Regulation August 14, 2024

Deepfake laws: Global regulations in the digital age

profile picture Amba Karsondas 12 min read
Image of a person whose face is being checked to see whether or not it is a computer generated image

If someone said the word ‘deepfake’ just a decade ago, nobody would know what they were talking about. The term hadn’t been coined and the technology as we know it hadn’t yet been created. Fast forward to the present day and it seems as though deepfakes are everywhere.

However, their explosive and widespread prevalence has highlighted some serious problems. In response, regulatory bodies are beginning to pass laws to combat these issues, but they’re competing against the rapid evolution of the technology.

This article gives a snapshot of some of the laws around the world aiming to regulate the creation and deployment of deepfakes.

 

What are deepfakes?

Deepfakes are digitally altered photos, videos or audio that appear incredibly realistic. They’re designed to make it seem as though someone is saying or doing something that they never actually said or did.

The process of creating a deepfake involves feeding a computer program with existing images, videos or audio of a particular person. The program uses this data to analyse the person’s facial expressions, movements and voice patterns. Once the program has enough data, it can create new photos or videos of that person that appear real.

 

Why are deepfakes being regulated?

In some cases, deepfakes can be harmless. A video of your dog talking is bound to be entertaining. On a more serious note, they can be used in medical research, to help deliver educational lessons or to assist people in expressing themselves through avatars.

However, they can also be used for malicious purposes such as:

  • spreading misinformation
  • manipulating political events or speeches
  • stigmatising already marginalised communities
  • creating fake videos of people engaging in unethical or illegal activities
  • harassing or demeaning individuals
  • exploiting people, such as through the creation of revenge porn
  • impersonating influential figures to spread hate speech

Since deepfakes are so realistic, they’re often very difficult to detect. And the increasing availability of deepfake technology is making it easier for individuals with harmful intentions to create convincing fake content. There have been several stories of people falling victim to deepfakes, such as an employee who was tricked into sending $25 million to fraudsters. They’re also being used to generate explicit content of people without their consent as well as produce child sexual abuse imagery

This poses a serious threat to society as it becomes harder to distinguish between what’s real and what’s fake. In turn, this raises concerns about the potential impact of deepfakes on our trust in media, politics and society as a whole.

As a result, regulatory bodies around the world are racing to introduce effective legislation – but this isn’t without challenges.

 

Why are deepfakes hard to regulate?

  • Definition – It’s difficult to create a distinction between editing media using photo-editing tools (such as de-aging software) and using AI to generate realistic but fictional images.
  • Technological complexity – Deepfakes are created using advanced AI algorithms that can generate highly realistic videos or images. This technology is constantly evolving, making it tough for regulators to keep up with new developments.
  • Difficulty of detection – Deepfakes are becoming increasingly difficult to detect. Often, they’re almost indistinguishable from genuine videos or images. This makes it difficult to identify and remove deepfakes from online platforms.
  • Lack of universal standards – There are currently no universal standards or guidelines for the creation and dissemination of deepfakes. This lack of regulation makes it difficult to establish clear rules for how deepfakes should be used and shared.
  • Global nature of the internet – The internet allows deepfakes to be shared and disseminated across borders. Therefore, it’s challenging for national regulators to enforce deepfake laws on a global scale.

Here’s some deepfake laws that have been passed so far.

 

How are deepfakes being regulated?

Deepfake laws: United States

Federal laws

In the US, there are currently no federal laws that comprehensively regulate AI or deepfakes. There are some federal laws, such as the National AI Initiative Act of 2020, which regulate the use of AI in particular industries, but these have very limited applications.

 

State laws

As a result, some, but not all, states have attempted to fill the regulatory void by enacting state-level initiatives. Since each state passes its own laws, there is significant variation in what constitutes an offence, when the use of deepfakes is prohibited and the penalties for non-compliance.

Notably, California passed AB 602, which addresses non-consensual deepfake sexual content. The law, which went into effect in 2022, states that a person can take action against a person who:

  • creates and intentionally discloses sexually explicit material where the person knows or reasonably should have known the depicted individual did not consent to its creation or disclosure
  • intentionally discloses sexually explicit material that the person did not create if the person knows the depicted individual did not consent to its creation

This includes content which has been digitally manipulated. 

Earlier this year, the Colorado AI Act was signed into law. It’s the first law in the US to comprehensively impose obligations on developers and deployers of AI systems. “High-risk AI systems” and deepfakes are amongst some of the concerns addressed by the Act.

Other states such as Louisiana and Florida have criminalised deepfakes that show minors engaging in sexual conduct. States such as Oregon require a disclosure of the use of synthetic media in election campaign communications. Alternatively, Tennessee and Mississippi have legislated more broadly against “the unauthorised creation and distribution of a person’s photograph, voice, or likeness”.

Alongside these laws which explicitly mention deepfakes, some states may have existing defamation and privacy laws. For example, California’s Right of Publicity Law protects against the implicit use of an individual’s name or likeness but only when it is used for commercial purposes. Though this may be relevant in some cases, it does not cover non-commercial uses of deepfakes such as revenge porn or election communications.

State-level defamation laws may also be able to provide some recourse for victims of deepfakes. However many defamation laws in the US rely on the victim being able to prove that the false information – in this case, the deepfake – has been presented as a fact. Additionally, it should be noted that many defamation laws only refer to false statements, rather than false images or videos. Defamation laws also rely on the victim being able to demonstrate that their reputation has been harmed.

 

Deepfake laws: EU

This month, the EU’s AI Act entered into force. Hailed as a landmark piece of legislation, the Act is the first of its kind in the world to address AI systems. The Act splits AI systems into four risk categories: unacceptable risk, high-risk, limited risk and minimal or no risk.

The AI Act does not ban deepfakes completely but instead places obligations on providers and users of AI systems. This includes those concerning transparency, which ensure that the origins of deepfakes are traceable. For example, providers must maintain records of their processes and data when generating deepfakes. Providers are also required to make users aware of when they’re interacting with AI content.

In certain high-risk contexts, such as those that have a “significant impact” on individuals, AI systems may be subject to more stringent legislation. One example is a prohibition on using deepfakes to facilitate illegal surveillance.

The AI Act applies to almost all sectors across the EU. It affects all parties involved in the development, usage, import, distribution or manufacturing of AI systems in the EU. However, some individual countries within the EU have also passed their own laws.

Similarly to the UK, the EU’s GDPR plays a significant role in regulating deepfakes. If a person’s personal data, which includes images of them, is processed without their consent, then this could be considered a violation of the legislation.

 

Deepfake laws: France

Alongside the various laws passed by the EU, France is one example of a country which has passed additional national legislation.

In May this year, France passed the SREN law which supplements Article 226-8 of the French Criminal Code. The law aims to regulate the digital environment, protect children from online pornography and combat online fraud. As part of the SREN Law, France explicitly prohibits the non-consensual sharing of deepfake content unless it’s obvious that the content is artificially generated.

France has also updated its Criminal Code to include clauses about deepfakes. Though revenge porn was already outlawed in France, the new provisions specifically criminalise the sharing of non-consensual pornographic deepfakes.

 

Deepfake laws: United Kingdom

As it stands, the UK does not have any specific laws about deepfakes. However, some existing laws may be applicable to resolve disputes concerning deepfakes.

Under UK GDPR and the Data Protection Act 2018, a person could claim that their personal data has been misused. ‘Personal data’ means any information relating to an identified or identifiable natural person. Therefore, an image of a person is classed as personal data because a person can be identified through it.

If this data has been ‘processed’, then a deepfake could fall foul of this data protection legislation. ‘Processing’ is defined as any operation or set of operations which is performed on personal data, including “adaptation or alteration”.

Alternatively, a person whose likeness is used to create a deepfake may feel that their reputation has been damaged. If so, they may be able to sue the person responsible under the Defamation Act 2013. The ‘person responsible’ could be the creator of the deepfake but also the editor, publisher or printer. However, since deepfakes are often posted anonymously, finding the person responsible is often a very difficult, if not impossible, task. Additionally, under the Defamation Act 2013, there is only a case if “serious harm” is caused to the individual’s reputation. 

The Online Safety Act, passed earlier this year, contains provisions to tackle revenge porn. It makes the sharing of non-consensual intimate images an offence. This includes images which have been digitally altered.

96% of deepfake material online is pornographic and the overwhelming majority of non-consensual pornography targets women and girls. The newly-elected UK government has announced that they will “provide a stronger, specialist response to violence against women and girls”. They have also announced that they are working on legislation to regulate AI models to improve AI safety.

It’s worth noting that at the time of writing, the new government has only just been formed. Therefore, we’ll be keeping a close eye on developments and will update this blog as more information is given.

 

Deepfake laws: Australia

Australia has not passed any laws specifically about deepfakes. However, in June this year, it introduced the Criminal Code Amendment (Deepfake Sexual Material) Bill. The bill aims to make it an offence to share sexual material which depicts (or appears to depict) another person when:

  • the person knows the other person does not consent to the transmission; or
  • the person is reckless as to whether the other person consents to the transmission.

It applies to both material which has been digitally altered, such as deepfakes, and unaltered material. This is part of Australia’s wider agenda to tackle gender-based violence.

Additionally, victims of deepfakes may be able to seek redress under Australia’s defamation laws. Though many defamation laws around the world tend to focus on spoken or written words, Australia’s legislation recognises that images, including those which have been digitally altered, can also be defamatory. However, it should be noted that for defamation cases, Australian courts don’t often grant injunctions. Therefore, though victims may be able to receive compensation, it’s much more difficult to have the deepfakes removed.

 

The war against deepfakes

We’re at a crucial point where legislative bodies across the world are introducing and passing laws to address the challenges posed by deepfake technology. And the current trajectory suggests that we’ll continue to see fast-paced development of legislation globally.

It’s clear that we’ve got a long way to go to protect those who are victims of deepfakes. But by establishing clear guidelines for the creation and sharing of deepfakes, regulators can take steps to protect individuals and society as a whole against such a rapidly evolving sector.

Alongside regulation, we believe that user-generated content platforms should gain explicit consent from their users at the point that they upload a piece of content. As part of this process, platforms should ensure that the person uploading the content is the same person in the image.

If a person attempts to upload a deepfake image or video of someone else, the person in the content would not provide their consent. This would help prevent the spread of misinformation and could help mitigate non-consensual, intimate imagery of real people.

If you’d like to know more about how we’re helping to detect deepfakes, please get in touch or take a look at our white paper.

Please note this blog has been prepared for information purposes only. You should always seek independent legal advice.

Keep reading

Image of a young girl looking at her mobile phone. The accompanying text reads "Kids Online Safety and Privacy Act - United States".
Articles July 31, 2024

Understanding the Kids Online Safety and Privacy Act (KOSPA)

From the UK’s Online Safety Act to Europe’s Digital Services Act, we’re in an era of increasing online safety regulation. In the US, the Kids Online Safety and Privacy Act (KOSPA) is a landmark piece of legislation, passed in the Senate on 30th July 2024.  KOSPA is a legislative package that merges two bills – the Kids Online Safety Act and the Children’s and Teens Online Privacy Protection Act (also known as COPPA 2.0).  This blog looks at some of the requirements of KOSPA and what this means for companies.   What is the purpose of KOSPA? KOSPA is

#regulation
Rachael Trotman Rachael Trotman
7 min read
Articles July 25, 2024

Yoti calls on new government to update legislation, support digital IDs and prioritise online safety

As the new government looks ahead and plans what details to include in the new laws mentioned in the King’s Speech, we have outlined some key focus areas where leveraging technology at relatively low cost can unlock digital transformation in the UK and accelerate economic growth.   Updating the Mandatory Licensing Conditions  Whilst it’s encouraging to see the new government intends to introduce a new law protecting retail staff from verbal and physical abuse, prevention is better than cure and retailers all confirm that checking age is one of the events that triggers abuse. We urge the new government

#regulation
Rachael Trotman Rachael Trotman
8 min read
Image of a man holding his mobile phone in one hand and a driving licence in the other hand. The accompanying text reads "Digital Information and Smart Data Bill - United Kingdom".
Articles July 18, 2024

Understanding the Digital Information and Smart Data Bill

This blog was updated in July 2024, following the General Election and the King’s Speech which announced the new Digital Information and Smart Data Bill (DISD). The government has committed to introducing the Bill, which aims to harness the power of data for economic growth, including setting up a regulatory framework for digital identities in the UK.  We will update this blog once the government has shared further information about this new Bill. Below is a summary of what we know so far.  For now, we have also included the previous blog content on the former Data Protection and

#digital id#regulation
Rachael Trotman Rachael Trotman
9 min read