photo
18.09.2025

Legislation is needed to protect people from the negative impact of deepfakes

It is necessary to the Polish legal system legislation that directly addresses the dissemination of harmful content in the form of deepfakes, ensuring that victims can effectively and quickly seek protection of their rights.

This proposal was presented by Mirosław Wróblewski, President of the Personal Data Protection Office, in a letter addressed to Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski. The President points out that the current regulations are not adapted to the specific nature and capabilities of deepfake technology and content generated by artificial intelligence, as well as their potential negative impact on people.

The development of deepfake technology multiplies threats

Legal changes are necessary because deepfake technology allows the creation of recordings, videos, and audio that appear authentic, even though they are not. The technology itself is neutral and can be used, for example, to create special effects in films, but it can also lead to abuse, including violations of human rights and freedoms on an unprecedented scale.

Among the threats posed by deepfake technology, the President of the Personal Data Protection Office mentions the use of a person's image without their knowledge and consent, and identity theft (facilitating impersonation). This technology can also be used for blackmail and harassment, as it allows a person to be shown in situations that did not actually take place.

The President pointed out that deepfakes can also be used to fabricate evidence in court and pose a threat to national security or the security of public and private entities’ information systems. Deepfakes can be used for political manipulation (especially during election campaigns), social polarization, riots, or violent conflicts.

Another example is the circumvention of security systems, such as biometric authentication systems.

All this is also part of the context of various forms of attacks by the Russian Federation.

The President of the Personal Data Protection Office also referred to cases of abuse caused by the use of deepfake technology that had been reported to him so far:

-          a complaint concerning the posting of false information on social media about a journalist, a public figure, claiming that she had died, been beaten by her husband, or been sent to prison. In this case, the President issued a ban on data processing for three months (the maximum period provided for by law) on the basis of the GDPR, and the case is being investigated by the Irish supervisory authority.

-          A case involving primary school students generating a fake photo of a naked classmate. In this case, the President notified the Police of a possible crime, but the Police refused to take up the case.

-          Reports from doctors who fell victim to fraudsters using deepfake technology. Their images and authority were used in false advertisements in which the doctors allegedly encouraged people to take certain preparations.

The law does not provide sufficient protection

Current law only protects the use of images in certain areas. The provisions of the Copyright and Related Rights Act require consent for the dissemination of images, and the Civil Code regulates the protection of personal rights, including image and voice. In turn, the GDPR treats images as personal data requiring protection. If we take into account the Criminal Code, the use of deepfakes may constitute, for example, the prohibited act of identity theft (Article 190a (2)), coercion to behave in a certain way (Article 191), dissemination of the image of a naked person without consent (Article 191a), public presentation or production, dissemination, storage, and possession of pornographic content (Article 202), defamation or insult (Articles 212 and 216), or fraud (Article 286).

The President of the Personal Data Protection Office pointed out that none of the above-mentioned legal regulations provide tools for full and effective protection against the effects of such abuse, e.g., through the rapid removal of illegal materials. Meanwhile, the effects of such abuse in today's world dominated by the internet and social media are extremely severe, identifying the creators of deepfakes is often very difficult, and court proceedings take too long.

Therefore, in his letter to Deputy Prime Minister Krzysztof Gawkowski, President Mirosław Wróblewski called for work to be initiated with the aim of introducing provisions into Polish law that will regulate legal liability for the dissemination of false content in the form of deepfakes and ensure effective protection of personal data.

Various possibilities

The President of the Personal Data Protection Office presented examples of legal solutions adopted by some countries to provide legal protection against harmful deepfakes, as well as the legislative changes planned by some of them. For example, Denmark is preparing a draft amendment to copyright law that would allow citizens to demand the removal of deepfakes from online platforms and seek compensation for infringements.

He also suggested considering the obligation of technology/internet/social media platforms to install systems for the automatic and effective detection and labeling of deepfakes. He encouraged support for grassroots efforts to develop standards and best practices for verifying content authenticity, flagging fake material, and responding to user reports.

We encourage you to read the details of the President's letter, which we have included below (in polish).

DPNT.413.31.2025