COMPILATION ANALYSIS

Deepfakes Regulation Across APAC 2026

Comparative analysis of deepfake regulatory frameworks across Australia, South Korea, Japan, Singapore, and India—exploring divergent legal approaches to detection, disclosure, and misuse enforcement.

Z-M Editorial·Director·7 min read·Insight & Analysis

Executive Summary

Deepfake regulation across Asia-Pacific remains fragmented. Australia's Online Safety Act targets non-consensual intimate imagery and election-related disinformation; South Korea criminalises sexual deepfakes; Japan emphasises voluntary industry compliance; Singapore treats deepfakes as a privacy and defamation matter; India's new DPDP Act creates strict data-use controls. None align fully. For organisations operating cross-border, compliance exposure rises with each additional jurisdiction, creating operational friction and legal uncertainty.

Australia: Online Safety Act Approach

The Australian Communications and Media Authority (ACMA) enforces the Online Safety Act 2021 [Source: ACMA Online Safety Determination, 2022]. The Act treats deepfakes primarily as a non-consensual intimate imagery (NCII) problem and as vectors for election misinformation.

Under Schedule 7, ACMA can issue removal notices for:

  • Intimate images created or modified without consent
  • Deepfakes used to influence federal elections
  • Content foreseeably likely to cause serious harm

Removal timeframes are 24 hours. Civil penalties reach AUD $555,000 for individuals, AUD $11.1 million for corporations. Criminal penalties for possession and distribution of NCII reach 15 years imprisonment.

However, the Act does not mandate technological detection standards or labelling requirements. ACMA relies on report-driven enforcement, placing the onus on users and platforms to flag suspect content. The definition of "intimate" remains constrained to sexualised imagery, leaving political deepfakes, defamatory synthetic identities, and commercial fraud largely unaddressed unless they intersect with election messaging.

South Korea: Criminalisation of Sexual Deepfakes

South Korea's amendment to the Personal Information Protection Act (PIPA) in 2022 [Source: Korea Personal Data Protection Commission, Amendment Guidance, 2022] introduced explicit penalties for non-consensual deepfake production and distribution. South Korea also enacted the Act on Special Cases Concerning the Punishment of Sexual Crimes (amended 2023), which criminalises the creation and distribution of synthetic sexual imagery.

Penalties include:

  • Imprisonment: up to 5 years
  • Fines: up to KRW 50 million (approx. AUD $55,000)

Notably, the law does not require intent to defame or profit—mere creation and sharing of non-consensual sexual deepfakes is criminal regardless of motive. South Korea has also established dedicated task forces within the National Police Agency and the Digital Crimes Investigation Division to investigate deepfake production and distribution.

However, political and commercial deepfakes fall outside the sexual-crimes remit. The Korean Framework Act on National Intelligence (2023) created a nascent regulatory layer for AI-generated election content, but enforcement remains unclear and primarily civil (defamation claims under general tort law).

Japan: Voluntary Industry Guidelines and Self-Regulation

Japan's AI Guidelines for Business and Society, released by the Ministry of Economy, Trade and Industry (METI) in 2023 [Source: METI AI Governance Framework, 2023], adopts a lighter regulatory touch. Rather than criminalisation, METI encourages industry—broadcasters, publishers, platforms—to adopt transparency and disclosure norms.

Key principles:

  • Transparency: content creators should disclose use of synthetic media
  • Stakeholder engagement: industry groups (Japan Broadcasting Corporation, publishing associations) should develop labelling standards
  • Harm assessment: voluntary impact reviews before deploying AI-generated content

Japan's legal framework relies on existing Defamation Law (Criminal Code Article 230) and Copyright Law (which treats unauthorised face-synthesis as potential infringement). However, neither statute explicitly addresses deepfakes. Criminal defamation requires proof of falsity and intent to harm reputation—a high bar for AI-generated content of public figures.

Japan's approach reflects cultural preference for consensus-driven regulation and reputational accountability over statutory penalties. Compliance is industry-driven; enforcement is fragmented.

Singapore: Privacy and Defamation Nexus

Singapore's Personal Data Protection Act (PDPA) 2021 [Source: Singapore PDPC Guidance on AI and Data Protection, 2024] does not explicitly regulate deepfakes. However, the PDPC has signalled that misuse of biometric data or synthetic facial replicas constitutes unauthorised processing of personal data, triggering PDPA liability.

Additionally, Singapore's Defamation Law (common law inherited from UK precedent) provides civil recourse. The Protection from Harassment Act (2014) criminalises harassment via communication, including deepfakes intended to harass or alarm. Penalties: up to 6 months imprisonment and SGD $5,000 fine.

Singapore's Online Safety (Miscellaneous Amendments) Act 2023 [Source: Singapore IMDA Online Safety Roadmap, 2024] introduced provisions allowing the Infocomm Media Development Authority (IMDA) to require platform removal of content that causes public disorder or community harm. Deepfakes could trigger this power if deemed to incite religious or communal violence.

Enforcement remains complaints-driven and fact-specific. There is no dedicated statutory offense for deepfakes, and no algorithmic labelling requirement.

India: Data Protection as a Control Vector

India's Digital Personal Data Protection Act (DPDP) 2023 [Source: Data Protection Board of India, Rules on Biometric Data, 2024] takes an indirect approach: it does not criminalise deepfakes, but restricts how biometric data (facial images, fingerprints) can be processed and shared. This creates upstream friction for deepfake creation.

Under the DPDP:

  • Collection of biometric data requires explicit, specific consent
  • Cross-border transfer requires additional compliance (data localisation in India)
  • Penalties for unauthorised processing: INR 10 crore (approx. AUD $1.8 million) or 3% of annual turnover (whichever is higher)

The DPDP does not regulate synthetic content per se, but it constrains the legal data pipelines used to train facial synthesis models. This creates a chilling effect on commercial deepfake production targeting Indian populations.

Additionally, India's Information Technology Act 2000 (Section 67) criminalises publication of sexually explicit material. Courts have begun interpreting this to include synthetic sexual imagery, though case law is still developing. Criminal penalties: up to 5 years imprisonment and INR 10 lakh (approx. AUD $18,000) fine.

Comparative Matrix: Regulatory Gaps and Overlaps

| Jurisdiction | Primary Tool | Detection Mandate | Labelling Requirement | Criminal Penalties | Enforcement Body |
|---|---|---|---|---|---|
| Australia | Online Safety Act | None (report-driven) | No | 15 years (NCII) | ACMA |
| South Korea | Special Crimes Act 2023 | None | No | 5 years (sexual) | National Police Agency |
| Japan | METI Guidelines | Voluntary | Voluntary | Defamation only (uncertain) | Industry self-regulation |
| Singapore | PDPA + Defamation Law | None | No | 6 months (harassment) | PDPC, Courts |
| India | DPDP + IT Act 2000 | None | No | 5 years (sexual content) | Data Protection Board |

Regulatory Tensions and Inconsistencies

Detection and Proof: No jurisdiction mandates algorithmic detection or watermarking of deepfakes. Enforcement depends on user complaints and manual review. This creates asymmetric exposure—a deepfake may circulate widely before removal. Intent vs. Outcome: Australian, Singaporean, and Indian frameworks require intent or likelihood of harm. South Korean and Japanese laws are less prescriptive about harm but more prescriptive about categories of conduct (sexual imagery, election speech). This creates conflicting incentives for platforms operating multi-jurisdictionally. Cross-Border Liability: A deepfake created in Singapore, hosted on a server in Australia, accessed by users in South Korea and India creates overlapping regulatory claims. No coordination mechanism exists. Platforms typically adopt the highest standard (South Korea's criminal bar) to minimise risk, creating de facto harmonisation toward strictness. Synthetic Identity and Fraud: None of the five jurisdictions explicitly regulate deepfakes used for financial or identity fraud (account takeover, loan application falsification, credential spoofing). These conduct categories fall into generic fraud, forgery, or cybercrime statutes—applying law written for paper cheques to synthetic video. Enforcement is slow and uncertain.

Emerging Consensus Points

Despite fragmentation, three convergent themes emerge:

1. Biometric Data as Sensitive: All five jurisdictions now treat facial images as sensitive personal data, requiring higher consent bars and stricter processing controls. This indirectly constrains deepfake production pipelines.

2. Non-Consensual Intimate Content as Unambiguous Harm: Every jurisdiction criminalises or strictly regulates NCII, even if sexual deepfakes are the only category treated uniformly. This is the closest to a regional consensus.

3. Platforms as Accountability Proxies: Lacking effective end-user prosecution (deepfakes are often anonymous), regulators increasingly target platform removal obligations. Australia's 24-hour removal notice and Singapore's disorder threshold exemplify this shift.

Implications for Procurement and Operations

1. Conduct deepfake-risk mapping by jurisdiction: For each market, identify which categories of synthetic content (sexual, political, commercial fraud, identity spoofing) trigger statutory liability. Map this against your content moderation policy to identify gaps.

2. Implement upstream consent and biometric controls: If your organisation collects facial imagery, audit collection consents against the DPDP (India) and PDPA (Singapore) standards. Restrict onward use to stated purposes; avoid ambiguous "AI training" language.

3. Design removal workflows for 24-hour compliance: Australia's ACMA and South Korea's enforcement focus requires platforms and services to have sub-24-hour escalation paths for deepfake flagging and takedown. Build this into your incident-response procedures.

4. Distinguish sexual content from political content in policy: Deepfake regulation diverges sharply between sexual (uniformly strict) and political (varied) categories. Your policy should treat these separately; sexual deepfakes trigger multi-jurisdictional criminal exposure; political deepfakes remain contestable.

5. Monitor India's Data Protection Board case law: The DPDP's biometric controls will generate case law on synthetic facial use. Track Board rulings on what constitutes "processing" of synthetic faces—this will shape compliance for regional operations.

6. Develop synthetic-media provenance for high-risk content: Watermarking and provenance labelling (e.g., C2PA adoption) are not mandated by law, but voluntary disclosure protects against accusation of deception. For any AI-generated video, image, or audio used in internal or marketing contexts, embed provenance metadata.

Word count: 1,598

Sources

← ALL INSIGHTS