Baptista Luz

26/06/2026 Estimated reading 3’’

Civil liability of internet application providers: the new framework following STF Binding Theme 987 and Decree No. 12.975/2026

26/06/2026

The Brazilian Supreme Court (STF) concluded its ruling on Binding Theme 987 of general repercussion (RE 1.037.396/SP, Rapporteur: Justice Dias Toffoli), concerning the constitutionality and interpretation of Article 19 of the Internet Civil Framework (Law No. 12.965/2014, “MCI“). The ruling confirmed the partial and progressive unconstitutionality of Article 19 and established its immediate res judicata effect as of June 17, 2026.

The liability of application providers for third-party content, as well as their duties, is now governed by two instruments read together: the STF’s binding thesis and Decree No. 12.975/2026, which amended Decree No. 8.771/2016 and regulated the MCI based on the Court’s parameters. The Decree was issued on May 20, 2026, published in the Official Gazette on May 21, 2026, and enters into force on July 20, 2026.

Although both instruments address the same subject matter, they differ in nature — and that difference shapes what is required of providers. The thesis is interpretive: it establishes how Article 19 of the MCI must be read in the absence of new legislation and sets the civil liability framework to be applied by courts on a case-by-case basis. The Decree is regulatory: it creates conduct standards whose non-compliance exposes providers to administrative sanctions (Article 12 of the MCI: warning, fine, suspension, and prohibition), enforced by the ANPD. As a result, the Decree demands structural compliance — meaning permanent governance, processes, and documentation — not merely a response to specific litigation.

The framework aligns with continuous risk assessment models. The reference to the state of the art and systemic risk management shifts the focus from isolated removal to structural adequacy, making documented governance and audit trails central to a provider’s defense. The burden of proof now lies in demonstrating diligent and timely conduct. For advertisements and boosted content, the presumption shifts the onus to the provider, placing greater weight on prior verification and record-keeping. The concrete risk exposure for each operation results from a combined reading of the thesis and the Decree, calibrated by the provider’s size and type of service. It is in that calibration that each provider’s practical compliance obligations are defined.

The landscape will continue to take shape through ANPD regulation, case law, and potential Congressional action. Until then, the thesis and the Decree form an integrated framework to be applied jointly. Reviewing content moderation policies, notification workflows, and governance structures in light of these parameters is the recommended step to reduce exposure.

Want to know more?

Contact the authors ou Visit the area page Media and Advertising

Most read:

Most recent:

Sign up for our newsletter

Sign up and receive relevant information about the legal scenario, to make decisions that will impact your business.

We respect your privacy and protect you personal data pursuant to our Privacy Policy.

    Baptista Luz