Deepfakes And Dignity – Why Indian Laws Need Reform Against Non-Consensual AI-Generated Content Beyond Section 67A

Written by Princy Sawant & Aakash Atwal (National Law University, Jodhpur)

1. THE EFFECT OF DEEPFAKES ON DIGNITY AND PRIVACY

Deepfake technology has turned the fear of online harassment into a daily reality in India. The concern has shifted beyond mere fake news, it now centers on the explicit usage of AI-generated content to produce fake images without consent. The recent deepfake video that went viral, depicting actor Rashmika Mandana is an example of how readily available tools like a smartphone and basic AI can produce realistic synthetic media.

These technologies affect not only public figures but also everyday people, including students, activists and professionals, often leading to increased levels of gender-based abuse in a socio-cultural environment where women’s reputations are linked closely to their perceived ‘honour.’

Deepfake technologies also take advantage of a vulnerability in the area of consent within the digital realm, as there is no mechanism through which a person can give or withhold permission to use his/her likeness in a fraudulently created representation prior to that use occurring. Thus, deepfake technologies and their uses contradict the essentials of privacy and autonomy identified in Article 21 of the Constitution of India. This very dimension of privacy was interpreted in Justice K.S. Puttaswamy v. Union of India, where the Court recognized the right to informational self-determination and stressed on the importance of self-dignity. The Delhi High Court in the cases of Aishwarya Rai Bachchan and Anil Kapoor, applied personality rights to protect against deepfakes because the damage was focused on personality misrepresentation rather than physical harm.    

2. CONSENT AND IDENTITY IN THE AI ERA

   
   

Generative Artificial Intelligence (AI) is trained to create hyper-realistic images and videos without taking consent from the person being shown, thereby undermining established principles of informed consent. According to Section 6 of the Digital Personal Data Protection Act 2023 (DPDP), consent needs to be informed, specific and limited to the purpose of data processing. Consent has to be a clear affirmative action and cannot be presumed or implied. However, AI technologies are capable of deriving data from public databases and this data can be repurposed as non-consensual explicit content. This violates the very requirement of informed consent and breaching the principles of purpose limitation and data minimisation, integral for valid consent     

To better explain how generative AI creates a conflict between consenting parties, unlike traditional non-consensual pornography, these tools don’t just create a new copy of the original. Instead, the final output is a pixel-based fabrication - not a recording of a real world act. As a result, defence lawyers often exploit this distinction and argue that final output is an animation and hence are not subject to prohibited pornography laws. In the case of R. Rajagopal v. State of Tamil Nadu, the High Court held that the right to protect one’s personality rights was violated when a person’s likeness was exploited without permission. These rights provide case specific relief against identity misuse, but do not address nor impose obligations on AI developers or platforms that misuse the public data. Hence, it would be naïve to apply the DPDP Act to generative AI by only relying on existing personality rights protections.

The DPDP Act reads very narrowly regarding personal data processing when implicating identifiable outputs. However, since deepfake videos are created with a composite of generated data, this means that this aspect of the DPDP Act would not apply to the generation of deepfake videos. The question, therefore, is whether or not the obligations within the DPDP Act, as well as the Information Technology Act of 2000, can be used to create proactive protections against identity theft due to AI technology.

3. GAPS IN SECTION 67A AND RELATED FRAMEWORKS

   
   

Section 67A of the Information Technology Act, 2000 prohibits the transmission of sexually explicit materials; however, its focus on the terms “distribution or dissemination” allows for a gap in legislation when dealing with materials that are generated by artificial intelligence, where there was no actual human activity involved. In some cases, this gap has been highlighted in litigation, where defence attorneys have claimed  that synthetic media should not be considered obscene under Section 294 of the Bharatiya Nyaya Sanhita, 2023 and should instead be classified as artistic fantasies, rather than an exploitative work. Treating deepfakes as “obscene” misses the essence of the harm inflicted. As the problem is not obscenity, but the fact that the person never consented to being depicted in it. The 2025 amendments to the IT Rules require platforms that receive reports about deepfakes to remove them within 36 hours, as well as to label any content made with A.I.. However, these provisions still operate on a re-active basis, through the lens of public morality, and treat the offenses as crimes against society, rather than private harms to an individual’s dignity. Such views do not take into account the agency of victims, as shown by the emphasis placed in the Bharatiya Nyaya Sanhita on “decency”alongside individual rights. The controversy surrounding      X’s Grok AI tool has only highlighted this gap in legislation; the current rules and regulations surrounding the creation and usage of high-risk A.I. systems are only concerned with events that occur after the media has been created, there are no set regulations in place for monitoring high-risk A.I. systems prior to the creation of such materials.

Unlike the European Union’s A.I. Act, which categorizes A.I. based on risk levels and requires transparency measures such as labelling of AI generated and user notifications ,India’s framework treats A.I. as a neutral technology. Although Section 79 of the IT Act offers immunity to intermediaries, it doesn’t state that intermediaries must create, by design, a method for collecting user consent; therefore, the platform is free from any liability. Judicial interpretation could bridge this by applying the mischief rule from Heydon’s Case.  Under this rule, courts could determine that the real “mischief” targeted by the statute is the non-consensual violation of dignity and explicit misrepresentation of a person’s identity, irrespective of whether the content depicts a real act or is fabricated by AI.

3.1 Judicial Foundations for a Dignity-Based Deepfake Framework

Firstly, R. Rajagopal v. State of T.N. (1994) provides the primary constitutional anchor: privacy under Article 21 includes the individual’s control over the use of their “name or likeness,” and the Court framed privacy as a “right to be let alone.” In the deepfake setting, that principle is critical because the wrong is not merely obscenity or falsity, but the non-consensual appropriation of identity itself.

Secondly, Justice K.S. Puttaswamy v. Union of India (2017) constitutionalised this logic by holding that “informational privacy is a facet of the right to privacy” and that privacy harms may arise not only from the State but also from non-State actors. That makes Puttaswamy especially relevant to generative AI, where identity misuse is usually produced through private platforms, scraped datasets, and automated systems rather than direct State action.

Thirdly, Anil Kapoor v. Simply Life India (Delhi High Court, 2023) is the closest Indian judicial engagement with AI-enabled persona misuse. The Court expressly recognised that tools “including Artificial Intelligence” can be used to imitate a person’s identity and accepted that such misuse implicates privacy and the “right to live with dignity,” thereby moving the inquiry beyond a narrow obscenity framework.

Finally, internationally, Reklos and Davourlis v. Greece (ECtHR, 2009) is a landmark because it held that a person’s image is “one of the chief attributes” of personality and that legal protection must begin at the stage of capture itself, not merely publication. Its importance for deepfakes is doctrinally significant: if image-based harm begins at collection and retention, Indian law should likewise regulate the upstream pipeline of scraping, storage, and synthetic generation, not only post-publication dissemination under Section 67A.

4. ALGORITHMIC HARMS, BIAS, AND EQUALITY

   
   

Deepfake technology  not only violates the principles of consent, but also raises substantial concerns of equality and  as protected under Article 14 and Article 15 of the Constitution. AI algorithms are trained on biased datasets which can perpetuate gender, caste, or religious prejudices, and disproportionately target marginalized groups. The DPDP Act 2023, evolved from its draft by removing a clear and broad definition of “harm” that included reputational injury and mental agony. The enacted DPDP Act, 2023 focuses primarily on promoting the technical security safeguards set out in Section 9 rather than establishing protections to prevent unfairness or bias arising from AI and automated decision-making. Without a clear statutory definition of “harm,” the Act offers little scope to tackle reputational, emotional, or discriminatory damages caused by such acts.      

The absence of a clearly defined standard for defining the concept of harm, in terms of how we would be able to challenge an output as being discriminatory, reflects the same patterns of failure that were raised about due process in cases like State v. Loomis, where the court examined whether the harm was being defined in a way that allowed for identification of algorithmic bias and to evaluate whether the output should be considered harmful or not. In Indian jurisprudence, Anuj Garg v. Hotel Association of India mandates preventing not only direct discrimination but also indirect discrimination indirect discrimination caused due to biases or stereotypes. Likewise, Navtej Singh Johar v. Union of India emphasizes substantive equality, meaning real and effective equality that respects dignity and promotes inclusion, rather than just treating everyone the same on paper. These rulings support a broader reading of the      DPDP Act and IT Act where courts could expand ‘harm’ to include dignitary losses from biased AI outputs. This aligns with Puttaswamy’s proportionality test which declared privacy a fundamental right linked to life, liberty, and dignity under Article 21 and introduced a proportionality test to check if any restriction on rights is fair and justified. Until legislative reforms, Courts need to step in and demand human oversight and clear explanations from tech companies, and  treat deepfake creation as a violation of informational privacy and equality.

5. THE REFORMS NEEDED TO ADDRESS THE GAPS

   
   

To fix these issues, a fresh perspective is needed from our courts. They should recognise ‘Digital Bodily Integrity’ (DBI) as an extension of Article 21 rights, similar to bodily autonomy as recognised in Common Cause v. Union of India. This would criminalize unauthorized use of digital likenesses, regardless of realism, shifting from a ‘decency’ to a ‘dignity’ model.

At the source, impose ‘Consent by Design’ obligations on AI developers, mandating guardrails like digital watermarks and metadata provenance, enforceable under expanded fiduciary duties in Section 10 of the DPDP Act. To address the  dissemination, establishing a Rapid Block System via a National AI Safety Clearinghouse is proposed. This mechanism would extend the existing 36-hour removal obligation by incorporating file hashing which will enable the detection and blocking of known harmful synthetic media within a few minutes, thereby reducing the harm caused by limiting the viral spread. The GDPR’s Article 22 requires human intervention in automated decisions; similarly, in Canada The federal Directive on Automated Decision-Making mandates human intervention in high-risk automated systems, requiring that humans make the final decision or provide meaningful review. By using current laws as guides, Indian courts may be able to reach similar conclusions. 

6. CONCLUSION

   
   

While the DPDP and IT Acts are important, they don’t fully protect against deepfakes. Following the example of Maneka Gandhi v. Union of India, courts should treat privacy and dignity laws as “living” tools. By evolving our legal interpretation and adopting reforms like the EU AI Act, India can ensure that technology respects constitutional values and provides real protection for digital citizens.