Platforms now face direct responsibility for failures to prevent fraud and crime
Brazil has drawn a new line in the long negotiation between digital freedom and digital responsibility, signing a decree that transforms technology platforms from passive conduits into accountable actors under law. President Lula's rewriting of the Marco Civil da Internet places the burden of preventing fraud, exploitation, and intimate image abuse squarely on the companies whose infrastructure enables it. The move reflects a growing global conviction that the scale and profit of Big Tech carry a proportional obligation to the societies they inhabit.
- Brazil's government signed sweeping new rules that make tech platforms legally responsible for digital crimes occurring on their services — a fundamental break from the hands-off model that has long shielded companies from liability.
- Victims of fraud, child exploitation, human trafficking, and non-consensual intimate imagery now have regulatory machinery behind them, with ANPD empowered to enforce compliance and companies required to archive ad data for victim compensation.
- Google and Meta declined to comment, leaving open whether they will quietly adapt or quietly resist — while a two-hour removal deadline for intimate content signals the government's impatience with slow moderation.
- The decree draws a deliberate line between paid advertising, where platforms bear direct responsibility, and organic posts, where notification-based removal offers more flexibility — a legal architecture designed to survive court challenges.
- Brazil is now a test case for whether democratic governments can successfully redirect the infrastructure of Big Tech toward public safety, with the world watching whether ANPD has the will and capacity to enforce what the law demands.
Brazil moved decisively this week to rewrite the terms of its relationship with global technology companies, as President Lula signed a decree reshaping the Marco Civil da Internet — the country's foundational internet law. Taking effect Thursday with publication in the official gazette, the rules shift legal responsibility for digital crimes away from individual users and onto the platforms themselves, treating companies not as neutral spaces but as accountable actors with obligations to prevent harm.
The regulations target specific categories of damage with concrete requirements. Platforms that sell advertising must now archive data on those ads, creating a legal paper trail for fraud liability and victim compensation. For paid content, companies face direct responsibility when criminal material slips through; for organic posts, they retain more flexibility, required to act upon notification rather than to police proactively.
A companion decree focuses on protecting women in digital spaces, mandating that platforms combat non-consensual intimate imagery — including AI-generated deepfakes — through accessible reporting channels and a strict two-hour removal window. The speed requirement reflects the government's recognition that such images spread faster than conventional moderation can contain. Beyond intimate imagery, companies must also work to suppress content related to terrorism, child sexual exploitation, human trafficking, and self-harm.
Google and Meta declined to comment, leaving their compliance strategies opaque. Their silence underscores the central question the decree raises: whether Brazil's National Data Protection Agency, the ANPD, will enforce these rules with enough force to make the cost of non-compliance real. Brazil is wagering that platforms possess both the technical means and the financial motivation to prevent crime on their services — and that accountability will prove more effective than chasing individual perpetrators after the fact.
Brazil's government moved decisively this week to reshape how technology companies operate within its borders, signing a decree that fundamentally shifts responsibility for digital crimes from users to the platforms themselves. The changes take effect Thursday, May 21st, when they are published in the official government gazette, and they represent one of the most aggressive regulatory moves against Big Tech that the country has attempted.
President Luiz Inácio Lula da Silva signed the decree on Wednesday, and it rewrites the Marco Civil da Internet—Brazil's foundational internet law—to hold companies accountable for fraud, exploitation, and abuse happening on their services. The shift is significant: rather than treating platforms as neutral conduits for user speech, the new rules treat them as responsible actors with obligations to prevent harm. The National Data Protection Agency, known as ANPD, will oversee compliance.
The decree targets several categories of harm with specific requirements. Companies that sell advertising must now archive data about those ads, creating a paper trail that can be used to hold them liable and compensate victims if violations occur. When paid advertisements contain fraud or criminal content, platforms face direct responsibility for failures to prevent it. For organic content—posts that users share without paying to amplify them—companies have more flexibility; they can remove material after being notified of a violation rather than being required to police it proactively.
A second decree signed simultaneously focuses specifically on protecting women in digital spaces. It requires platforms to take concrete steps against non-consensual intimate imagery, including deepfakes and AI-generated sexual images created without a woman's permission. Companies must establish easily accessible reporting channels where users can flag such content, and they have just two hours to remove it once notified. The speed requirement signals how seriously the government views the harm: intimate images shared without consent cause immediate, cascading damage that spreads faster than traditional moderation can contain.
The regulations also expand the categories of content platforms must actively work to suppress. Beyond non-consensual intimate images, companies must prevent the spread of material related to terrorism, child sexual exploitation, human trafficking, self-harm, and violence against women. The breadth reflects a government determination to use platform infrastructure as a tool for public safety, not merely a space where harm happens to occur.
Google and Meta, which owns Facebook, Instagram, and Threads, declined to comment on the new rules when contacted by CNN Brasil. Their silence suggests either that they are still assessing the compliance burden or that they are choosing not to engage publicly with regulations they may view as overreach. Either way, the companies now face a choice: build systems to meet Brazil's standards or risk legal liability and potential enforcement action.
The decree represents a philosophical break from the hands-off approach that has long governed internet regulation in many democracies. Brazil is betting that platforms have both the technical capacity and the financial incentive to prevent crime on their services—and that holding them accountable will work better than relying on law enforcement to chase individual perpetrators. Whether that bet pays off will depend on how aggressively ANPD enforces the rules and whether platforms actually implement the safeguards the law demands.
Notable Quotes
Google and Meta declined to comment on the new rules when contacted— CNN Brasil reporting
The Hearth Conversation Another angle on the story
Why did Brazil decide now was the time to do this? What triggered such a dramatic shift in how they regulate tech?
The decree addresses years of accumulating harm—sexual exploitation of children, non-consensual intimate imagery spreading at scale, fraud schemes using platform advertising. At some point, the government decided the platforms had the tools to stop it but weren't motivated to do so without legal pressure.
So this is saying the platforms are responsible for what happens on them. Isn't that a huge burden? How do they even police everything?
They don't have to police everything. The decree is strategic about it. Paid ads get strict liability because platforms profit from them and can verify what they're selling. Organic content gets a notification-based system. It's trying to match the rule to the platform's actual control.
The two-hour removal deadline for intimate images—that's extremely fast. Can platforms actually do that?
They can if they build the systems for it. The tight deadline is intentional. Non-consensual intimate images cause damage in real time as they spread. The law is saying: if you're going to host this content, you need infrastructure that matches the speed of the harm.
What happens if Google or Meta just ignore this? They're huge companies. Can Brazil actually enforce it?
That's the real question. ANPD has authority, but enforcement depends on whether they have resources and political will. Companies could face fines, but the bigger threat might be operational restrictions—being forced to change how they operate in Brazil or losing access to the market.
Does this set a precedent for other countries?
Almost certainly. If Brazil successfully implements this and platforms comply, other governments will watch closely. It's a test case for whether you can hold tech companies accountable through regulation rather than hoping they self-regulate.