Supreme Court and Online Gaming: Stakes, Skill, and the New Regulatory Line

The Supreme Court’s judgments of 27 May 2026 mark a clear turn in the law on online gaming. The first, in the Tamil Nadu and Karnataka batch (State of Tamil Nadu & Ors. v. Junglee Games India Pvt. Ltd. & Ors.; State of Karnataka v. All India Gaming Federation & Ors.), upheld State laws that extended betting-and-gambling regulation into cyberspace and rejected the argument that games of skill are automatically insulated from regulation merely because skill plays a role. The second, Directorate General of Goods and Services Tax Intelligence (HQS) & Ors. v. Gameskraft Technologies Pvt. Ltd. & Ors., treated stake-based online gaming as falling within the betting-and-gambling framework for tax purposes and upheld the valuation architecture built around that characterisation. Viewed together, the two rulings narrow the reach of the old skill chance distinction. That has direct implications for the Promotion and Regulation of Online Gaming Act, 2025, and the 2026 Rules (covered in the April Bulletin), which proceed on the same basic idea: online money games can be carved out as a distinct regulatory category, even as e-sports and social games are kept apart.

The regulatory judgment arose from State amendments in Tamil Nadu and Karnataka that were designed to regulate online wagering rather than only physical gambling. Tamil Nadu expanded its law to include wagering in cyberspace, penalised wagering or organising wagering on games like rummy and poker, and removed the earlier protection for games of skill when stakes were involved. Karnataka similarly widened the definitions of gaming, instruments of gaming, online gaming, and common gaming house so that online platforms and digital devices could be brought within the statute. The High Courts had struck these measures down on the view that Entry 34 of List II in Schedule VII of the Constitution covers gambling, not skill-based games. The Supreme Court, however, held that the State List had been read far too narrowly, and that the constitutional text did not prevent them from regulating or prohibiting staking on uncertain outcomes merely because the underlying game involved some degree of skill.

The gaming companies relied on State of Bombay v. R.M.D. Chamarbaugwala (RMDC-I), R.M.D. Chamarbaugwala v. Union of India (RMDC-II), State of Andhra Pradesh v. Satyanarayana, and K.R. Lakshmanan to argue that games of skill played with stakes are not gambling. The Court did not accept that proposition. It said RMDC-I never dealt with a game of skill played for stakes, and therefore cannot be stretched into authority for the broader claim advanced by the industry. RMDC-II was treated as protecting genuine skill competitions, but only where stakes do not transform the activity into a gambling enterprise. As for K.R. Lakshmanan, the Court confined it to horse racing and the statutory setting in which that case arose. While the precedents were not overruled; they were narrowed in their factual application and the court refused to treat them as a general precedent.

Additionally, the court held that the expression “betting and gambling” cannot be split so that only the staking side is treated as betting and only the chance side as gambling. The real element is staking money on an uncertain outcome. On that logic, even a game of skill can become part of a gambling enterprise if the statute is directed at wagering on the result. The Court also accepted the State’s public-order reasoning: online staking can create addiction, financial distress, and other harms at scale, and the legislature is not helpless in the face of those harms simply because the medium is digital. The judgement shifts attention from the abstract purity of the game to the legal character of the transaction and the social consequences of monetised play.

The GST judgment in Gameskraft travels along a related path of reorienting older precedents in light of developments in the digital realm. The dispute there was whether stake-based online gaming should be taxed as a service or as an actionable-claim supply connected with betting and gambling. The Court answered that the true character of the transaction matters, and that online gaming involving pooled stakes and uncertain outcomes can fall within the betting-and-gambling framework for GST purposes. It also upheld the valuation approach that looks to the full stake value rather than only the platform’s commission.

The industry had argued that the older skill-game cases, and the manner in which High Courts had applied them, should keep online skill games outside the betting-and-gambling net. The Court did not disagree that those cases recognised skill as legally significant. It disagreed with the further step that the industry wanted to draw from them. The Court said the later emergence of online, stake-based gaming does not freeze the law at the point where those older cases left it. Nor does the fact that a platform is a service intermediary settle the character of the underlying supply. Even the later carve-out of “online money gaming” in the GST framework was not taken to mean that the pre-amendment position was necessarily service-only. The analysis remained one of characterisation, and on that question the Court was willing to treat stake-based gaming as a distinct taxable and regulatory category.

These are significant developments for the new online gaming regime. The Court has not collapsed skill into chance, and it has not said that all online games are gambling. But it has made the older distinction less decisive where the law is aimed at money staked on uncertain outcomes. That leaves the Promotion and Regulation of Online Gaming Act, 2025, and the 2026 Rules on firmer ground than they might have seemed on the earlier precedents. The jurisprudence now points toward a regulatory order in which stake-based online gaming is treated as a special problem. It is increasingly unclear whether all skill based gambling is a commercial activity protected under Article19(1)(g).

EU Bans “Nudifier Apps”: Is India’s Regulatory Framework keeping Pace?

The rise of AI-generated non-consensual intimate imagery (NCII), often referred to as ‘deepfake pornography’, represents a profound convergence of technological capability and systemic harm. The tools driving this crisis, variously marketed as ‘undressers’, ‘nudify apps’, and ‘clothes removers’, exploit deep-learning models, image-recognition algorithms, and body-reconstruction technology to synthesise realistic sexualised images from ordinary photographs. They infer a subject’s physical form through their clothing and construct a nude likeness calibrated to the subject’s lighting, pose, and skin tone.

The European Parliament Research Service has warned that as much as 90 per cent of online content could be AI-generated by 2026. Of the deepfakes already in circulation, approximately 96 per cent were produced without the subject’s knowledge. Women and girls bear a disproportionate burden wherein they constitute 99 per cent of deepfake victims 

On 5 May 2026, the European Parliament’s Committee on Women’s Rights and Gender Equality (FEMM) convened a high-level public hearing titled ‘AI, gender-based violence including sexual images of women and children: the case of Grok’. The hearing focused on the systemic failure of technology platforms to prevent the generation and distribution of non-consensual deepfake imagery, and the urgent need for a cohesive regulatory instrument such as “Digital Omnibus” capable of closing the legal loopholes that have allowed nudification tools to proliferate largely unchecked. Grok had attracted criticism for producing explicit synthetic content with minimal guardrails, placing it at the centre of a wider conversation about whether existing platform-liability and content-moderation frameworks were adequate for the generative AI era. 

The EU Parliament and Council negotiators subsequently reached a provisional agreement amending the EU Artificial Intelligence Act under the Digital Omnibus package. While formal adoption and publication in the Official Journal are required before the measures take full legal effect – expected before 2 August 2026 – the agreement represents a watershed in EU technology law. Its principal provisions are as follows:

•     A new prohibition on AI-generated non-consensual intimate imagery (‘nudifiers’) and child sexual abuse material, introduced directly into Article 5 of the AI Act which governs the  absolutely prohibited AI practices. This elevates nudification tools to the same prohibited category as AI systems that manipulate behaviour subliminally or exploit vulnerabilities.
•     A shift in compliance deadlines: high-risk obligations for standalone Annex III AI systems are deferred to 2 December 2027; for AI embedded in regulated products under Annex I, to 2 August 2028, acknowledging the compliance burden on industry while maintaining regulatory direction.
•     Watermarking obligations for AI-generated content are moved to 2 December 2026, providing a degree of near term transparency for end users encountering synthetic media.
•     Limited use of personal data to detect or correct algorithmic bias, a carefully circumscribed provision designed to improve AI system fairness without creating broad surveillance exceptions.
•     Registration requirements for certain previously exempted tools in the EU high-risk AI database, closing a loophole that had allowed some systems to avoid oversight by virtue of narrow technical classifications.
•     Streamlined oversight for some general-purpose AI (GPAI) systems through the EU AI Office, rationalising the supervisory architecture across a fragmented landscape.

Perhaps the most consequential conceptual shift embedded in the agreement is the reallocation of regulatory responsibility. Prior to this development, the EU’s approach to deepfakes and nudification was primarily framed as a content-moderation and data-protection issue wherein deepfakes were treated as violations of privacy and transparency rules, addressed indirectly through the General Data Protection Regulation (GDPR), the Digital Services Act, and platform-liability frameworks. Providers were largely reactive — required to remove harmful content upon notification, but not obligated to prevent its creation.

Under the new framework, the primary burden of responsibility shifts from individual end users (who are, in most cases, also victims) to the companies building and deploying the AI models. Providers are now required to assess any ‘foreseeable misuse’ of their technology before it is released to the public. They must implement technical safeguards that prevent users from circumventing content filters through clever prompting or minor image alterations. Critically, the EU AI Office is empowered to monitor whether these safeguards are integrated into a model’s core architecture — not merely bolted on as superficial filters that can be bypassed .

There is a similar growing concern regarding deepfakes in India as well. Deepfake cases in India have surged by 550 per cent since 2019, with projected financial losses estimated at ₹70,000 crore in 2024 alone. Over 95–98% of deepfakes online are pornographic in nature, with 90–99% targeting women, often non-consensually. The most recent NTR Jr. case, for instance, compelled the courts to improvise a remedy within existing intellectual property and personality rights frameworks, establishing that AI-generated impersonation could be restrained by injunction — but highlighting, simultaneously, the absence of a dedicated statutory basis for such relief. As of now, the legal framework governing deepfakes in India as follows-

•     The Information Technology Act, 2000 addressing cyber offences, obscene content, and identity theft in broad terms.
•     The Bharatiya Nyaya Sanhita, 2023 (BNS) which provides provisions relevant to harassment, defamation, sexual offences, and impersonation.
•     The Digital Personal Data Protection Act, 2023 (DPDP Act) imposing obligations on data fiduciaries that may extend to the misuse of biometric likeness, with penalties available once the Data Protection Board becomes operational.
•     The IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 notified by MeitY on 10 February 2026 and operational from 20 February 2026, imposing a strict three-hour takedown window for AI-generated content flagged as harmful by a court or government order. For sensitive content involving non-consensual nudity or morphed imagery (including deepfake pornography), the removal window has been reduced from 24 hours to 2 hours. Furthermore, the obligation to report offences has been made explicit under the IT Rules and now it is a part of due diligence requirement.  

In India, the primary liability continues to be framed around the end user or the perpetrator of the specific act, unlike the EU framework which shifts the responsibility onto the companies building and deploying the AI models. India still utilises a reactive mechanism rather than the EU model which places a preventive duty requiring the AI providers. The EU has empowered the EU AI Office to monitor compliance across general-purpose AI systems. India has no analogous body with the technical expertise, statutory mandate, and cross-sectoral jurisdiction to regulate AI systems – enforcement currently depends on an ad hoc combination of MeitY, the Cyber Crime cells, and the courts.   For India, which has a massive internet population, acute deepfake exposure and a growing AI development environment, the question is how quickly it will act on this issue.