Part 2: IT Intermediary Rules 2025 for AI | CTL Module 1

2.1 Evolution of IT Intermediary Rules

The IT Intermediary Rules have undergone significant evolution to address emerging AI challenges. Understanding this progression is essential for compliance advisory.

Regulatory Timeline

Year	Development	AI Relevance
2011	Original IT Rules (Intermediary Guidelines)	Basic safe harbour; no AI provisions
2021	IT Rules 2021 (Intermediary Guidelines and Digital Media Ethics Code)	Content moderation; due diligence; no specific AI rules
2022	Amendment introducing Grievance Appellate Committee	Appeal mechanism for content decisions
2023	Amendment on fact-checking, misinformation	Fake news provisions applicable to AI-generated content
2024	Draft AI-specific amendments	Deepfakes, synthetic media labeling proposals
2025	IT Intermediary Rules 2025	Comprehensive AI content regulations

Key Drivers for AI-Specific Amendments

Deepfake Crisis: Proliferation of AI-generated fake videos of public figures, celebrities
Election Integrity: Concerns over AI-generated misinformation affecting elections
Fraud Prevention: AI-powered scams, voice cloning, synthetic identity frauds
Consent Violations: Non-consensual intimate imagery using AI face-swapping
Platform Accountability: Need for clear obligations on AI tool providers

💡 Key Insight

The 2025 amendments shift from reactive content moderation to proactive AI governance. Platforms must now implement safeguards before AI-generated content causes harm, not just respond to complaints.

2.2 Key Definitions and Scope

The 2025 amendments introduce critical definitions that determine the scope of AI-related obligations. Precise understanding of these definitions is essential for compliance.

Rule 2(1)(aa) - Artificial Intelligence System New Definition

"Artificial Intelligence System" means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the inputs it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

Analysis: This definition aligns with the OECD/EU approach. Key elements: (1) machine-based, (2) autonomy, (3) adaptiveness, (4) inference capability, (5) output generation. Note: Does not require "learning" - rule-based systems may qualify.

Rule 2(1)(sa) - Synthetic Media New Definition

"Synthetic Media" means any image, audio, video, or text content that has been digitally created, modified, or manipulated using artificial intelligence or machine learning technologies, including but not limited to deepfakes, AI-generated images, voice clones, and algorithmically generated text.

Analysis: Broad definition covering all modalities (image, audio, video, text). Includes both creation and modification. The phrase "including but not limited to" ensures future AI capabilities are covered.

Rule 2(1)(da) - Deepfake New Definition

"Deepfake" means synthetic media in which the likeness of a person, including their face, body, or voice, has been digitally manipulated or replaced with that of another person or a computer-generated representation, using artificial intelligence or machine learning, in a manner that could reasonably deceive an ordinary person into believing that the depicted person actually performed the depicted action or spoke the depicted words.

Analysis: Elements: (1) synthetic media, (2) person's likeness, (3) manipulation/replacement, (4) AI/ML technology, (5) deception capability. The "ordinary person" standard is subjective and will require judicial interpretation.

Scope of Application

Entity Type	Rule Applicability	Key Obligations
AI Tool Providers	Full compliance	Labeling, detection, prevention measures
Social Media Intermediaries	Full compliance + SSMI requirements	Content detection, takedown, reporting
Significant Social Media Intermediaries	Enhanced compliance	AI audit, algorithm transparency, dedicated AI team
Enterprise AI Users	User obligations apply	Disclosure when publishing AI content
Individual Users	User obligations apply	Disclosure, no malicious deepfakes

2.3 AI-Specific Obligations

The 2025 amendments introduce specific obligations for AI-generated content that practitioners must understand for effective compliance advisory.

Rule 3(1)(b)(vii) - AI Content Labeling

Mandatory AI Content Disclosure Due Diligence

The intermediary shall inform its users, at least once a year, that in respect of synthetic media or AI-generated content, the user shall ensure that such content is clearly and conspicuously labeled as artificially generated or manipulated, using metadata, watermarks, or visible disclosures, as may be specified.

Labeling Requirements

Visible Disclosure: Clear text label stating "AI-Generated" or "Synthetically Created" visible to viewers
Metadata Embedding: Technical metadata indicating AI origin embedded in file
Watermarking: Digital watermarks for images and videos (C2PA or similar standards)
Audio Disclosure: Audible statement for AI-generated audio content

Rule 3(1)(d)(ii) - Deepfake Prohibition

Prohibition on Malicious Deepfakes User Obligation

The user shall not host, display, upload, modify, publish, transmit, store, update or share any information which... creates or distributes deepfakes of any person without that person's explicit consent, or distributes deepfakes with intent to deceive, defame, harass, or threaten any person.

⚠️ Critical Exception

Exceptions exist for: (1) Parody/satire clearly identifiable as such, (2) Educational content with disclosure, (3) Artistic expression with consent or public interest justification, (4) News reporting in public interest. However, these exceptions are narrowly construed.

Rule 4(1)(e) - AI Detection Mechanisms

SSMI Detection Obligation SSMI Specific

A significant social media intermediary shall deploy technology-based measures, including automated tools utilizing artificial intelligence, to proactively identify synthetic media and deepfakes that violate these rules or the terms of service, and shall take appropriate action including removal, labeling, or restricting distribution.

Detection Requirements for SSMIs

Automated Detection: AI-powered systems to identify synthetic content
Hash Matching: Maintain hash database of known harmful deepfakes
User Reporting Integration: Easy mechanism for users to flag suspected AI content
Human Review: AI detection must be supplemented by human oversight
Accuracy Standards: Detection systems must meet prescribed accuracy thresholds

Rule 4(8A) - Algorithm Transparency

Algorithmic Transparency Obligation SSMI Specific

A significant social media intermediary that uses algorithmic systems for content recommendation, curation, or moderation shall publish, and update at least annually, a transparency report describing: (a) the primary parameters used by such algorithms, (b) options available to users to modify or opt out of algorithmic recommendations, (c) measures taken to prevent algorithmic amplification of harmful content.

⚖️ Practice Advisory

When advising SSMIs on algorithm transparency, recommend a tiered disclosure approach: (1) Public summary for users, (2) Detailed technical documentation for regulators, (3) Audit-ready records for compliance verification. Balance transparency with trade secret protection.

2.4 Safe Harbour Implications for AI

The relationship between AI content and safe harbour protection under Section 79 IT Act has critical implications for platform liability.

Section 79 Safe Harbour: Recap

"An intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him." Section 79(1), IT Act 2000

Conditions for Safe Harbour (Post-2025 Amendments)

Condition	Pre-2025	Post-2025 (AI Context)
Mere Conduit	No initiation, selection, modification	AI curation may affect "modification" analysis
Due Diligence	Observe IT Rules	Must include AI-specific due diligence
Actual Knowledge	Court order/govt notification	AI detection may create constructive knowledge
Expeditious Removal	Upon actual knowledge	Stricter timelines for AI-generated harmful content

When Safe Harbour is Lost

Failure to Label: Not implementing AI content labeling requirements
No Detection Systems: SSMIs without AI detection lose protection for undetected harmful content
Algorithm Amplification: If algorithms actively promote known harmful AI content
Delayed Takedown: Failure to act within prescribed timelines on AI-related complaints
Non-Compliance with Orders: Failure to comply with government blocking orders for AI content

⚖️ Shreya Singhal Implications

Recall that Shreya Singhal v. Union of India (2015) held that "actual knowledge" requires court order or government notification. Question: Does AI detection of violative content create "actual knowledge"? The 2025 amendments suggest yes for SSMIs with detection capability.

AI Tool Provider Liability

A critical question: Are AI tool providers (like ChatGPT, Midjourney) "intermediaries" entitled to safe harbour?

Argument for Safe Harbour: AI tools are conduits processing user prompts, not initiating content
Argument Against: AI generates content, not merely transmits - different from traditional intermediaries
Current Position: The 2025 amendments suggest AI tool providers have obligations regardless of intermediary status

⚠️ Regulatory Uncertainty

The intermediary status of AI tool providers remains legally uncertain. Advise clients to implement safeguards as if safe harbour does NOT apply, while preserving arguments for intermediary status as a fallback defence.

2.5 Compliance Framework

Practitioners must advise clients on implementing comprehensive AI content compliance programs aligned with the 2025 amendments.

Compliance Checklist for AI Tool Providers

Terms of Service Update: Incorporate AI content rules, user disclosure obligations
Labeling Infrastructure: Implement metadata, watermarking, visible disclosure systems
User Agreements: Obtain consent for AI generation, prohibit deepfakes without consent
Content Filtering: Prevent generation of prohibited content (CSAM, terrorism, etc.)
Grievance Mechanism: Establish complaint handling for AI content issues
Record Keeping: Maintain logs of AI generations as required

SSMI-Specific Requirements

AI Detection Deployment: Implement automated deepfake/synthetic media detection
Dedicated AI Compliance Team: Appoint personnel for AI content oversight
Algorithm Transparency Report: Annual publication of algorithmic parameters
User Controls: Provide opt-out mechanisms for algorithmic recommendations
Proactive Monitoring: Regular scanning for violative AI content
Government Liaison: Coordinate with MeitY on AI content issues

Timelines and Penalties

Obligation	Timeline	Non-Compliance Consequence
AI content takedown (upon order)	36 hours	Loss of safe harbour
Deepfake removal (upon complaint)	24 hours	Loss of safe harbour + penalties
Algorithm transparency report	Annual (by March 31)	Show cause notice, potential blocking
Labeling system implementation	Within 6 months of notification	Loss of safe harbour
Detection system (SSMI)	Within 12 months	Enhanced liability for undetected content

✓ Implementation Strategy

Advise clients to: (1) Conduct gap analysis against 2025 requirements, (2) Prioritize high-risk obligations (deepfake detection), (3) Implement phased compliance roadmap, (4) Document good faith compliance efforts, (5) Engage with industry associations on standards.