Legal Chronicle

January 2026

Index

Corporate Liability in Deep Fake and Misinformation Cases: Legal Risks in the AI Era

1	Introduction
2	Understanding Deep Fake and Misinformation
3	Corporate Involvement: Direct and Indirect Roles
4	Legal Framework Governing Liability in India
5	Key Provisions under the IT Rules, 2021
6	Corporate Governance and Internal Compliance
6	Liability Considerations
6	References
7	Conclusion
8	About Us
9	Our Team

Dear Reader,

The Legal Department at UJA is delighted to impart certain legal knowledge as construed under the Legal Chronicle to keep the readers aware of the recent updates and developments that revolve around various aspects of the law. Our goal is to enable our readers to develop a sense of familiarity with the complexities of Indian as well as international law.

In this edition of Legal Chronicle, we focus on Data Breach Response in India, providing an insight on the CERT-IN Directions under the IT Act and the Digital Personal Data Protection (DPDP) Act, 2023. With the rising frequency of cyber incidents and data breaches, it is crucial for organizations to understand their legal obligations. While the DPDP Act establishes comprehensive personal data protection rules, its operational mechanisms for breach reporting are yet new. Until then, CERT-IN Directions remain the go-to framework, mandating immediate reporting, preservation of logs and technical cooperation. This edition also highlights practical compliance steps, including incident detection, forensic investigation and preparation for future DPDP requirements, ensuring that organizations are both legally compliant today and prepared for tomorrow.

We hope that this edition creates a sense of enthusiasm for our readers and successfully delivers the plethora of legal knowledge as intended. In case you have any feedback or need us to include any information to make this issue more informative, please feel free to write to us at legal@uja.in.

Introduction

Deepfakes are AI-generated videos or images that convincingly mimic real individuals, while misinformation refers to false or misleading information that spreads intentionally or unintentionally. With the rapid advancement of AI tools and the widespread use of digital platforms, both deepfakes and misinformation are becoming increasingly prevalent, posing risks to individuals, brands and society at large. Corporations, whether as creators, hosts or passive enablers of such content, may face legal and reputational consequences if they fail to address these risks. This article will explore how Indian law and global frameworks tackle corporate liability in cases involving deepfakes and misinformation.

Understanding Deep Fakes and Misinformation

Deepfakes refer to AI-generated synthetic media that realistically imitate real individuals, making it increasingly difficult to distinguish between authentic and fabricated content. Misinformation denotes false or inaccurate information shared without harmful intent, whereas disinformation is deliberately created to deceive or manipulate. Recent instances, such as political deepfakes influencing public opinion and fake brand endorsements circulating online, highlight the growing misuse of such technologies. These developments pose significant risks to individuals’ reputations, corporate credibility and overall public trust in digital media, emphasizing the urgent need for stronger regulatory and ethical frameworks.

Corporate Involvement: Direct and Indirect Roles

Corporations can be connected to deepfakes and misinformation both directly and indirectly. Direct involvement arises when a company’s technology, tools or employees are used to create or disseminate manipulated content. Indirect involvement occurs when corporations, particularly digital platforms or intermediaries, host, promote or fail to remove such content despite being aware of it. Additionally, many companies become victims of deepfakes or misinformation that damage their brand reputation, mislead customers or affect stakeholder trust. In all scenarios, corporate accountability and proactive governance play a crucial role in mitigating the legal, ethical and reputational risks associated with such incidents.

Legal Framework Governing Liability in India

Information Technology Act, 2000 (IT Act)

In India, the IT Act addresses various cyber offences, including identity theft, impersonation, privacy violations and publishing or transmitting obscene or sexually explicit content. It also empowers authorities to issue blocking orders to intermediaries and notices for the removal of unlawful content, thereby ensuring accountability of intermediaries in managing digital content.

IT Rules, 2021 (Intermediary Guidelines and Digital Media Ethics Code)

The IT Rules, notified by MeitY and amended in 2022 and 2023, require intermediaries to exercise due diligence and prevent the hosting or transmission of unlawful content, including harms arising from emerging technologies like AI. These rules aim to ensure platform accountability and safeguard users from the misuse of digital platforms.

Digital Personal Data Protection (DPDP) Act, 2023

The DPDP Act ensures that personal data is processed lawfully, with explicit user consent and reasonable security safeguards. Deepfakes or AI-generated content using personal data without consent can attract penalties under this Act, reinforcing individual privacy rights in the digital space.

Bharatiya Nyaya Sanhita (BNS), 2023

The BNS targets misinformation and disinformation. Section 353 penalizes the creation and dissemination of false or misleading statements, rumours or reports that may cause public fear or mischief. Organized cybercrimes involving deepfake content can also be prosecuted under Section 111, strengthening legal recourse against malicious AI-generated content.

Key Provisions under the IT Rules, 2021

Key Provisions under IT Rules, 2021 (Rule 3(1)(b))

The Rules restrict the hosting or transmission of content that is obscene, pornographic, privacy-invasive, or promotes hate or violence. They also cover content that harms children, misleads or deceives (including via deepfakes), impersonates others (including through AI), threatens national security or public order, or violates any applicable law. These provisions ensure that intermediaries exercise due diligence in monitoring and managing unlawful or harmful digital content.

User Awareness Obligations

Intermediaries are required to inform users, via terms of service and user agreements, about the consequences of sharing unlawful content, including content removal, account suspension, or termination, ensuring users are aware of their responsibilities and potential penalties.

Accountability in Content Removal

Intermediaries must act expeditiously to remove unlawful content upon court orders, government notice or user grievances, within prescribed timelines.

Grievance Redressal

Intermediaries must appoint Grievance Officers to address user complaints, ensuring unlawful content is removed within 72 hours and content involving privacy violations, impersonation or nudity is removed within 24 hours of receiving a complaint.

Grievance Appellate Committees (GACs) Mechanism

Users can appeal online if the intermediaries’ Grievance Officers do not address their complaints. GACs ensure accountability and transparency of content moderation decisions.

Corporate Governance and Internal Compliance

Effective corporate governance and internal compliance mechanisms are critical in managing risks associated with deepfakes, misinformation and other digital threats. Companies are expected to establish clear policies, oversight structures and accountability frameworks to ensure ethical use of technology, prevent misuse and respond promptly to incidents. Internal compliance measures, including risk assessments, employee training, reporting channels and audit mechanisms, help organizations meet legal obligations under Indian laws like the IT Act, DPDP Act, POSH Act and other relevant regulations. Strong governance not only mitigates legal and reputational risks but also reinforces trust among stakeholders and promotes responsible corporate conduct.

Liability Considerations

Corporate liability in cases of deepfakes and misinformation depends on the company’s role, awareness and response to the content. Companies may be held accountable if they create, distribute, host, or fail to remove harmful content, or neglect due diligence obligations under laws like the IT Act, DPDP Act, upon being effective and CERT-In Directions. Liability may extend to directors, officers and intermediaries, emphasizing the importance of robust internal controls, monitoring mechanisms and timely compliance to mitigate legal, financial and reputational risks.

Conclusion

Deepfakes and misinformation present significant challenges for individuals, corporations and society at large. Ensuring corporate accountability through robust governance, internal compliance and adherence to legal frameworks both in India and globally is essential. By adopting proactive risk mitigation strategies, ethical practices and timely response mechanisms, organizations can safeguard their reputation, protect stakeholders and navigate the evolving digital landscape responsibly.

Disclaimer

This document is intended to provide general information and is not intended to be substituted for any legal or professional advice. This document is meant exclusively for informational purposes and not for advertising or solicitation. UJA has made significant efforts to ensure that the information contained in this document is accurate and reliable. However, the information herein is provided “as is” without warranty of any kind. UJA hereby disclaims all responsibility and liability, whether stated or implied, for the accuracy, validity, adequacy, reliability or completeness of any information provided under this document. In no event shall UJA be held liable for any losses or damages whatsoever incurred as a result of using this document.

About UJA

The UJA’s team specializes in offering a wide range of legal solutions, ensuring comprehensive support for both businesses and individuals.

Our Comprehensive Services Include:

Legal Advisory
Contract Negotiation & Management
Financial & Legal Due Diligence
Immigration-related Services
Drafting & reviewing of legal documents, policies & Notices
Labour Law
Dispute Resolution & Arbitration
Business & Operational Restructuring for M&A
Trademark Filing & IP-related advisory
Legal Metrology & Related Services

UJA supports businesses in navigating complex regulations, global markets, and GI laws. Operating across France, Germany, Japan, Spain, and more, we specialize in market entry, expansion, and offering tailored solutions for growth. With over 29 years of experience and a team of 170+ experts, we have helped more than 1000 clients from SMEs to MNCs achieve their goals. Headquartered in Pune, we have offices across India – Bengaluru, Gurugram, Mumbai and International Offices in Japan, Italy and France with the representation in Germany, Spain & the UAE.