Authored By: Aditya Rathi
Sardar Patel Subharti Institute of Law
Introduction
We live in a world where seeing is no longer believing. A video can show a politician confessing to crimes he never committed. A voice note can sound exactly like your bank manager asking for your OTP. A woman can find her face on a pornographic video she never participated in. This is the reality of deepfakes — and Indian law, frankly, is not ready for it.
Deepfakes are AI-generated or AI-manipulated media that realistically depict real people in fabricated scenarios. The technology has evolved at a pace that genuinely frightens anyone who thinks seriously about it. What once required a Hollywood-level studio can now be done by a teenager with a decent laptop and an internet connection. In India, where we added roughly 100 million new internet users in the last few years alone, the potential for harm is staggering — from sexual exploitation of ordinary women, to political disinformation campaigns that could destabilise elections, to financial fraud that bleeds ordinary families dry.
This article attempts to map where Indian law currently stands in responding to deepfake harms, identify where it falls short, and propose what a meaningful legal framework might look like. My argument, put simply, is this: the existing patchwork of the Information Technology Act, 2000 (IT Act)[1], and the Digital Personal Data Protection Act, 2023 (DPDP Act)[2], while not entirely toothless, contains critical gaps that leave victims without adequate remedies. Doctrines like the “right to be forgotten” and “personality rights” — which could do a lot of work here — remain underdeveloped in Indian courts. Meanwhile, global frameworks like the EU AI Act, 2024[3], and the UK’s Online Safety Act, 2023[4], show that a more coherent, rights-based approach is entirely possible. India needs to catch up, and urgently.
Legal Challenges to Privacy in the Deepfake Era
Deepfakes and the Constitutional Right to Privacy
The starting point for any discussion of deepfakes in India has to be Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1[5]. The nine-judge bench’s unanimous recognition of privacy as a fundamental right under Article 21 was a watershed moment. But when the judgment was written, deepfakes as we know them today barely existed. Applying its principles to synthetic media requires some interpretive work.
The Puttaswamy judgment conceptualised privacy across multiple dimensions — informational privacy, decisional autonomy, and dignitary privacy. Deepfakes violate all three. When someone’s facial geometry or voiceprint is scraped from social media and fed into an AI model without consent, that’s an informational privacy violation. When the resulting deepfake is used to make it appear that the person said or did something they never did, their decisional autonomy — the right to control how they appear in public life — is directly attacked. And when that content is humiliating or sexually explicit, the dignitary dimension is shredded entirely.
The IT Act, 2000[6], and the Sensitive Personal Data Rules of 2011 do offer some protection against unauthorised processing of personal data, including biometric information. But these provisions were written with a fairly narrow conception of digital harm in mind. They don’t speak to the specific scenario where someone’s biometric profile is used not just to identify them, but to fabricate an entirely new performance attributed to them. The DPDP Act, 2023[7], is more contemporary in its framing — it requires data fiduciaries to obtain valid, informed consent and maintain reasonable security safeguards when processing personal data, and biometric data is explicitly covered. In theory, this should catch the training and deployment of deepfake systems that use real people’s data.
In practice, though, two problems arise. First, enforcement mechanisms under the DPDP Act are still being set up — the Data Protection Board has not yet become fully operational. Second, and more fundamentally, the Act focuses on data processing but says nothing about the output of that processing. Even if we establish that training a deepfake model on someone’s images without consent violates the DPDP Act, what remedy does the victim have once the deepfake is already circulating online? The Act is silent on that. There’s no provision for damages tailored to reputational harm, emotional distress, or the lasting trauma that victims — disproportionately women — experience.
The Right to Be Forgotten: Promising but Underdeveloped
The “right to be forgotten” — the idea that individuals should be able to demand the removal or de-indexing of certain personal information when its continued presence online is disproportionate to any public interest — has been gaining traction in Indian courts. In Jagdeep Singh v. Union of India, 2023 SCC OnLine Del 4597[8], the Delhi High Court acknowledged that the right to privacy can, in appropriate circumstances, require platforms to take down sensitive or defamatory content. Other courts have followed suit in piecemeal fashion.
For deepfake victims, this doctrine is potentially very powerful. A woman whose face has been placed on a pornographic video has an overwhelming privacy interest in having that content removed; there is no legitimate public interest that could conceivably outweigh it. Similarly, a politician depicted making inflammatory statements they never made has a strong claim to have that video taken down before it spreads further.
The problem is that the right to be forgotten in India remains almost entirely judge-made. There is no statute that sets out when the right applies, what procedure a victim should follow, or what obligations platforms carry when they receive a takedown request. The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, do impose takedown obligations on platforms — they must act on notices within prescribed timeframes — but these rules are framed primarily as a platform-liability shield rather than a victim-facing rights mechanism. The practical experience of many victims is that takedown requests disappear into a bureaucratic black hole, especially when the platform is foreign-based or when the person who created the deepfake cannot be identified.
What’s genuinely needed is a codified right to be forgotten, specifically calibrated to deepfake harms, with mandatory response timelines, an independent appellate mechanism, and real penalties for non-compliance.
Personality Rights: Where Indian Law Lags Behind
Perhaps the most interesting developing area of law in this context is personality rights — the right of individuals, particularly public figures, to control the commercial use of their name, image, likeness, and voice. Indian courts have recognised the existence of these rights under Article 21, typically in the context of celebrity endorsements, but the doctrine has recently been applied to AI-generated content.
In a notable Delhi High Court order in late 2025[9], the court granted an emergency injunction restraining the use of a spiritual leader’s image and voice in AI-generated content — a significant step. The court recognised that the misuse of identifiable personal attributes in deepfakes could constitute an invasion of personality rights, and that the harm was urgent enough to warrant immediate relief without waiting for a full trial. This is exactly the kind of judicial creativity the deepfake era demands.
But compare this to the U.S., where the “right of publicity” has been a well-developed tort for decades. Cases like Midler v. Ford Motor Co., 849 F.2d 460 (9th Cir. 1988)[10] — where Bette Midler successfully sued Ford for using a sound-alike singer to mimic her distinctive voice — and Carson v. Here’s Johnny Portable Toilets, Inc., 698 F.2d 831 (6th Cir. 1983)[11], show how courts can protect the commercial value of a person’s identity even when what’s being appropriated is not a photograph but a voice or a catchphrase. The logic translates naturally to deepfakes: if you can’t use someone’s actual voice to sell cars, you certainly shouldn’t be able to fabricate their voice saying something they never said.
In India, personality rights remain almost entirely case-law-driven. There is no statute that explicitly covers AI-generated likenesses, no clear liability rule for commercial deepfakes, and no statutory definition of what constitutes misappropriation of personality. This leaves a gaping doctrinal hole through which bad actors routinely drive their campaigns of impersonation, fake endorsements, and disinformation. Codifying personality rights — including a specific provision covering synthetic media — is no longer optional; it is overdue.
Who Owns a Deepfake?
This is a question that sounds almost absurd when you first think about it, but it has genuinely serious legal consequences. Under the Copyright Act, 1957[12], a “work” must have human authorship and sufficient originality to qualify for protection. Deepfakes blur this boundary in ways the drafters of the 1957 Act could not have imagined.
When a deepfake is generated, what happens? A human provides prompts or selects source images; an AI model — trained on millions of other people’s images, audio recordings, and videos — produces the output. The creative contribution of the human may be minimal. The U.S. Copyright Office has taken the position that works created without meaningful human authorship are not eligible for copyright registration, and there is no reason Indian courts would see it very differently if pressed. This creates a strange legal vacuum: a deepfake that depicts someone without their consent, causes them real harm, but may itself enjoy no copyright protection.
Why does that matter? Because one practical tool for restraining the spread of harmful content is the copyright infringement claim. If the creator of a deepfake cannot claim copyright in it, they lose one avenue of control over its spread. But conversely, the victim cannot seek an injunction based on copyright either, because neither party owns the copyright. This forces victims to rely entirely on privacy torts, defamation, and personality rights — remedies that exist but are slower and harder to operationalise at the speed at which deepfakes spread online.
Indian courts have not yet articulated a clear threshold for when human involvement in post-processing — editing, selecting, curating — is sufficient to generate a protectible work. This is a gap that needs to be addressed, not just for deepfakes but for AI-generated content generally.
Infringement of Pre-Existing Works
The flip side of the authorship question is the infringement question. Deepfake models are trained on enormous datasets that typically include copyrighted photographs, films, audio recordings, and other media — most of which was scraped from the internet without the copyright holders’ consent. When this training produces a model capable of generating realistic likenesses, is that an infringement of the original works?
Under Indian copyright law, creating an adaptation of a protected work without a licence can constitute infringement, even if the adaptation is not commercially distributed. The challenge is that deepfake models don’t simply copy the original works; they learn patterns from them. The final output may not be “substantially similar” to any single source in the traditional copyright-law sense, even though it would never have been possible without those sources.
This is a problem that courts in the U.S. and Europe are actively wrestling with — several major lawsuits against AI companies have been filed by artists, musicians, and stock-photo agencies whose work was used in training datasets without consent. Indian courts will eventually have to engage with the same question. The likely answer is that traditional “substantial similarity” tests are inadequate for this context, and a new analytical framework is needed — one that considers whether the AI model has effectively substituted for the market for the original work, even if it doesn’t reproduce it verbatim.
Moral Rights and the Dignity of the Depicted Person
Section 57 of the Copyright Act, 1957[13], protects an author’s moral rights — specifically, the right to object to distortion or mutilation of their work that prejudices their honour or reputation. This is a rights-of-authorship doctrine, not a personality-rights doctrine. But there is an argument — made by several scholars — that the underlying values of moral rights law, centred on dignitary protection and narrative autonomy, should be extended to cover non-author individuals whose likenesses are manipulated by AI.
Think about what a deepfake actually does: it takes a person’s identity and attaches it to a performance, statement, or act they never chose to make. It colonises their narrative. The depicted person has no say in what “they” appear to be doing, and the deepfake circulates in their name, potentially destroying their reputation, relationships, and livelihood. This is a harm that goes beyond mere defamation — it is a form of identity theft that conventional legal categories struggle to fully capture.
International scholarship has increasingly used the phrase “digital defamation” to describe deepfake-induced reputational harm, and there is a growing call to expand personality rights and moral-rights-adjacent doctrines to address it. India’s law reform process should take this seriously.
The Regulatory Landscape: India in Comparative Perspective
What Indian Law Currently Offers
India’s primary digital-governance framework — the IT Act, 2000[14], and its subordinate rules — was drafted at a time when “social media” was not yet a mainstream term. The IT Act has provisions dealing with cyberstalking, identity theft, and unauthorised surveillance, but these were written with narrowly defined harms in mind. They don’t map cleanly onto the deepfake scenario.
The DPDP Act, 2023[15], is a more contemporary statute and does better on the data-processing side. Its requirement of lawful, fair, and transparent processing of personal data — including biometric data — is relevant to anyone training a deepfake model on real people’s images and voices. Penalties can go up to ₹250 crore for serious breaches, which is not trivial. But the Act doesn’t mention deepfakes, and it doesn’t address what happens after the harmful content is generated and distributed.
The 2021 Intermediary Guidelines were amended in 2023 to introduce stricter obligations on platforms to detect and remove “fake or misleading” content, including deepfakes, within defined timeframes. This is a step forward. But the practical reality is that these rules are enforced inconsistently. Smaller platforms often lack the technical capacity to detect deepfakes. Foreign-based platforms may not be easily reachable. And when the creator of the deepfake is anonymous, tracing accountability becomes extremely difficult.
What India lacks, and what is most conspicuous by its absence, is a statute that specifically addresses AI-generated synthetic media — defining what deepfakes are, categorising the different types of harm they cause, and providing tailored remedies for each.
What the World Is Doing
The contrast with global frameworks is instructive. The EU AI Act, 2024[16], classifies deepfake-generating AI systems as “high-risk” and imposes mandatory transparency obligations: synthetic content must be labelled, training data must be documented, and deployers must maintain records. Supervisory authorities have real teeth — they can impose substantial fines and require developers to take systems offline if they pose unacceptable risks.
The UK’s Online Safety Act, 2023[17], goes further in some respects by directly criminalising the creation and sharing of deepfake intimate images without consent, placing proactive duties on platforms to prevent their dissemination, and giving regulators strong enforcement powers.
In the United States, there is no comprehensive federal AI statute yet, but the Deepfakes Accountability Act (proposed in 2023) would criminalise non-consensual deepfake pornography and mandate disclosure of AI-generated content in political advertising. Several states have already enacted their own deepfake laws.
The common thread across these approaches is a recognition that deepfake regulation requires: (a) clear labelling and transparency requirements, (b) differentiated treatment of harmful versus satirical or artistic uses, (c) strong platform accountability, and (d) meaningful penalties. India’s current approach scores poorly on all four counts.
The Gaps Nobody Wants to Talk About
Two structural problems deserve more attention than they usually get.
First, there is no legal framework anywhere — including India — that cleanly distinguishes between malicious deepfakes (non-consensual intimate imagery, political disinformation), transformative deepfakes (satire, parody, artistic commentary), and benign deepfakes (visual effects in films, entertainment). Applying the same legal rules to all three categories is both under-inclusive and over-inclusive — it will catch legitimate artistic expression while potentially missing the most sophisticated forms of harmful manipulation. This typological gap is a serious problem.
Second, cross-border enforcement is genuinely hard. The person who creates a deepfake in one country, uploads it to a server in a second country, and targets a victim in a third country is essentially leveraging jurisdictional fragmentation as a shield. National-level remedies, no matter how well designed, cannot fully solve this. India needs bilateral and multilateral agreements that provide for reciprocal recognition of takedown orders and shared technical standards for synthetic media detection.
Proposed Solutions: Toward a Coherent Framework
A Dedicated Deepfake Statute
The most urgent need is a standalone legislative framework specifically addressing AI-generated content and deepfakes. This isn’t a radical proposal — it is something the EU, UK, and several US states have already done in various forms.
Such a statute should, at minimum:
- Codify the right to biometric likeness control, giving every individual explicit legal recourse against the non-consensual use of their face, voice, or gait in synthetic media;
- Establish personality rights in statutory form, explicitly covering AI-generated synthetic media and creating a rebuttable presumption that commercial uses of someone’s likeness lack consent unless the contrary is proved;
- Amend the Copyright Act, 1957[18], to clarify when AI-assisted outputs constitute protectible “works” and to create limited neighbouring rights for individuals and entities whose data was used in training AI models; and
- Supplement the DPDP Act, 2023[19], with deepfake-specific provisions requiring transparency labels, content-provenance records, and opt-in consent for biometric data used in generative AI systems.
Platform Accountability That Actually Works
Intermediaries need to be held to a higher standard, but in a way that is proportionate to their technical capacity. A one-size-fits-all approach will either under-regulate large platforms or destroy small ones. A tiered model makes more sense:
Large platforms with significant user bases should face mandatory watermarking and machine-readable metadata requirements for all AI-generated content they host. They should operate expedited, rights-based takedown procedures with clear appeal mechanisms and real penalties for unjustified delays. For high-risk content categories — election-related deepfakes, intimate imagery, financial fraud deepfakes — they should be required to implement proactive detection systems.
Courts should also develop clearer practice directions for interim relief in deepfake cases. The Delhi High Court’s willingness to grant emergency injunctions in personality-rights cases involving AI content is promising precedent, but it needs to be systematised so that victims across the country have consistent access to emergency remedies and don’t depend on which bench they happen to draw.
Multi-Stakeholder Governance and International Coordination
Regulation by statute alone will never be sufficient in a field that moves as fast as generative AI. What’s needed alongside legislation is a dedicated regulatory body — an AI ethics and deepfake oversight authority with genuine technical expertise, quasi-judicial powers, and the mandate to issue sector-specific guidelines and update them as the technology evolves.
India already has sectoral regulators for telecommunications, securities, pharmaceuticals, and food safety. There is no principled reason why AI and synthetic media should be treated differently. Such a body could work with platform operators, civil society, researchers, and international counterparts to develop detection standards, consent frameworks, and enforcement protocols. It could also serve as India’s point of contact in international coordination efforts — something that will only become more important as deepfake abuse increasingly crosses borders.
Selected Refrence(S):
1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
2. Jagdeep Singh v. Union of India, 2023 SCC Online Del 4597
3. Digital Personal Data Protection Act, No. 22 of 2023 (India)
4. Information Technology Act, No. 21 of 2000 (India), §§ 43A, 66A–66E
5. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
6. Copyright Act, No. 14 of 1957 (India), § 57
7. European Union AI Act, Regulation (EU) 2024/1689
8. Online Safety Act 2023 (UK)
9. Midler v. Ford Motor Co., 849 F.2d 460 (9th Cir. 1988)
10. Carson v. Here’s Johnny Portable Toilets, Inc., 698 F.2d 831 (6th Cir. 1983)
11. Delhi High Court order (November 2025) restraining AI-generated impersonation of a public figure (reported in LiveLaw, 26 November 2025)
[1] Information Technology Act, 2000 (IT Act)
[2] the Digital Personal Data Protection Act, 2023 (DPDP Act)
[3] EU AI Act, 2024
[4] UK’s Online Safety Act, 2023
[5] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
[6] Information Technology Act,2000
[7] Digital Protection Data Personal Act,2023
[8] Jagdeep Singh v. Union of India, 2023 SCC OnLine Del 4597
[9] Delhi High Court order (Nov 2025-AI impersonation case)
[10] Midler v. Ford Motor Co., 849 F.2d 460 (9th Cir. 1988)
[11] Carson v. Here’s Johnny Portable Toilets, Inc., 698 F.2d 831 (6th Cir. 1983)
[12] Copyright Act, 1957
[13] Section 57 of the Copyright Act, 1957
[14] Information Technology (IT) Act, 2000
[15] Digital Personal Data Protection (DPDP) Act, 2023
[16] EU AI Act, 2024
[17] UK’s Online Safety Act, 2023,
[18] Copyright Act, 1957
[19] Digital Personal Data Protection (DPDP) Act, 2023
