Segurança Legal Podcast, Episode #419 — Atualização do MCI. This article is derived from episode #419 of the Segurança Legal podcast, hosted by Guilherme Goulart and Vinícius Serafim, and was produced with AI assistance. Watch the full episode on YouTube.

Decree 12,975/2026, published on May 20, 2026, amends Decree 8,771/2016 to implement the ruling by Brazil's Supreme Court (STF) that found Article 19 of the Marco Civil da Internet (Brazil's Internet Civil Rights Framework) unconstitutional. In practice, it expands the duties to retain records — which now include the source logical port — and imposes active obligations of moderation, transparency, and removal of criminal content on connection and application providers.

For anyone operating an internet service in Brazil, two points demand immediate attention: the technical logging of records and the new moderation regime. Below is what each one means in practice.

Log retention gains a technical layer: the logical port

Article 15-A now requires that the duty to retain records also cover the source logical port, whenever it is necessary to identify the source terminal or the next network hop. The reason is technical. The exhaustion of IPv4 forced providers to share a single public IP among many customers via NAT (CGNAT). When several subscribers reach the internet under the same address, the IP alone may no longer adequately identify a terminal.

Disambiguation now depends on the port. TCP and UDP each have 65,536 ports (0 to 65,535), and the provider's equipment dynamically maps each connection to one of them. To comply with Article 15-A, this mapping (IP, port, timestamp, and customer) must be logged connection by connection.

The operational problem is volume. A single browser opens multiple connections; a typical household combines phones, TVs, cameras, IoT devices, and computers, all generating connections continuously. This record must exist across the entire chain: at the connection provider and also at the application provider delivering the service at the edge. And when smaller providers are served by larger ones, NAT may occur more than once, multiplying the points where the log must exist.
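The disambiguation described above, as an added example that is not part of the original article or the podcast: a lookup over a constructed CGNAT mapping log showing that IP plus timestamp returns several subscribers, while adding the source port returns one. The log format, field names, subscriber ids, and addresses are assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed CGNAT mapping log (illustrative format, not from the decree or a vendor):
# public_ip,source_port,subscriber,mapping_start,mapping_end  (all times UTC)
CONSTRUCTED_LOG = """\
198.51.100.7,40001,sub-A,2026-06-01T12:00:00Z,2026-06-01T12:00:45Z
198.51.100.7,40002,sub-B,2026-06-01T12:00:10Z,2026-06-01T12:01:30Z
198.51.100.7,40001,sub-C,2026-06-01T12:05:00Z,2026-06-01T12:05:20Z
"""


def _ts(text):
    """Parse an ISO 8601 UTC timestamp such as 2026-06-01T12:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(log_text):
    """Turn the CSV lines into (ip, port, subscriber, start, end) tuples."""
    rows = []
    for line in log_text.strip().splitlines():
        ip, port, subscriber, start, end = line.split(",")
        rows.append((ip_address(ip), int(port), subscriber, _ts(start), _ts(end)))
    return rows


def candidates(rows, public_ip, when, port=None):
    """Subscribers with a mapping active on public_ip at `when`.

    Without a port, every subscriber sharing the address at that instant
    matches; with the source port, the answer narrows to one mapping.
    """
    if port is not None and not 0 <= port <= 65535:
        raise ValueError("port must be in 0..65535")
    ip, instant = ip_address(public_ip), _ts(when)
    return sorted({
        subscriber
        for row_ip, row_port, subscriber, start, end in rows
        if row_ip == ip and start <= instant <= end
        and (port is None or row_port == port)
    })


if __name__ == "__main__":
    rows = parse_log(CONSTRUCTED_LOG)
    print(candidates(rows, "198.51.100.7", "2026-06-01T12:00:20Z"))
    print(candidates(rows, "198.51.100.7", "2026-06-01T12:00:20Z", port=40002))
    print(candidates(rows, "198.51.100.7", "2026-06-01T12:05:10Z", port=40001))
```

The third query shows why the timestamp has to be stored with the port: port 40001 is reused by a different subscriber five minutes later.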

Content moderation: the end of “no duty of active monitoring”

The second front is moderation. The decree establishes general duties — among them maintaining a registered office and a legal representative in the country with powers to provide information — and creates obligations for complaint handling, rules on profiling, reporting channels, and active transparency reports.

The paradigm shift is here. The 2014 Marco Civil was celebrated for not imposing active monitoring. Article 16-B now lists seven groups of content deemed criminal (terrorism; inducement or incitement to suicide and self-harm; incitement to discrimination based on color, race, and ethnicity; crimes against women; sexual crimes against vulnerable persons; human trafficking; and conduct related to scams) that must be removed both upon notice and as a proactive duty.

The absence of adequate prevention measures may characterize a systemic failure: the provider must identify, assess, and manage the systemic risks of its operation. The concept is not a national invention; it comes from the European Digital Services Act (DSA).

Two relevant differences from the European Digital Services Act (DSA)

The European model applies these rules only to very large platforms and search engines (above 45 million users; in 2023 the European Commission identified 19 platforms meeting that criterion). The Brazilian decree makes no distinction by size. It only opens the possibility for the ANPD (Brazil's Data Protection Authority) to define differentiated criteria for small providers (Article 16-P, which uses “may,” not “shall”), a concrete concern for smaller operations.

On the other hand, the decree is less strict than the DSA on one point: crimes against honor remain under the previous model, without automatic removal upon notice.

Operational risk: detection and the gray zone

There are two sensitive points in enforcement. The first is the removal of content identical to material already recognized by a court order. Hash-based identification breaks with the change of a single bit, and AI tools make it possible to alter content so as to escape exact matching. Viable detection tends to rely on AI — feasible for large platforms and costly for the rest.
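The brittleness of exact hashing noted in the first point, as an added example that is not from the original article: a SHA-256 comparison stops matching after one bit changes, while a simple average hash compared by Hamming distance still matches. The average hash is a basic similarity technique substituted here for illustration, not the AI-based detection the article refers to; the 8x8 image and the distance threshold are constructed assumptions.

```python
import hashlib

# Constructed 8x8 grayscale "image": a gradient of 64 pixel values (0, 4, ..., 252).
CONSTRUCTED_IMAGE = bytes(4 * i for i in range(64))


def sha256_hex(data):
    """Exact-match fingerprint: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data, bit_index):
    """Return a copy of data with a single bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def average_hash(pixels):
    """64-bit average hash: bit i is 1 when pixel i is brighter than the mean."""
    if len(pixels) != 64:
        raise ValueError("expected 64 grayscale pixels (8x8)")
    mean = sum(pixels) / 64
    value = 0
    for p in pixels:
        value = (value << 1) | (p > mean)
    return value


def hamming(a, b):
    """Number of differing bits between two hash values."""
    return bin(a ^ b).count("1")


def exact_match(known, candidate):
    return sha256_hex(known) == sha256_hex(candidate)


def near_match(known, candidate, max_distance=5):
    """Similarity match; max_distance is an assumed threshold for this example."""
    return hamming(average_hash(known), average_hash(candidate)) <= max_distance


if __name__ == "__main__":
    altered = flip_bit(CONSTRUCTED_IMAGE, 0)
    print("exact:", exact_match(CONSTRUCTED_IMAGE, altered))
    print("near: ", near_match(CONSTRUCTED_IMAGE, altered))
```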

The second is interpretive margin. For flagrant content, such as child sexual abuse material, there is no debate. But categories like inducement or discrimination have a gray zone. Speech that comments on a discriminatory fact can be mistaken for the practice itself. The incentive to remove as a precaution can pose a real risk to freedom of expression.

One caveat is worth noting: the decree's effectiveness depends on the institutional capacity of the ANPD, which already accumulates data protection regulation and the Digital ECA (Child and Adolescent Statute) and now also takes on the oversight of this regulation. Without concrete enforcement and prompting, the risk is a rule that is neither applied nor adjusted.

Frequently asked questions

Does Decree 12,975/2026 require my service to retain port logs?

If you are a connection or application provider, Article 15-A now requires logging the source logical port whenever it is necessary to identify the terminal. Services that already retained IP logs should check whether they are also recording the port associated with the connection.

How long must these records be kept?

The decree regulates the Marco Civil, which sets one year for connection records (Article 13) and six months for application access records (Article 15). The logical-port duty follows the record to which it is tied.

Do small providers also have to comply with the moderation rules?

Yes. Unlike the European DSA, the decree does not distinguish by platform size. Article 16-P allows the ANPD to define differentiated criteria for small providers, but it uses “may.” There is no obligation to do so.

What is a “systemic failure” in the context of the decree?

It is the characterization applied when the provider cannot demonstrate that it adopted measures to identify, assess, and manage the risks of its operation related to the listed criminal content. The concept is inspired by the European Union's Digital Services Act.

Do I need a court decision to remove content now?

For the list of crimes in Article 16-B, no. The central change is removal upon notice and as a proactive duty, reversing the burden that previously fell on the injured party to seek the courts. Crimes against honor still follow the previous regime.

How BrownPipe can help

Adapting to this new scenario starts with a concrete technical question: do your log records today capture what the decree now requires, and for how long? We can assess your logging architecture and retention controls from a compliance perspective. Talk to BrownPipe about an adequacy assessment.


BrownPipe has worked in information security and data protection since 2012. This content was produced with AI assistance and is derived from episode #419 – Atualização do MCI of the Segurança Legal podcast, hosted by Guilherme Goulart and Vinícius Serafim. Watch the full episode on YouTube: youtube.com/watch?v=KTQeLJhUaJM.