NAVIGATING THE DEEPFAKE DILEMMA: LEGAL PERSPECTIVES FROM INDIA AND THE EU AI ACT

Introduction

In this digital age, sophisticated technology has led to a new era of information manipulation and deception. Among these, the Deepfakes have emerged as a potential tool that often startles realism. Initially, this was used for entertainment purpose but deepfakes today have raised major concerns.

India being one of the largest consumers of online media, the raise in deepfakes poses unique challenges. From celebrity videos to political misinformation during the recent elections, this technology has raised several legal concerns while the legal framework to address deepfake related offences remains nascent and new.

This blog seeks to explore the current legal landscapes regulating deepfakes and how Digital Personal Data Protection Act, 2023(DPDPA) can be applied for protecting personal data from being misused. The blog also try to bring in a global perspective by incorporating the implications of EU AI act. By intersecting law and technology we focus on mitigating the risks posed by deepfakes.

Rise of Deepfakes

Generative artificial intelligence (generative AI, GenAI, or GAI) is a transformative technology capable of generating text, images, videos, or other data using generative models, often in response to prompts. One prominent application of Generative AI is the creation of deepfakes, which utilize techniques such as Generative Adversarial Networks (GANs). Deepfakes (a portmanteau of "deep learning" and "fake") are synthetic media that convincingly replace one person's likeness with another's. Coined in 2017 by a Reddit user, the term now includes other realistic digital creations, such as lifelike images of human subjects who do not exist in reality. The striking authenticity of deepfakes poses significant consequences, ranging from defamation and privacy breaches to the spread of misinformation, making it a crucial area of concern in the digital age.

Deepfakes have significant negative impacts, particularly in a digitally active country like India. Deepfakes today had major social impacts. It has been a major issue in political realm recently during election campaigning. Beyond politics it can also be used to tarnish the image of individuals and harass them. Women on a large scale have been the victims of such malicious deepfake content. This calls for an urgent need for robust legal framework and technological safeguards.

Understanding the Rules and Regulations Surrounding Deepfakes

India lacks specific laws to regulate Deepfakes and AI related crimes but laws around cybercrimes , privacy and defamation can be applied.

Information Technology Act Provisions

·        Section 66C addresses identity theft by penalizing the fraudulent or dishonest use of another person’s electronic signature, password, or unique identification feature. Offenders can face imprisonment for up to three years and a fine of up to Rs 1 lakh. This section can be applied to cases where deepfakes are used to impersonate someone.

·      Section 66D targets cheating by personating through electronic means. Those found guilty of such acts can be imprisoned for up to three years and fined up to Rs 1 lakh. This provision is relevant when deepfakes are employed to deceive or defraud individuals by pretending to be someone else.

·        Sections 66E, 67, 67A, and 67B cover cyber crimes related to pornography, addressing privacy violations and the dissemination of explicit content electronically. These sections impose significant penalties for offenses, particularly those involving children. These provisions are applicable to deepfakes involving explicit content or violations of privacy.

Indian Penal Code Provisions

·         Section 499 defines defamation as the intentional act of harming another person’s reputation through words, writing, signs, or visible representations. Deepfakes that damage someone's reputation fall under this category and can be prosecuted accordingly.

·         Section 500 outlines the punishment for defamation offenses, which can include imprisonment for up to two years, a fine, or both. This section is used to penalize individuals responsible for creating or distributing defamatory deepfakes.

Application of The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act (DPDPA) aims to protect the personal data of individuals, known as "Data Principals," from misuse by entities termed "Data Fiduciaries." Data fiduciaries are organizations or entities that determine the purpose and means of processing personal data. They are responsible for ensuring that the data they handle is processed in compliance with legal requirements, including obtaining consent, implementing security measures, and being transparent about their data processing activities. Data principals are individuals whose personal data is being processed. They have specific rights under data protection laws, including the right to access, correct, and erase their personal data, as well as the right to be informed about how their data is being used and the ability to withdraw consent.

The act has wide ranging definition. “Personal Data ” is defined as any data that can identify a person. This broad definition includes not only obviously sensitive data but also subjective information like opinions or media (photos, videos) that can identify an individual.

Section 4 mandates that personal data must be processed lawfully, fairly, and transparently. In the context of deepfakes, this means that the use of an individual's likeness must be lawful and transparent, preventing unauthorized creation and use of deepfakes. Individuals must be informed about how their data, including their likeness, is being used.

Section 8 reinforces that personal data processing must be based on explicit consent, which is essential for deepfakes where an individual's likeness is used to create synthetic media. Consent must be informed, specific, and revocable, ensuring that individuals can deny or withdraw consent for the use of their likeness. This provision empowers individuals to prevent unauthorized deepfake creation and use. There are no specific provisions regarding the duties of a data fiduciary in relation to AI generated media. Yet, this duty set out under section 8(5) can be expanded to make sure that all fake contents made with a data fiduciary’s possession will instantly be deleted as soon as they are detected.

Section 8(5): Obligates Data Fiduciaries to protect personal data from breaches and suggests additional safeguards like restricting the download and sharing of private media. Section 8(6) Requires informing Data Principals immediately upon detecting a breach, enabling them to take protective actions.

Section 8(10) Mandates Data Fiduciaries to establish effective grievance redressal mechanisms, allowing Data Principals to request the removal of misused personal data. Given their potential to cause significant harm, the right to be forgotten is crucial for individuals affected by deepfakes which is envisaged  in section 12 of the act which allows Data Principals to request the removal of their data. While the right to erasure exists, it's not absolute. The Data Fiduciary is not obligated to erase data if it's required for fulfilling a legal obligation, Processing for public interest purposes, Scientific or historical research purposes or statistical purposes.

The DPDPA does not cover deepfakes made by AI in express terms even though it is a rudimentary framework that can be built upon to protect people’s rights, especially their right to privacy. Deepfakes can be counteracted by utilizing the Act’s sections which include personal data lawfulness of processing, data accuracy, consent requirement as well as the right to be forgotten.

However, there are some areas in the DPDPA where its effectiveness against deepfakes needs to be enhanced:

1.      Publicly Available Data Exemption: Section 3(c)(ii) excludes data voluntarily made publicly available from the Act’s protection. This loophole enables people to generate fake videos using public personal data.

2.      No Distinction Between Personal and Sensitive Data: The DPDPA does not differentiate between personal and sensitive personal data, which may lead to inadequate protection for more sensitive information that could be misused in deepfakes.

3.      Personal and Domestic Purpose Exemption: Section 3(c) exempts personal or domestic data processing from the Act without clearly defining 'personal or domestic.' This ambiguity raises questions about whether individuals creating deepfakes can be considered data fiduciaries and held accountable under the Act.

Addressing these gaps by clarifying and expanding the scope of the DPDPA could significantly strengthen protections against the misuse of personal data in deepfakes. Until specific legislation regarding AI and deepfakes is enacted, these modifications are crucial for safeguarding individuals' privacy and ensuring their personal data is not exploited.

EU AI Act and Deepfakes

The EU AI Act specifically addresses deepfakes, a type of AI-generated media that can alter or fabricate content realistically. This is because deepfakes can be misused and pose a threat.

The Act includes several key rules for deepfakes:

1.            Transparency: Those creating or using deepfakes must clearly disclose that the content is AI-generated. This helps people recognize when they're viewing artificial content and reduces the risk of misinformation.

2.            Classification: Deepfakes can be classified as high-risk depending on how they're used. Political manipulation or defamation might be considered high-risk and face stricter regulations.

3.            Traceability: Records of how deepfakes are created and the data used must be maintained. This allows authorities to track the origin of deepfakes if needed.

4.            Prohibited Uses: Certain malicious uses, like deepfakes for social scoring or illegal surveillance, are entirely banned.

Overall, the EU AI Act aims to balance innovation with protecting society from harmful uses of technology like deepfakes. It focuses on high-risk applications to prevent misuse and ensure ethical development of AI.

Conclusion

The rise of deepfakes presents a clear and present danger to our digital landscape. While existing legislation in India like the IPC, IT Act, and DPDPA offer a framework to address some aspects of deepfake misuse, they lack the comprehensiveness to tackle the full scope of the threat. The EU AI Act provides a valuable blueprint for crafting a more robust regulatory environment.

Learning from the EU's approach, India urgently needs to develop a national AI regulation framework. This framework should prioritize transparency and accountability, ensuring clear labeling of deepfakes and establishing mechanisms for tracing their origin. Furthermore, it should explicitly prohibit malicious uses of deepfakes, such as those intended to manipulate elections, spread disinformation, or damage reputations. Additionally, public awareness campaigns can educate citizens on how to identify deepfakes and navigate the increasingly complex digital world. The time to act is now, before the tide of deepfakes washes away the foundations of our digital society.

References

1.      India’s digital personal data protection act: Striking a balance between privacy rights and public data By Lalu John Philip & Krutamana Pisipati https://etinsights.et-edge.com/indias-digital-personal-data-protection-act-striking-a-balance-between-privacy-rights-and-public-data/

2.      Decoding the Digital Personal Data Protection Act , 2023 by Lalit Kalra https://www.ey.com/en_in/cybersecurity/decoding-the-digital-personal-data-protection-act-2023

3.Deepfakes and the digital personal data protection act, 2023: navigating the intersection of technology and privacy law in India by Kulin Dave https://www.linkedin.com/pulse/deepfakes-digital-personal-data-protection-act-2023-navigating-dave-xryuf

4.      The “Deepfake” Conundrum - Can the Digital Personal Data Protection Act , 2023 deal with misuse of Generative AI by Sarvagya Chitranshi https://www.ijlt.in/post/the-deepfake-conundrum-can-the-digital-personal-data-protection-act-2023-deal-with-misuse-of-ge

5.What Are Laws Around Deepfakes And Are They Stringent Enough? By Zaina Azhar Sayeda https://www.outlookindia.com/national/what-are-the-laws-around-deepfakes-and-are-they-stringent-enough-rashmika-mandanna-kajol-katrina-kaif-social-media-laws-news-331892

6.Regulating deepfakes and AI in India by Nitika Gupta https://www.linkedin.com/pulse/regulating-deepfakes-ai-india-nitika-gupta-liccf

7.Legal Implications of Deepfakes and AI-generated Content in India by Manan Mathur https://www.linkedin.com/pulse/legal-implications-deepfakes-ai-generated-content-

8.Deepfakes and the law: Are we protected? By Lexology https://www.lexology.com/library/detail.aspx?g=6de74674-e2d5-4e0c-9e26-33f4d6aadf40

9. EU Strengthens AI Regulations and Targets Deepfakes Amid Rising Concerns by BioID https://www.bioid.com/2024/06/03/eu-ai-act-deepfake-regulations/

10. The AI Act vs. deepfakes: A step forward, but is it enough?By Cristina Vanberghen https://www.euractiv.com/section/artificial-intelligence/opinion/the-ai-act-vs-deepfakes-a-step-forward-but-is-it-enough/