Law & Policy Technology Law LL.B Mania June 14, 2026 0 Comments

AI-Generated Content Liability in India: Sec 79 Safe Harbour, Deepfake Compliance under IT Amendment Rules 2026

A Comprehensive FAQ Guide for Founders and Legal Counsels

Contributed By Adv. Manvee and Ankit Kumar

Table of Contents

Introduction

India’s AI startup ecosystem has expanded faster than its liability framework. Generative text tools, AI image generators, voice-cloning platforms, deepfake tools, and autonomous content systems are now being deployed at scale, but the legal question remains unresolved: when does an AI platform remain an intermediary, and when does it become responsible for the content it helps create, modify, curate, or distribute?

The answer lies primarily in Section 79 of the Information Technology Act, 2000 (“IT Act”), which provides a conditional safe harbour to intermediaries for third-party information, data, or communication links made available or hosted by them. This protection is not automatic. It depends on the intermediary satisfying Section 79 conditions and observing due diligence under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended up to 2026.

For AI startups, Section 79 can be the most important liability shield, but only if the platform can demonstrate that it has not crossed the line from being a passive intermediary to becoming an active creator, selector, editor, or promoter of unlawful content. Its retention depends on documented, continuous compliance. Failure to maintain this compliance posture may expose the platform and, in serious cases, its founders or officers to civil claims, criminal exposure, blocking directions, regulatory scrutiny, and loss of intermediary protection.

This article answers the key questions that AI startup founders, product teams, and legal counsel are asking in 2026, i.e., when Section 79 safe harbour applies, when it may be lost, how deepfakes and synthetically generated information are regulated, and what compliance steps startups should implement before scaling.

Quick Summary: AI Liability and Section 79 Safe Harbour in India

AI startups in India may claim the Section 79 safe harbour only where they qualify as intermediaries and comply with the IT Rules, 2021. The 2026 amendments introduce specific obligations around “synthetically generated information,” including technical measures, labelling, metadata/provenance mechanisms, faster grievance timelines, and stronger due diligence for platforms enabling synthetic audio, visual, or audio-visual content. Startups dealing with deepfakes, voice cloning, AI-generated images, or synthetic videos face higher legal and compliance risk.

Part I: Section 79 Safe Harbour, Fundamentals

1. What is Section 79 safe harbour under the IT Act, 2000?

Section 79 of the Information Technology Act, 2000 grants legal immunity to ‘intermediaries’ from liability for third-party content that they transmit, host, or publish, provided certain conditions are satisfied. The provision functions on three pillars.

First, the entity must qualify as an “intermediary” under Section 2(1)(w) of the IT Act, which covers persons who receive, store or transmit electronic records on behalf of another person or provide services with respect to such records, such as telecom service providers, network service providers, internet service providers, web-hosting providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.

Second, the intermediary should not have caused the transmission, chosen the recipient, or altered the information in transit.

Third, the intermediary must observe due diligence under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and act within the prescribed timelines when it receives actual knowledge through the legally recognised channels or receives user grievances that trigger obligations under the Rules.

Section 79 immunity does not apply in all cases but only under specific conditions. An AI startup that actively curates, selects, modifies or promotes unlawful content, or fails to comply with valid takedown obligations and due diligence requirements, may lose the benefit of Section 79 protection depending on the facts.

2. Why does AI-Generated Content Liability matter for startups?

In contrast to the traditional platform, where users provide content on their own or the content provider significantly influences the content being hosted, AI-driven platforms have a model, which may itself be the source of content or have a strong influence on the content being hosted. This erases the classical distance between the intermediaries, on the one hand, and the publishers, on the other. When a generative AI tool produces defamatory text, sexually explicit imagery, or politically sensitive misinformation, whether the platform deploying that tool retains safe harbour becomes a live and contested legal question.

The regulatory dynamics are high. The harmful AI content can attract civil liability, leading to claims of damages that are well-valued in startups. The exposure of crimes under the Bharatiya Nyaya Sanhita, 2023 (“BNS”) concerning obscenity, defamation, or impersonation could lead to the imprisonment of founders and senior officers. MeitY can direct the blocking of platforms and suspension of business licences. And the loss of safe harbour in one enforcement action may come retrospectively to expose a startup to liability over years of prior content.

3. Can an AI startup claim Section 79 protection in India?

Yes, but only where the startup’s role is closer to that of a passive conduit, host or intermediary and not that of an active creator, selector, editor or promoter of unlawful content. The analysis is fact-specific and depends on product design, user flows, model behaviour, content controls, moderation practices, and the startup’s response to legally valid notices, directions, or grievances.

An AI startup that is operating a platform whereby individuals enter prompts, and the model generates output, will generally argue that:

(a) the prompt is user-generated content;

(b) the output of the model is a mechanical response to the user input, and

(c) the startup is acting as an intermediary to host third-party content.

This point has a valid justification in the current system of India, as the system was developed before the generative AI era.

Nevertheless, this argument significantly falters where the AI model actively generates content without a user request; where the start-up curates, promotes, or monetises specified model outputs; or where the start-up has been previously notified of certain harmful output categories and has not taken remedial action.

Part II: When Safe Harbour Is Lost

4. Does my AI startup lose Section 79 protection if users generate harmful content?

Not automatically. Protection is only lost where the intermediary knew of the unlawful content, received a court order or government direction to remove it, and failed to take reasonable steps to do so within a reasonable timeframe.

Under the updated Intermediary Rules, the Grievance Officer must acknowledge a complaint within 24 hours and resolve it within 7 days. Certain removal requests relating to prohibited categories under Rule 3(1)(b) must be acted upon expeditiously and resolved within 36 hours. Complaints involving private-area exposure, nudity, sexual acts, impersonation in electronic form, or artificially morphed images must be acted upon within 2 hours. Failure to comply with these timelines and due diligence obligations may weaken or defeat the platform’s claim to Section 79 safe harbour for the relevant content, conduct, or enforcement action. Whether broader platform-level liability arises will depend on the facts, the nature of non-compliance, and the platform’s role in the unlawful content. It is not enough that a user creates harmful content to lose the rights to the safe harbour; it is based on knowledge and inaction.

5. When can an AI startup lose Section 79 safe harbour?

Section 79 safe harbour may be lost, weakened or become unavailable in the following situations, depending on the facts and the platform’s role:

Active Role in Content Creation: If the AI model generates content without a user prompt, or the startup edits, curates, or selects outputs for distribution, it acts as a publisher rather than a passive intermediary. In Shreya Singhal v. Union of India (2015), the Supreme Court distinguished between actual knowledge from a court or government authority and mere constructive notice from third-party complaints; only the former triggers safe harbour loss.
Failure to Follow Due Diligence: Non-compliance with the Intermediary Rules, including failure to publish a privacy policy and user agreement, failure to appoint a Grievance Officer, or failure to act within prescribed timelines, may jeopardise safe harbour protection.
Post-Notice Inaction: For Section 79 purposes, actual knowledge should be framed around a court order or a notification/direction from the appropriate government or authorised agency. Private complaints may still trigger grievance-handling duties under the Rules, but they should not be described as automatically equivalent to statutory “actual knowledge” for loss of safe harbour. Inaction after notice is treated as constructive participation in the harm.
Design Intent: Where a startup’s founders or management are found to have designed the platform specifically to enable harm, such as a deepfake tool marketed for non-consensual intimate imagery, the entire safe harbour framework is inapplicable.
Non-Compliance with Government Orders: Failure to comply with lawful blocking, monitoring, or information-assistance directions under the IT Act can seriously jeopardise safe harbour and expose the intermediary to statutory liability. The consequence should be analysed based on the specific order, statutory provision, and nature of non-compliance.

6. What due diligence must an AI platform follow to retain Section 79 protection?

The Intermediary Rules, 2021, codify the following minimum compliance requirements:

Grievance Officer: Appointed and contact details prominently published; complaints acknowledged within 24 hours and resolved within 7 days.
Rule 3(1)(b) takedown complaints: Acted upon expeditiously and resolved within 36 hours, except for categories excluded under the Rules.
Private-area/nudity/sexual act/impersonation/morphed image complaints: Reasonable and practicable measures to remove or disable access within 2 hours.
Government/court actual knowledge under Rule 3(1)(d): Removal or disabling of access within 3 hours where the statutory conditions are met.
Preservation: Removed or disabled content and associated records preserved for 180 days for investigation purposes, or longer where required by court or lawfully authorised government agencies.
Significant Social Media Intermediary (“SSMI”): Chief Compliance Officer, Nodal Contact Person, and Resident Grievance Officer required where the platform qualifies as a significant social media intermediary. The Rules refer to the user threshold as notified by the Central Government.

Part III: What Counts as AI-Generated Content

7. What counts as AI-Generated Content?

Indian intermediary law now uses the statutory expression “synthetically generated information” in the 2026 amendments to the IT Rules. This means audio, visual, or audio-visual information that is artificially or algorithmically created, generated, modified, or altered using a computer resource in a manner that appears real, authentic, or true and depicts or portrays any individual or event in a manner that is, or is likely to be perceived as, indistinguishable from a natural person or real-world event.

The definition also excludes routine or good-faith editing, formatting, enhancement, technical correction, colour adjustment, noise reduction, transcription, compression, accessibility improvements, translation, searchability improvements, educational materials, research outputs, templates, and conceptual content, where such use does not materially alter, distort, or misrepresent the underlying content or create a false document or false electronic record.

8. What is synthetically generated information under Indian law?

The term “synthetically generated information” is defined under Rule 2(1)(wa) of the IT Rules, as inserted by the 2026 amendments. Rule 3 then builds due diligence obligations around such information where an intermediary enables or facilitates the creation, generation, modification, publication, transmission, sharing, or dissemination of synthetically generated information. Where the Rules apply, intermediaries must deploy reasonable and appropriate technical measures to prevent unlawful synthetically generated information and must label permitted synthetically generated information in the prescribed manner.

A platform that enables users to generate synthetic information without adequate labelling, watermarking, or provenance metadata risks being found to have facilitated deception. A failure to deploy reasonable technical measures, labelling, metadata, or provenance mechanisms where required may be treated as a due diligence failure and may weaken the intermediary’s claim to safe harbour.

Part IV: Deepfakes, Voice Cloning, and AI Impersonation

9. Are deepfakes covered under India’s intermediary rules?

Yes. The Intermediary Rules (Rule 3(1)(b)(vii) forbid content that impersonates another person. The 2026 amendments specifically address synthetically generated information, including content that falsely depicts or portrays a natural person or real-world event by misrepresenting a person’s identity, voice, conduct, action, or statement, or by misrepresenting an event as having occurred. Deepfakes and voice-clone content may therefore trigger due diligence obligations where they fall within these categories.

MeitY’s November 2023 Advisory added that all intermediaries should take the following steps to prevent hosting of deepfakes, disable access to deepfakes within 24 hours of being notified of a deepfake complaint, and report deepfake incidents to the CERT-In, when compared to 15 days for other complaints. MeitY advisories and public communications may be relevant to understanding regulatory expectations, but statutory obligations should be grounded primarily in the IT Act and the Intermediary Rules, as amended.

10. Do I need to label AI-generated content on my platform?

Yes, where the platform enables or facilitates synthetically generated information covered by the 2026 amendments. The Rules require reasonable technical measures to prevent unlawful synthetically generated information and require permitted synthetically generated information to be prominently labelled, with metadata or other appropriate technical provenance mechanisms to the extent technically feasible. MeitY’s deepfake advisory outlines the need for platforms to have technical safeguards, metadata tags, watermarks, or provenance systems to allow identification of AI-generated content.

This is a product-level requirement for startups; Any platform that enables the creation, generation, modification, publication, transmission, sharing, or dissemination of covered synthetically generated audio, visual, or audio-visual information should assess whether labelling, metadata, provenance, and technical safeguard obligations apply. Text-only AI outputs should be analysed separately, because the 2026 definition of synthetically generated information is framed around audio, visual, or audio-visual information.

11. What is the takedown timeline for AI-generated content or deepfakes?

Content Category	Timeline
*General user grievances*	Acknowledge within 24 hours; resolve within 7 days.
*Rule 3(1)(b) prohibited-content removal requests*	Resolve within 36 hours, except for excluded categories under the Rules.
*Private-area exposure, nudity, sexual act, impersonation in electronic form, including artificially morphed images*	Remove or disable access within 2 hours from complaint.
*Government/court actual knowledge under Rule 3(1)(d)*	Remove or disable access within 3 hours where the statutory conditions are met.
*Court orders*	Follow the timeline specified in the order, subject to the Rules and applicable law.

12. Can I be criminally liable for deepfakes created by users on my platform?

In theory, yes, if the startup had actual knowledge and failed to take any action, and there is evidence of design intent. Section 66E of the IT Act prescribes up to three years’ imprisonment for capturing or transmitting pictures of the private parts of a person without his consent. Defamatory deepfakes may attract criminal defamation under Section 356 of the Bharatiya Nyaya Sanhita, 2023. Non-consensual intimate imagery or voyeuristic deepfake content may also raise exposure under Section 77 of the BNS, depending on the facts, and Sections 66E, 67, and 67A of the IT Act may apply where private images or sexually explicit material are captured, published, or transmitted electronically.

The criminal liability of platforms for AI-generated content is not yet finalised in Indian courts, but the liability is real, escalating, and it is important for founders to consider every complaint received as a potential criminal trigger and take prompt action.

Part V: Classification, Intermediary, Publisher, or Model Provider?

13. Is my AI startup an intermediary, publisher, SaaS provider, or model provider?

It is the most important classification question that an AI startup will encounter. Under Indian law, the key distinction is not simply between “intermediary” and “publisher,” but between a platform that qualifies for conditional Section 79 safe harbour and an entity that plays an active role in creating, selecting, modifying, curating, promoting, or publishing the content. AI startups should assess their role functionally, based on product design and actual control over outputs.

In general, a SaaS provider running a third-party AI model and giving users access to interact with the AI will be considered an intermediary as long as the SaaS startup does not change the output from the AI or select which output to show the user.

A model provider that trains, develops and deploys its own foundational AI model is in a more contested position. Indian law has not yet conclusively determined when model-generated output should be treated as third-party information, platform-generated content or publisher-controlled content.

Until there is clearer statutory or judicial guidance, foundational model providers should assume higher compliance risk and maintain stronger safeguards, logging, labelling, abuse-prevention and grievance-handling systems.

Startup Type	Liability Risk	Safe Harbour Availability
AI SaaS (third-party model)	Lowest	Strong, if due diligence was met
AI Platform (user prompts + model output)	Medium	Available with robust compliance
AI Content Publisher (curates model outputs)	High	Weak, may be treated as a publisher
Foundational Model Provider	Highest	Contested, pending Digital India Act
Deepfake / Voice-clone Tool Provider	Extreme	Likely lost by design intent

14. What is a Significant Social Media Intermediary, and does my startup qualify?

A Significant Social Media Intermediary (“SSMI”) is a social media intermediary having registered users in India above the threshold notified by the Central Government. SSMIs face materially enhanced obligations, including: (1) appointment of a Resident Grievance Officer, (2) Chief Compliance Officer, and (3) Nodal Contact Person (all Indian residents); (4) monthly transparency reports; and (5) for messaging platforms, the ability to identify the first originator of specified messages.

The SSMI threshold is a key growth-stage trigger. If an AI platform crosses the notified user threshold and qualifies as a significant social media intermediary, it must implement the additional obligations applicable to SSMIs, including appointment of required officers, transparency reporting, and other Rule 4 obligations. Non-compliance may jeopardise safe harbour and create regulatory exposure.

Part VI: DPDP Act, Training Data, and Voice-AI Liability

15. Does the DPDP Act apply to AI training data involving Indian users?

Yes. The Digital Personal Data Protection Act, 2023 (“DPDP Act”) covers the processing of digital personal data located in India, as well as outside of India when processing is connected with providing goods or services to persons in India. AI model training may constitute ‘processing’ under Section 2(x), as it involves the collection, storage, adaptation, and use of personal data.

An AI Startup that collects Indian user information from social media, uses transactional records, health data, or behavioural data of Indian users, or trains an AI model with information that can identify the Indian users, is considered a Data Fiduciary under the DPDP Act.

16. Can an AI startup legally train models on publicly available Indian user data?

This is one of the most contested questions in Indian AI law. The DPDP Act does not treat all publicly accessible personal data in the same way. Personal data that is made or caused to be made publicly available by the Data Principal, or by another person under a legal obligation to make it publicly available, is excluded from the application of the DPDP Act. However, AI startups should not assume that every publicly accessible dataset is automatically exempt. The source of publication, the purpose of processing, the nature of the data, platform terms, copyright, confidentiality, sectoral restrictions, and privacy expectations must still be assessed before using such data for AI training.

Where the dataset includes sensitive categories under existing SPDI Rules, confidential information, scraped platform data, children’s data, voice/image data, or data obtained in breach of website terms or contractual restrictions, separate legal risks may arise even if some information is publicly accessible. For AI training, startups should maintain dataset provenance records, document lawful basis/consent analysis where applicable, and remove or minimise personal data wherever possible.

17. Can my voice-AI startup be held liable for cloning someone’s voice without consent?

Yes, on multiple grounds simultaneously. Voice cloning without consent engages the following:

Right to Privacy (Article 21): In Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, the Supreme Court held that informational privacy includes a person’s control over their own biometric and identity data. A voice synthesised from a person’s recordings without consent violates this right.
DPDP Act, 2023: Voice recordings or voiceprints may constitute personal data where they identify or relate to an identifiable individual. Where voice data is used for authentication, identification, impersonation, profiling, or model training, startups should assess privacy, consent, contractual, and personality-rights risks carefully. Training a voice-cloning model on a person’s voice recordings constitutes processing of personal, and potentially sensitive, data.
Copyright Act, 1957: A performer’s right under Section 38A includes the right to prevent reproduction of their performance without consent. Training a voice model on a public figure’s speeches without a licence raises performers’ rights issues.
Bharatiya Nyaya Sanhita (“BNS”) Provisions: Using a cloned voice to impersonate someone for financial gain constitutes criminal cheating under Section 318 BNS; using it to cause defamation engages Section 356 BNS.

Part VII: Bias, Enterprise Misuse, and Disclaimers

18. Who is liable when an AI model produces biased outputs that harm a user?

India does not yet have an algorithmic accountability statute. The liability for harm caused by AI bias needs to be assessed under both tort law and consumer protection law. Under the Consumer Protection Act, 2019, an AI-powered service that causes harm due to a ‘defect in service’ can trigger a consumer forum claim. Section 2(11) defines ‘defect in service’ to include any imperfection or shortcoming in quality or performance.

Let’s state a hypothetical scenario, An AI system systematically denying credit to people in certain areas, routinely excluding females from job opportunities, or underdiagnosing diseases in specific populations could potentially constitute a consumer protection violation. The proposed liability chain would run from the harmed user to the startup deploying the model, and possibly extend to the foundational model provider whose model contained the bias, particularly where the bias was foreseeable, and remediation was not attempted after notice. However, this liability framework remains untested in Indian courts.

19. If my AI SaaS product is used by an enterprise that causes harm, am I liable?

The liability of the SaaS provider will be based on the contractual risk allocation, the extent of control over enterprise use, and whether the startup was informed of specific harmful use cases. Where the enterprise uses the tool in a manner expressly prohibited by the Terms of Service, and the SaaS provider had no actual knowledge of the misuse, the SaaS provider is likely protected. Enterprise contracts should also cover: a clear definition of the use cases allowed; a clause of indemnity in case of misuse; representations of the enterprise that all required consents have been acquired; and audit rights for the SaaS provider.

20. Can disclaimers protect my AI startup from liability?

Disclaimers can limit, but not completely extinguish, potential liability. An indemnity clause in a contract to be held harmless for their own fraud or gross negligence is illegal and unenforceable as a matter of public policy under Section 23 of the Indian Contract Act, 1872. Disclaimers work best when they clearly and accurately describe the limitations of the AI system, are explicitly displayed and accepted by the user at sign-up, supported by actual technical measures, and explicitly reflected in platform usage. If a disclaimer is in conflict with the start-up’s commercial message, which may be a “for entertainment purposes only” statement on a product advertised as a professional decision support tool, courts will ignore it.

Part VIII: Regulatory Landscape, Current and Future

21. Do Indian AI startups need government approval before launching an AI model?

As of now, India doesn’t have a blanket pre-launch regulatory clearance process for AI models. India does not currently have a general pre-launch approval requirement for all AI models. However, AI startups should monitor MeitY advisories, sectoral regulator guidance, and the IT Rules, especially where the model enables synthetic audio, visual, or audio-visual content, misinformation, impersonation, deepfakes, or high-risk use cases.

But regulators across sectors have their own requirements. AI models deployed in the credit and banking sector, such as those used by the RBI in lending and credit scoring; the insurance sector, like the IRDAI in insurance underwriting; the medical field, like the CDSCO in medical diagnosis; and the securities market, like the SEBI in securities trading, need to follow sector-specific AI guidance, many of which contain pre-deployment testing, explainability and audit requirements. In regulated industries, regulators’ AI guidance should be considered pre-launch criteria for founders.

Part IX: Practical Examples

Scenario 1: AI Chatbot Platform, User-Generated Harmful Content

A startup in Bengaluru has a general-purpose AI chatbot that enables Indian users to access it through a mobile application. The user manages to successfully instruct the chatbot to generate instructions for the synthesis of a hazardous substance. The user is able to successfully give instructions to the chatbot for the synthesis of a hazardous substance. A public interest organisation finds out about the material and issues a legal notice to the startup’s Grievance Officer.

Analysis: A private legal notice by itself should not be treated as statutory “actual knowledge” for Section 79 purposes in the same way as a court order or government direction. However, it may still trigger grievance-handling and risk-review obligations. The startup should acknowledge the complaint within 24 hours, assess whether the output falls within a prohibited category, preserve relevant logs, disable access where required, and update safety filters. If a valid court order or government direction is received, the platform must act within the applicable statutory timeline.

Scenario 2: Deepfake Video Generator, Non-Consensual Intimate Imagery

A Mumbai-based start-up provides a video face swap tool in a freemium model. It is used by several people to produce nude pictures of actual people without their consent. Within a week, the startup gets three complaints from victims.

Analysis: The startup faces high safe harbour and criminal-law risk. A face-swap tool that predictably enables non-consensual intimate imagery may be viewed as creating foreseeable harm, especially if safeguards are weak. Upon receiving complaints involving private-area exposure, nudity, sexual acts, impersonation in electronic form or artificially morphed images, the platform must take reasonable and practicable measures to remove or disable access within the applicable 2-hour timeline. Depending on the facts, exposure may arise under the IT Act and BNS provisions relating to privacy, sexually explicit material, voyeuristic content, impersonation, cheating or defamation.

Scenario 3: AI Credit Scoring SaaS, Bias in Fintech Deployment

A startup in Hyderabad provides an NBFC with a SaaS contract for an AI credit scoring model. A Hyderabad-based startup enters into a SaaS contract with an NBFC for its AI credit scoring model. There is a systematic geographic bias in the model, leading to the exclusion of borrowers from some states. Complaints of affected borrowers are lodged with the RBI Ombudsman.

Analysis: NBFC is the primary regulatory target, AI Startup has contractual liability if the SaaS agreement requires the model to be accurate or fair, product liability under consumer protection law if the model is a ‘defective product’ and regulatory exposure in the event RBI’s AI guidelines mandate the model to be tested for bias before deployment.

Founder Compliance Checklist | LL.B Mania

Interactive compliance tool

Founder Compliance Checklist

Track foundational, operational, growth-stage, and enterprise compliance actions for AI startups seeking to preserve intermediary protection and manage regulatory risk.

Publish Terms of Service prohibiting unlawful content categories under Rule 3(1)(b) of the Intermediary Rules.High priority Publish a Privacy Policy aligned with applicable DPDP Act commencement and transition requirements.High priority Appoint and prominently publish a Grievance Officer, including name, designation, and contact details.High priority Implement labelling, metadata, provenance, or watermarking for covered synthetic audio, visual, or audio-visual information; separately assess disclosures for text-only outputs.High priority Prepare and maintain an internal legal memo documenting the platform’s intermediary classification and legal basis.Medium

Maintain a Grievance Register with timestamps for receipt, acknowledgement, action, and resolution.High priority Map rapid-response workflows to applicable timelines: 24-hour acknowledgement, 7-day grievance resolution, 36-hour prohibited-content action where applicable, 2-hour action for specified intimate or impersonation content, and 3-hour action for valid Rule 3(1)(d) actual-knowledge cases.High priority Conduct quarterly reviews of model outputs for emerging harmful use cases not covered by existing safety filters.Ongoing Maintain audit trails for moderation decisions, takedowns, restorations, and rejected complaints in line with applicable legal retention requirements.Ongoing Brief engineering teams on the legal impact of model updates, including regressions that bypass existing safeguards.Medium

Monitor registered-user counts against the notified SSMI threshold and begin compliance preparation before crossing it.Medium Appoint a Chief Compliance Officer, Nodal Contact Person, and Resident Grievance Officer before SSMI obligations become applicable.High priority Begin monthly transparency reporting when the platform becomes subject to SSMI requirements.High priority Conduct a future-law readiness review when any replacement digital-law framework is formally introduced or tabled.Medium Map training-data and personal-data compliance against officially notified DPDP commencement and transition timelines.Ongoing

Define permitted and prohibited use cases clearly in enterprise SaaS contracts.High priority Include appropriate indemnity provisions addressing enterprise misuse, subject to applicable law and negotiated risk allocation.High priority Require representations and warranties that enterprise clients have obtained necessary rights, notices, consents, and approvals.Medium Retain audit or assurance rights to verify compliance with permitted-use restrictions.Medium For fintech, healthtech, edtech, and other regulated deployments, complete a sector-specific legal and regulatory review before launch.High priority

Part XI: Common Mistakes AI Startups Make That Can Risk Safe Harbour

Mistake	Why It Risks Safe Harbour	Remediation
No Grievance Officer appointed or published.	Violates Rule 3(2) for intermediaries; SSMIs and online gaming intermediaries have additional Rule 4 obligations.	Appoint, publish name and email on the platform
Grievance Officer outside India (for SSMIs)	Violates residency requirement under Rule 4(1)(a)	Appoint an Indian resident officer
No labelling/provenance mechanism for covered synthetically generated information	May violate 2026 IT Rules where the platform enables or facilitates covered synthetic audio, visual or audio-visual information.	Implement a watermark or metadata system at the output stage
Ignoring private-area, nudity, sexual act, impersonation, or artificially morphed image complaints beyond the applicable 2-hour timeline	Voids safe harbour; creates criminal exposure for founders	Implement a 24-hour deepfake triage protocol
Training on Indian user data without consent	DPDP Act violation from May 2027; current SPDI Rule violation for sensitive data	Audit training datasets; obtain consent or remove personal data
Disclaimer contradicts commercial positioning.	Disclaimer disregarded; product liability applies	Align disclaimers with the actual use case and marketing
No safeguards in enterprise SaaS contracts	Startup bears liability for enterprise misuse	Add permitted use, indemnity, and audit rights clauses
Failure to update safety filters after a harmful use case is identified	Post-knowledge inaction voids safe harbour	Implement rapid response protocol for safety filter updates
Crossing the SSMI threshold without SSMI compliance	Safe harbour void from the date of threshold crossing	Begin SSMI preparation at 3 million users
No sector-regulator compliance in fintech or healthtech deployment	Regulatory action independent of safe harbour analysis	Conduct sector-specific AI compliance review before launch

Conclusion

Section 79 safe harbour is not a passive protection that AI startups inherit by default. It is an active compliance posture that must be built, maintained, and defended with the same rigour applied to product development and fundraising. India’s intermediary liability framework was designed for a world of static content platforms; its application to generative AI, where the platform itself is the content creator, is still being worked out by courts, regulators, and the legislature.

The coming years will be decisive. If enacted, a future Digital India Act may create a more specific liability architecture for AI developers, deployers, intermediaries, and model providers. The DPDP Act will impose consent obligations on training data that many startups have not yet addressed. Several deepfake and labelling concerns are already reflected in the 2026 amendments to the Intermediary Rules, particularly through obligations relating to synthetically generated information, labelling, metadata, and grievance response timelines. And Indian courts will begin deciding, for the first time, whether an AI model that generates harmful content by design is an intermediary at all.

AI startups that treat compliance as infrastructure, embedding grievance mechanisms, content labelling, data governance, and contractual safeguards into their products from day one, will retain safe harbour and scale responsibly. Those who treat Section 79 as a legal afterthought will find, when the first enforcement action arrives, that their shield was never really there.

Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Section 79 safe harbour, intermediary status and AI-related liability depend on the platform’s actual role, product design, technical controls, user flows, moderation practices, knowledge of unlawful content, compliance with applicable orders or directions, and adherence to statutory due diligence obligations. AI startups should obtain legal advice before launching or scaling products involving synthetic media, deepfakes, voice cloning, automated content generation, training datasets, or high-risk enterprise use cases.

Author

LL.B Mania

Post Views: 10