Regulation of Generative AI Platforms: MeitY’s Evolving Advisory Framework and Whether Voluntary Compliance Is Enough

Introduction

The emergence of generative artificial intelligence as a mainstream technology has confronted legal and regulatory systems with questions that existing frameworks were not designed to answer. Large language models capable of producing human-quality text, image generators producing photorealistic synthetic media, and voice cloning tools capable of impersonating identifiable individuals have entered widespread public use in India within a span of a few years, with minimal regulatory structure to govern their deployment, risks, or accountability.

India’s response to this challenge, led by the Ministry of Electronics and Information Technology (MeitY), has been tentative, iterative, and ultimately unsatisfying from a rule-of-law perspective. A March 2024 advisory requiring government permission for AI platform deployment was issued and rapidly retracted in the face of industry criticism. A revised April 2024 advisory imposed labelling and compliance requirements through advisory guidance rather than binding regulation. India remains without a comprehensive AI statute as of early 2026, while the EU AI Act has come into force and China has implemented its own sector-specific AI regulations. This article examines MeitY’s advisory framework, the specific Indian concerns that motivate AI regulation, the comparative regulatory landscape, and the debate between horizontal regulation and sector-specific approaches.

Legal Framework

India’s current legal basis for AI content regulation derives primarily from the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, which impose due diligence obligations on intermediaries including requirements to refrain from hosting certain categories of harmful content. Rule 3(1)(b) requires intermediaries to ensure that users do not host content that is obscene, pornographic, invasive of privacy, harmful to minors, incites violence, or is otherwise unlawful. These obligations apply to AI-generated content as they do to human-generated content, insofar as the intermediary hosts or facilitates the content.

However, the IT Rules 2021 framework was not designed to address the unique characteristics of generative AI: the at-scale, near-instantaneous generation of novel content, the potential for systematic bias, hallucination, manipulation, and impersonation, and the opacity of the underlying models that makes content moderation at the generation stage fundamentally different from content moderation at the hosting stage. A rule requiring that intermediaries not host “fake” content presupposes that falsity can be identified after generation; it provides no framework for governing the design parameters of models that generate content in the first place.

MeitY’s March 2024 advisory, directed at AI platforms, stated that AI models being deployed in India should be tested to ensure they do not generate responses that could be unlawful under Indian law, that platforms should label AI-generated content, and that platforms deploying “under-tested” or “unreliable” AI models should obtain government permission before deployment. The permission requirement was the most controversial element: it implied that the government should have a gatekeeping role over which AI systems may be used in India, a proposition that raises serious concerns about innovation suppression and the appropriate boundaries of executive authority.

The retraction of the March advisory and its replacement in April 2024 with a softer version that dropped the permission requirement and instead required labelling of AI-generated content and compliance with Indian laws reflected the government’s sensitivity to industry concerns and international perceptions of India as a regulatory-hostile environment for technology companies. The April advisory, however, remained advisory in nature, creating expectations of compliance without the force of law or the clarity of enforceable standards.

Judicial Developments

Indian courts have not yet adjudicated comprehensive cases involving generative AI liability, though several pending matters touch on AI-related legal questions. Defamation suits involving AI-generated deepfake videos of public figures have been filed in multiple jurisdictions, raising questions about whether the platform that hosted the deepfake, the tool that generated it, or the user who created it should bear liability. The existing framework under the IT Act, which focuses on intermediary liability for third-party content, is poorly suited to the deepfake context because the harm arises not from the hosting of existing content but from the AI-enabled creation of new harmful content.

The Election Commission of India has issued guidelines on the use of AI in political campaigning ahead of the 2024 general elections, requiring political parties to disclose AI-generated content in their advertising and prohibiting certain uses of AI to create misleading content about political opponents. These guidelines operate through the Model Code of Conduct mechanism rather than through binding law, but they represent the first regulatory acknowledgement at the institutional level of AI-specific electoral risks in India.

The Supreme Court has not directly addressed generative AI in its jurisprudence, but its observations in defamation and privacy cases about the amplified harm caused by digital technologies are relevant by analogy. The reasoning in the Puttaswamy privacy judgment, recognising informational autonomy as a component of the right to privacy, has clear implications for deepfake regulation: using AI to generate false representations of a person’s image, voice, or words without consent is a violation of informational autonomy that the constitutional framework should protect against.

Contemporary Issues and Analysis

India’s specific AI regulation concerns differ in important respects from those driving EU and US regulatory discussions. While the EU’s focus has been on systemic risk, fundamental rights compliance, and product safety analogies, India’s most pressing concerns are more immediate: election integrity threats from AI-generated political misinformation, communal harmony risks from AI-generated content designed to inflame religious or caste tensions, and the use of AI for financial fraud at scale.

The 2024 general election demonstrated the practical dimensions of the AI threat. AI-generated voice clones of political leaders were circulated on social media in the weeks before polling, some endorsed by political parties and some created by opponents to attribute false statements to candidates. The Election Commission’s guidelines, while welcome, had limited reach because they applied to registered political parties’ official advertising rather than to independently created and circulated AI content. The regulatory gap between official political advertising and the vast ecosystem of AI-generated content circulated by supporters, bots, and anonymous accounts remains unaddressed.

The deepfake problem has particular severity in the context of gender-based violence. AI-generated non-consensual intimate imagery, sometimes called deepfake pornography, has been used to harass, blackmail, and silence women journalists, activists, and public figures in India. The IT Act’s existing provisions on obscenity and privacy violations provide some basis for prosecution but are not specifically designed for AI-generated imagery. Section 67A of the IT Act criminalises publishing sexually explicit material in electronic form, and Section 67B addresses child pornography, but there is no specific provision addressing AI-generated non-consensual intimate imagery of adults.

MeitY’s draft Digital India Act, which has been under consultation since 2022 as a potential replacement for the IT Act 2000, has been repeatedly deferred. If and when enacted, it is expected to provide a more comprehensive framework for AI governance, but the timeline for legislative action remains uncertain.

Comparative and International Perspective

The EU AI Act, adopted in June 2024 and entering into force in August 2024, represents the world’s most comprehensive binding legal framework for AI regulation. It takes a risk-based approach, classifying AI systems by the level of risk they pose: unacceptable risk (prohibited), high risk (heavily regulated), limited risk (transparency obligations), and minimal risk (no specific obligations). Generative AI systems are addressed through a specific section requiring providers to comply with transparency obligations, watermark AI-generated content, and demonstrate adequate safeguards for fundamental rights. Foundation model providers (those training large models) face additional systemic risk assessment obligations.

China’s approach, through its Generative AI Interim Measures notified in July 2023, requires AI service providers to conduct security assessments before deployment, label AI-generated content, ensure content compliance with Chinese law and values, and protect the personal information of users. China’s framework is notable for its speed of adoption, having been enacted within months of ChatGPT’s global emergence, though it reflects China’s specific regulatory priorities, including content controls aligned with the Communist Party’s political requirements.

The UK has taken a sector-led approach, declining to enact horizontal AI legislation and instead relying on existing sector regulators (the FCA for financial services AI, the CQC for healthcare AI, Ofcom for media-related AI) to develop AI governance standards within their existing regulatory remits. The UK’s approach has the advantage of preserving regulatory flexibility but risks inconsistent standards and accountability gaps for cross-sectoral AI applications.

The US approach under the Biden administration’s Executive Order on AI (2023) and the National Institute of Standards and Technology (NIST) AI Risk Management Framework is primarily voluntary and guidance-based at the federal level, with sector-specific binding standards emerging in areas like federal government AI procurement.

Practical and Policy Implications

For AI companies operating in India, MeitY’s advisory framework creates a compliance obligation that is real in its expectations but uncertain in its enforcement. The absence of a statutory basis for AI-specific regulations means that enforcement against non-compliant AI platforms must rely on the existing IT Act and Rules framework, which is imperfectly suited to the generative AI context. Companies that label AI-generated content and maintain internal responsible AI policies are in a more defensible compliance position, but the absence of clear standards means that even diligent companies cannot be certain that their practices will satisfy future regulatory expectations.

For Indian users of generative AI tools, the practical risk is that harms caused by AI systems, whether deepfakes, biased outputs, or AI-generated misinformation, lack clear legal redress mechanisms. The DPDP Act’s framework for personal data protection may apply where AI outputs involve personal data, but the broader range of AI harms falls outside its scope.

Suggestions and Reforms

India should enact a dedicated AI Governance Act that adopts a risk-tiered approach broadly aligned with the EU AI Act while reflecting Indian constitutional values and specific risk priorities. The Act should prohibit specific high-risk applications, including real-time biometric surveillance systems in public spaces, AI systems for social scoring, and AI-generated content designed to manipulate electoral outcomes. It should impose transparency and labelling obligations on all generative AI platforms deployed for public use in India. And it should establish a mandatory incident reporting regime for AI-related harms, similar to the CERT-In Directions’ approach for cybersecurity incidents.

For deepfakes specifically, India needs targeted legislation creating criminal offences for the non-consensual creation or distribution of AI-generated intimate imagery, with enhanced penalties where the victim is a minor and where the content is used for harassment or extortion. The existing Section 67A framework should be amended to explicitly address AI-generated content.

On the broader question of horizontal versus sectoral regulation, India’s diverse and rapidly evolving AI landscape argues for a hybrid approach: a horizontal statute establishing foundational principles, prohibited applications, and transparency requirements, supplemented by sector-specific guidelines from SEBI, IRDAI, NMC, and other regulators for AI applications within their respective jurisdictions.

Conclusion

MeitY’s advisory framework for generative AI represents a pragmatic response to the challenge of regulating a technology that evolves faster than legislative processes. However, advisories are not law, and their voluntary character creates an accountability gap that will be exploited by the least responsible actors in the AI ecosystem. India’s specific vulnerabilities, from electoral manipulation to gender-based deepfake violence to AI-amplified communal disinformation, demand more than guidance documents. The window for designing a thoughtful, constitutionally grounded, and internationally coherent AI governance framework is open, but it will not remain open indefinitely as the technology’s capabilities and its social impacts continue to accelerate.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these