Addressing synthetic fraud has led to a complex and challenging legal landscape

DR. PAWAN DUGGAL
CHAIRMAN- INTERNATIONAL COMMISSION ON CYBER SECURITY LAW

“In today’s world, artificial intelligence, data, and cyber security have become critically important subjects. Just six days before the AI Impact Summit, the Government of India made a significant move by notifying the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026. With these new rules, India signaled its intention to chart its own regulatory path, while also introducing a comparatively soft approach toward the regulation of deepfakes and synthetically generated content. However, challenges remain. The rules, which came into effect on 20 February 2026, have already triggered widespread discussion about compliance. The primary concern is the requirement to remove synthetic or fake content within three hours. Service providers are uncertain about how they can realistically meet this tight deadline. From the Indian regulatory perspective, intermediaries are expected to exercise due diligence in fulfilling their legal obligations. Accordingly, they must ensure compliance with the new framework. A significant consequence of non-compliance is the potential loss of statutory safe harbour protections, meaning intermediaries could forfeit their legal immunity.

India’s Information Technology Act, 2000 (IT Act) regulates the use of seven core digital elements: computers, computer systems, computer networks, computer resources, communication devices, as well as data and information in electronic form. However, this 26-year- old legislation was never designed to address artificial intelligence or deepfakes. Technology has evolved so rapidly that today deepfakes can be created using easily accessible, often free, online tools. This technological leap has made it imperative to introduce specific regulations to tackle the growing challenge of synthetic and manipulated data.

The 2024 Pakistan general election had one notable feature—the widespread use of deepfakes. Similarly, the 2024 Indian general election was marked by the significant presence of deepfake content. By 2026, the landscape has changed even more dramatically, turning the issue into an entirely different ball game. As a result, when examining the legal consequences within today’s data ecosystem, one finds themselves confronting a deeply complex and challenging situation. One is expected to jump into molten lava, of trying to protect oneself from the exposure and the heat of molten lava, and also to swim along with the molten lava. That, in a nutshell, encapsulates your current position in the current data ecosystem. It took us a long time in India to come up with a law on data protection. Even today, the data protection law pertaining to protecting my data is still not operational. It comes into operation from 13th November 2026, and final operation from 13th of May 2027.”