unlawful content.
The central problem, however, may lie not only in the purpose of the rules, but in the institutional design adopted for their implementation. From the moment platforms begin to operate under constant regulatory risk, faced with broad legal concepts that are often open to interpretation, a structural incentive is created for preemptive and excessive content removal. In other words: when the legal cost of keeping certain content online becomes significantly higher than the cost of removing it, the market’s natural tendency is to adopt a logic of “defensive removal.” This effect may be particularly acute in matters involving political speech, institutional criticism, public debate, or content whose unlawfulness turns on complex contextual interpretation.
In addition, there is an inevitable constitutional and institutional discussion about the limits of the Executive’s rule-making power. Defining the scope of freedom of expression, the civil liability of intermediaries, and content moderation has always been a sensitive matter, traditionally reserved for legislative debate and parliamentary deliberation.
For this reason, a significant portion of the technology sector, industry associations, and members of Congress have argued that the decrees would go beyond mere administrative regulation, encroaching on matters still under discussion at the STF and in the National Congress.
At its core, the current debate is not only about how to tackle unlawful content on the internet.
What is really being discussed is what model of control over the digital environment Brazil will adopt in the coming years.
On one side, a model emerges in which digital platforms come to be constantly supervised and pressured to monitor and remove content preemptively, under the oversight of State bodies. On the other, there is the view that decisions on content removal and limits to freedom of expression should continue to be made primarily by the Judiciary, on a case-by-case basis, with greater legal safeguards and a lower risk of excessive censorship.
The discussion, therefore, involves a question central to any democracy: how to balance the fight against digital abuses and crimes without compromising freedom of expression and legal certainty in the online environment.
In the end, that is what is at stake: whether Brazil’s Internet Act will remain a landmark for the protection of fundamental rights in the digital environment, or whether it will end up paving the way for a broader and more permanent model of control over what circulates online.
Fernando F. Stacchini
