Authored By: Meghna Choudhary
Chanakya National Law University, Patna
- INTRODUCTION
This rise in AI technology has seriously undermined the digital era’s foundational truths about evidence and reputation. Deepfakes, created by superimposing individuals’ faces or voices onto fabricated media, mark a critical development in cyber law. Deeptrace reported, in 2019, that the number of deepfake videos online had increased massively by almost double in 12 months, and the vast majority were non-consensual pornography.[1] Their rapid proliferation, often involving non-consensual content, is exacerbated by Generative Adversarial Networks (GANs) and diffusion models, which make creation easy.[2] India’s experience, exemplified by the Rashmika Mandanna incident in November 2023[3], prompted a government advisory requiring intermediaries to remove reported deepfakes within 36 hours.[4]
This highlighted a fundamental legislative inadequacy, as existing Indian law does not explicitly address synthetic media as a distinct harm. The current legal framework, designed before the AI era, inadequately addresses abuses of consent in synthetic media forgery. Issues of mens rea, jurisdictional ambiguity, and electronic anonymity further compound challenges in establishing criminal liability. This article critically assesses India’s Information Technology Act, 2000; Bharatiya Nyaya Sanhita, 2023; and Digital Personal Data Protection Act, 2023, to determine their efficacy against deepfake-related harms and the potential necessity of specialized legislation.
- UNDERSTANDING DEEPFAKES AND SYNTHETIC MEDIA
Deepfakes are AI-generated media in which an individual’s likeness (face, voice, or even a physical portrayal) is digitally superimposed on already existing or manufactured content without their permission or consent. It refers to a wide variety of synthetic media created using machine learning, such as face-swapping, voice cloning, and full-body synthesis. Examples of widely used, benign media include aspects of the movie-wonder world produced by cinematic visual effects, satirical video parodies that criticize politics, and speech synthesis for accessibility. Therefore, there is a need to distinguish them from weaponised deepfakes used in sexual harassment, disinformation or blackmail.
The consequences of harmful deepfakes are complicated. Non-consensual intimate imagery (NCII) is the common form of abuse, typically suffered by women. Politically motivated disinformation uses a head of state, an electoral candidate, or an army leader to fabricate statements to manipulate the public discourse. Financial, corporate, or legal deepfakes are perpetrated using one of the people’s voices. Deepfakes of identity make it easy to create an online presence. Every category suggests a different legal interest, like dignity, autonomy, democratic integrity, and financial security, but nothing is specified in India’s law to address the intensity of the specific interests suggested by these terms.
- CONSENT, PRIVACY AND DIGITAL AUTONOMY
Deepfakes that are not consensual should not only be considered a reputation crisis; they are a direct violation of a person’s autonomy and informational self-determination. Controlling one’s own image and voice is inherent in the larger concept of privacy that was acknowledged by the Supreme Court of India in Justice K S Puttaswamy v Union of India.[5] In this landmark case, the Court declared privacy as an integral part of Article 21, which guarantees the right to life and personal liberty. J. Chandrachud clearly stated that there was an interest in informational privacy, which meant restricting the dissemination of information about oneself, a protected constitutional interest.[6]
Deepfakes directly affront this interest. Such appropriation of a person’s biometric likeness into the generation of consensually unwarranted sexual and political imagery constitutes a non-reputational harm, the person’s identity is being weaponised against them. The constitutional framework of Article 21 is flexible enough to include such violations, but without a statutory right to one’s digital likeness, the constitutional protection becomes an ideal construct in the context of ‘deepfakes’.
The existing cyber law provisions about consent are insufficient for AI manipulation. Consent to original content does not imply consent to its synthetic manipulation, as it is not explicitly provided in the IT Act. The act does not expressly mention that consent to original content means consent to its synthetic manipulation. This gap is crucial. A deepfake can be made from completely public and consensual pictures, but the image fabricated is entirely non-consensual. Presently, this distinction is not explicitly outlined in the law as it stands today.
- CRIMINAL LIABILITY UNDER INDIAN LAW
- The Information Technology Act, 2000.
Section 66C of the IT Act makes identity theft punishable by the use of a person’s electronic signature, password, or unique identifying characteristic.[7] Cheating by impersonation through communication devices or computer resources is covered in section 66D.[8] Although these provisions could cover deepfakes in financial fraud or targeted impersonation, they require evidence of a fraudulent intent with a view to an economic or material gain. In most cases, deepfakes used for reputational harm, sexual humiliation or political disinformation do not have this mens rea, and therefore Sections 66C and 66D are not applicable.
Section 67 imposes penalties for the publication of obscene material, and Section 67A imposes penalties for the publication of sexually explicit content that is published in electronic form.[9] These provisions may apply to non-consensual deepfakes of pornography. However, there are three weaknesses. Firstly, they are publication-oriented, not creation-oriented, so the act of fabrication is under-addressed. Secondly, they are contextually imprecise in the case of wholly fabricated content. And thirdly, both provisions have evidentiary problems in establishing the liability of the specific individual who created the synthetic content, not merely disseminated it.
- Bill of Rights – The Bharatiya Nyaya Sanhita, 2023
The BNS, an amendment of the Indian Penal Code 1860, includes defamation, impersonation, obscenity, cheating, and some types of harassment.[10] These crimes, which could indirectly include some harm from deepfakes, do have one drawback in common. No crime was specifically written for the use of synthetic media. The offence of making, publication, or circulation of any statement, rumour, or report under the BNS is an offence by inserting false content or knowingly both false and misleading content, and it remains difficult to prove the intent to cause mischief in the case in which the actor is behind layers of digital anonymity. While defamation rules mandate imputation regarding a specific entity. This is satisfied with deepfakes. The evidence for the falsity of AI-generated content is hard to prove in courts unequipped with digital forensic tools.
- The Digital Personal Data Protection Act, 2023
The DPDPA brings in a consent-based system for the processing of personal data. It mandates that data principals should give their personal data for processing only when they do so freely, specifically, after being informed and when no conditions have been imposed upon them, and the nature of the consent is quite clear.[11] Biometric data, including geometry data of faces and voiceprints used for making a deepfake, are personal data, according to the Act. In practice, the DPDPA might be able to control the gathering and use of such data to create deepfakes. However, the mechanisms for the enforcement of the Act are in their infancy. There is no Act yet that is completely operational, and the use of synthetic media as a result of illegal data processing is not expressly mentioned in the Act.
- Intermediary Liability
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 impose upon these important intermediaries the obligations to acknowledge and address grievances at stipulated timelines.[12] In December 2023, the Ministry of Electronics and Information Technology (MeitY) advised the platforms to take prompt steps to remove deepfake content.[13] The legal framework of Section 79 (safe harbour for intermediaries) of the IT Act, however, reduces the responsibility of the platforms.[14] Supreme Court curtailed the ambit of losing “safe harbour” immunity in Shreya Singhal v Union of India.[15] With no proactive responsibility to identify and remove non-consensual deepfakes, platforms are encouraged to respond after the damage has already been done, meaning harm is cumulative and delayed until a takedown process is done.
- Enforcement and Evidentiary Challenges
Enforcement faces systemic issues in all relevant provisions. Jurisdictional complexity is found when the deepfakes are made in one jurisdiction, stored on servers in a different jurisdiction, and viewed in India. However, to hold individuals criminally liable, it must be established that they created the content, which will require a digital forensic investigation, for which most state police departments are under-equipped. With all the evidence spread out in real time via encrypted messaging apps, evidence preservation gets much harder. The anonymity and automation of AI generation make it difficult to determine the mens rea in making the determination. The depersonalised and automated nature of AI generation makes mens rea determination, especially the specific intent necessary for higher penalties, difficult.
- COMPARATIVE AND INTERNATIONAL PERSPECTIVES
A comparative survey shows that technologically advanced jurisdictions have noted that general cyber laws are insufficient and have passed or proposed technologically specific legislation on deepfakes. The Disrupt Explicit Forged Images and Non-Consensual Edits (DEFIANCE) Act of 2024 establishes the United States’ first federal civil rights law for victims of non-consensual intimate imagery created by artificial intelligence.[16] The European Union’s Artificial Intelligence Act (2024) requires providers of AI systems for general use to ensure that the use of AI-generated content is clearly documented and that subjects are clearly notified when that content is created with the use of deepfakes.[17]
The most “prescriptive” way is undertaken by China with its provided 2023 Deep Synthesis Internet Information Service (DSIIS) provisions, which mandate that deep synthesis content have watermarks, do not produce news events or consent-less public figures, and require identities to be verified.[18] In the 2020 revision of the Act on Special Cases Concerning the Punishment of Sexual Crimes, South Korea expressly criminalised the production, circulation and keeping of deepfakes of sexual content, irrespective of whether it is actually meant to be distributed.[19]
They share some common characteristics. They are clear as to synthetic content and as to what constitutes content generated by AI systems, including disclosure and watermarking requirements, consent-based bans on appropriation of likeness, proactive obligations for platforms and dedicated criminal and/or civil remedies. India does not have any of these in a holistic statutory framework, leaving it far behind the curve of regulation.
- THE CASE FOR REFORM
The foregoing analysis demonstrates that India’s current regime of laws is reactive, heightened, and very imprecise to counter the harms caused by synthetic media. A well-thought-out reform program should go on several fronts.
First, there should be an IT Act-specific law on synthetic media, or a comprehensive draft amendment to the IT Act that would be able to clearly define what synthetic media are, identify permissible and impermissible applications, and develop categories of offences commensurate with the type of harm that the evidence of a fake is causing sexual exploitation, political disinformation, fraud, and harassment. The Parliamentary Standing Committee on Communications and Information Technology had pointed out earlier the inadequacy of current protections for new technology.[20]
Second, content generated by AI content generation tools ought to be required to include a watermark and/or declaration of provenance, aligning with the method used in the EU AI Act for disclosure and mandatory watermarking. This would help with forensic attribution and establish a chain of evidence for enforcement.
Third, the law should explicitly make clear that the use of source material does not imply that someone gave consent to its synthetic manipulation, thus closing the doctrinal gap identified above.
Fourth, intermediary liability needs to be updated to make it more proactively liable and accountable to those with significant influence and reach on social media regarding deepfakes that have been verified as such. There should be a fast-track court system (akin to the injunctive relief system of trademark law) in place for victims of reputational or sexual harms between parties involved in deepfakes.
Fifthly, the DPDPA needs to be amended and clarified to explicitly define an AI-derived ‘biometric inference’ as sensitive personal data and impose stricter consent requirements and data processing limitations on such inferences.
Finally, there is a need to enhance provisions on jurisdiction to cover the creation and dissemination of deepfake(s) concerning Indian persons and some provisions to make mutual legal assistance arrangements effective in the cross-border enforcement. The reforms should be backed by investment in the capacity of the digital forensic service providers and educating the courts to ensure that the law is complied with in court proceedings.
- CONCLUSION
This article has shown that the existing set of laws in India is structurally weighed down when it comes to tackling the multi-faceted harms of synthetic media technology and deepfakes. Consent issues are unique to the technology of fabrication and creation of likenesses, and the current provisions of the IT Act regarding identity theft, obscenity, and impersonation were formulated for earlier technology. The same restrictions apply to the BNS. In principle, the DPDPA is plausible, yet currently, it is not a well-defined technology or set of technologies and, therefore, does not possess an operational architecture that could capably manage synthetic media outputs.
Intermediary liability does not provide an incentive for proactive actions, but rather for reactive actions. The answer to the research question, “Does India need a dedicated regulatory framework for deepfakes?” is a ‘yes. In fact, the comparative evidence from the United States, the European Union, China, and South Korea shows that general cyber laws are not the answer and that targeted laws such as concretely defining the term, providing consent-based protections, requiring platforms to take responsibility, and establishing dedicated enforcement bodies are possible and essential. This is the least that should be done in the Constitution of India, guaranteeing the right to privacy of a citizen under Article 21. Not simply a technical/criminal law issue but a constitutional issue. In line with the protection afforded to the person in Puttaswamy, this protection from violation of digital identity, dignity, and autonomy also demands a legal mechanism that is dynamic enough to keep pace with technology. Without a dedicated reform, the framework that India has in place will continue to be a collection of general rules coming together in relation to a harm that cannot be addressed via these rules in isolation. In today’s era, where fact and fiction, as produced by artificial intelligence, are becoming hard to tell apart, the need for legislative action is foreboding.
BIBLIOGRAPHY
Cases
Shreya Singhal v Union of India AIR 2015 SC 1523 (Supreme Court of India)
Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Supreme Court of India)
Legislation
Indian Statutes
Bharatiya Nyaya Sanhita 2023
Digital Personal Data Protection Act 2023
Information Technology Act 2000
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021
Foreign Statutes and Instruments
Act on Special Cases Concerning the Punishment of Sexual Crimes 2010 (South Korea, as amended 2020)
Disrupt Explicit Forged Images and Non-Consensual Edits Act 2024, S 3696, 118th Congress (United States)
Provisions on the Administration of Deep Synthesis Internet Information Services 2022 (China)
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L2024/1689
Journal Articles
H Farid, ‘Creating, Using, Misusing, and Detecting Deep Fakes’ (2022) 1(4) Journal of Online Trust and Safety 1
Reports and Web Sources
H Ajder and others, The State of Deepfakes: Landscape, Threats, and Impact (Deeptrace 2019) <https://regmedia.co.uk/2019/10/08/deepfake_report.pdf\> accessed 20 May 2026
Ministry of Electronics and Information Technology, Advisory to Intermediaries and Platforms on Compliance with IT Rules in Relation to Deepfakes (MeitY, 26 December 2023) <https://www.meity.gov.in/content/advisory-deepfakes\> accessed 20 May 2026
Parliamentary Standing Committee on Communications and Information Technology, Safeguards Against Unethical Use of Emerging Technologies Including Deepfakes (Lok Sabha 2023) <https://loksabha.nic.in\> accessed 20 May 2026
‘Deepfake Video of Actress Rashmika Mandanna Goes Viral; IT Minister Calls It Concerning’ The Hindu (New Delhi, 7 November 2023)
[1] H Ajder and others, The State of Deepfakes: Landscape, Threats, and Impact (Deeptrace 2019) <https://regmedia.co.uk/2019/10/08/deepfake_report.pdf> accessed 20 May 2026.
[2] H Farid, ‘Creating, Using, Misusing, and Detecting Deep Fakes’ (2022) 1(4) Journal of Online Trust and Safety 1
[3] Deepfake Video of Actress Rashmika Mandanna Goes Viral; IT Minister Calls It Concerning’ The Hindu (New Delhi, 7 November 2023)
[4] Ministry of Electronics and Information Technology, Advisory to Intermediaries and Platforms on Compliance with IT Rules in Relation to Deepfakes (MeitY, 26 December 2023) <https://www.meity.gov.in/content/advisory-deepfakes\> accessed 20 May 2026
[5] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Supreme Court of India)
[6] ibid [645] (Chandrachud J concurring)
[7] Information Technology Act 2000 (India) s 66C
[8] Information Technology Act 2000 (India) s 66D
[9] Information Technology Act 2000 (India) ss 67 and 67A.
[10] Bharatiya Nyaya Sanhita 2023 (India) ss 294, 317, 318, 356
[11] Digital Personal Data Protection Act 2023 (India) s 4
[12] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (India) r 4(2)
[13] Ministry of Electronics and Information Technology, Advisory to Intermediaries and Platforms on Compliance with IT Rules in Relation to Deepfakes (MeitY, 26 December 2023) <https://www.meity.gov.in/content/advisory-deepfakes\> accessed 20 May 2026.
[14] Information Technology Act 2000 (India) s 79
[15] Shreya Singhal v Union of India AIR 2015 SC 1523 (Supreme Court of India)
[16] Disrupt Explicit Forged Images and Non-Consensual Edits Act 2024, S 3696, 118th Congress (United States)
[17] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L2024/1689, art 50
[18] Provisions on the Administration of Deep Synthesis Internet Information Services 2022 (China) art 6
[19] Act on Special Cases Concerning the Punishment of Sexual Crimes 2010 (South Korea, as amended 2020) art 14-2
[20] Parliamentary Standing Committee on Communications and Information Technology, Safeguards Against Unethical Use of Emerging Technologies Including Deepfakes (Lok Sabha 2023) <https://loksabha.nic.in\> accessed 20 May 2026





