This article provides an overview of the new law, it considers the objectives, application, principles guiding the processing of personal data, cross-border transfer of personal data and other key provisions.

Application of the Nigeria Data Protection Act

The Act applies to data controllers or data processors domiciled, resident or operating in Nigeria and the processing of personal data that occurs within Nigeria. It also applies to situations where the data controllers or data processors are not domiciled, resident or operating in Nigeria but are processing the personal data of data subjects in Nigeria.

The Act does not apply to the processing of personal data which is done solely for personal or household purposes by one or two more persons. The Act also does not apply to the processing of personal data necessary for the investigation, detection or prosecution of crimes or the prevention or control of a public health emergency, etc.

Objectives of the Act

The Act seeks to achieve the following objectives:

1. Safeguard the fundamental rights, freedoms and interest of data subjects as guaranteed under the Constitution.
2. Regulate the processing of personal data and ensures that personal data is processed in a fair, lawful and accountable manner.
3. Protect data subjects’ rights and provide means of recourse and remedies in the event of breach.
4. Ensure that data controllers and data processors fulfill their obligations to data subjects.
5. Establish an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues and supervise data controllers and data processors.

Establishment and Functions of the Nigeria Data Protection Commission

The Act established the Nigeria Data Protection Commission (“the Commission”) for the purposes of achieving the objectives of the Act. Thus, the Commission has the core functions of regulating the deployment of technological and organizational measures to enhance personal data protection, accredit, licence, and register suitable persons to provide data protection compliance services, register data controllers and data processors, receiving complaints relating to violations of the Act or any subsidiary legislations.

Principles of Processing Personal Data

Data controllers and data processors process personal data on the basis of care and accountability to data subjects. Accordingly, data controllers and data processors must act in a fair, lawful and transparent manner, collect data only for specified and legitimate purpose, hold and retain the data accurately, not longer than necessary, and generally ensure appropriate security measures are taken to secure the personal data.

Consent and Lawful Basis for the Processing of Personal Data

Consent of a data subject is very important for processing personal data. A data subject is a person whose information or data is being processed or sought to be processed. A data controller or data processor must obtain the consent of a data subject before processing his/her data, and it lies on the data controller or processor to prove that the data subject has given consent. The request for consent must be in a clear simple language and format with information that the data subject reserves the right to withdraw the consent at any time.  The consent must be freely and intentionally given either in writing, orally or through electronic means. Silence or inactivity does not amount to consent. In the case of a child, or person lacking legal capacity), the consent of a parent or guardian will suffice. The need to obtain consent of parent or guardian, may however not apply where the processing of personal data is necessary to protect the vital interests, or for the purpose of the education, medical or social care of such child or person lacking legal capacity, or where it is necessary for proceedings before a court.

The consent must be given for the specific purpose(s) for which personal data is processed, or where the processing is necessary for the following purposes:

1. For the performance of a contract to which the data subject is a party
2. For compliance with a legal obligation to which the data controller or data processor is subject
3. To protect the vital interest of the data subject or another person
4. For the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor
5. For the purposes of the legitimate interest pursued by the data controller or data processor, or by a third party to whom the data is disclosed.

Obligations of a Data Controller

• Obligation to Provide Information: A data controller has the obligation to provide certain necessary information to a data subject before collecting his personal data. The information which the data controller must provide to the data subject include the following:

1. Identity, residence or place of business and means of communication with the data controller and its representative.
2. Recipients or categories of recipients of the personal data
3. Existence of the rights of the data subject
4. Retention period for the personal data, etc.

The data controller shall make this information available by means of a privacy policy which should be expressed in a clear, concise, transparent, intelligible and easily accessible format.

• Data Privacy Impact Assessment Obligation: The assessment is a process designed to identify the risks and impact of processing personal data. A data controller is required to conduct a data privacy impact assessment where the processing of personal data may result in high risk to the rights and freedom of a data subject. This is to be conducted before the processing of personal data.
• Obligation to Erase Personal Data: A data controller has the obligation to erase the personal data of a data subject without undue delay where it is no longer necessary or where the data controller has no other lawful basis to retain the personal data.

Obligations of a Data Processor

Data controllers are engaged by data processors to process personal data. These data processors are also mandated to comply with the principles for the processing of personal data, assist the data controller to fulfill its obligation, implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. Where a data processor engaged by a data controller further engages another data processor, the data processor directly engaged by the data controller is obliged to notify the data controller of its engagement with another data processor.

Data Protection Officers

Data controllers that process significant personal data are required to designate a person as a Data Protection Officer (DPO). The DPO may be an employee of the data controller or a person engaged by a service contract and must possess expert knowledge on data protection laws and practices. A DPO advises data controller, monitors compliance with the Act and related data protection policies of the data controller. The DPO also act as the contact point for the Commission on data processing issues.

Rights of Data Subjects

A data subject has the following rights with respect to the processing of his personal data by a data controller.

1. Right to Confirmation from a Data Controller. A data subject has the right to obtain from a data controller without constraint or unreasonable delay, confirmation as to whether the data controller or a data processor operating on its behalf is storing or otherwise processing personal data relating to the data subject and if so, the purpose of the processing, the recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, etc.
2. Right to receive a copy of his personal data in a commonly used electronic format.
3. Right to correction or deletion of the data subject’s personal data where correction is not possible where the personal data is inaccurate, out of date, incomplete or misleading.
4. Erasure of personal data of the data subject without undue delay
5. Right to restrict the processing of personal data
6. Right to withdraw consent to the processing of personal data at any time.
7. Right to object to the processing of personal data relating to the data subject.
8. The right to reject being subject to a decision based solely on automated processing of personal data.
9. The right to receive personal data in a structured, commonly used and machine-readable format and be able to transmit it to another data controller without any hindrance.

Data Security

Data controllers and data processors are required to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in the possession. They must ensure that personal data are protected against accidental or unlawful destruction, loss, misuse, alteration, unauthorized disclosure or access.

The security measures that may be implemented to ensure personal data security include encryption, periodic assessments of risks to processing systems and services, regular testing, assessing and evaluation of the effectiveness of the measures, regular updating of the measures and introducing new measures to address shortcomings, etc.

Personal Data Breaches

Personal data breach is the breach of the security of a data controller or data processor which leads to or may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or processed.

Data processors are required to notify data controllers or engaging data processors of personal data breaches which the data processors store or process upon becoming aware of it by describing the nature of the personal data breach and the number of data subjects and personal data records concerned and also respond to all information requests from the data controllers or the engaging data processors.

Data controllers should also notify the Commission of personal data breaches which are likely to result in a risk to the rights and freedoms of individuals within 72 hours of becoming aware of such breach. Data controllers are also to communicate the personal data breach to the data subjects in a plain and clear language including measures that could be taken by the data subjects to mitigate any possible adverse effects.

Data controllers and data processors are also required to keep a record of all personal data breaches, facts relating to the breaches, its effects and remedial actions taken.

Cross-border Transfers of Personal Data

Data controllers and data processors are not allowed to transfer or permit the transfer of personal data from Nigeria to another country unless:

1. The recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection.
2. meets one of the lawful basis for transfer of personal data outside Nigeria.

The level of protection considered adequate must uphold the principles that are substantially similar to the conditions for processing personal data provided by the Act. An adequate level of protection is assessed by taking into account the existence of an effective data protection law, access of public authority to personal data, existence of an independent supervisory authority, etc.

Registration of Data Controllers and Data Processors

Data controllers and data processors of major importance are mandated to register with the Commission within six months after the commencement of the Act or upon becoming a data controller or data processor of major importance. Data controllers or data processors of major importance are data controllers or data processors that process personal data of particular value or significance to the economy, society or security and are resident or operating in Nigeria.

The Commission is required to maintain and publish a register of duly registered data controllers and data processors of major importance on its website. A data controller or data processor of major importance shall be removed from the register where it ceases operation.

Enforcement and Penalties

A data subject who is aggrieved by the action, inaction or decision of a data controller or processor may lodge a complaint with the Commission and it may investigate the complaint where it is not vexatious or frivolous.

The Commission may also issue a compliance order once it is satisfied that any requirement of the Act or subsidiary legislation has been violated or likely to be violated by a data controller or data processor. The order may be a warning, order to comply with the request of a data subject or a cease-and-desist order. The Commission may also issue an enforcement order or impose a sanction for violation of the Act or a subsidiary legislation.

The penalty or remedial fee for violation of the Act or subsidiary legislation is:

1. Higher maximum amount, which is the greater of N10,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor of major importance.
2. Standard maximum amount, which is the greater of N2,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor not of major importance.

Conclusion and Remarks

The Nigeria Data Protection Act, 2023 is an important piece of legislation and has been long in coming. It provides for the basic principles and the lawful bases for the processing and transfer of personal data in Nigeria and applies to both resident and non-resident data processors. It provides for the responsibilities of data controllers and data processors while also providing for the rights of data subjects. The processing of sensitive personal data and the personal data of children and persons lacking legal capacity to consent must follow the applicable principles as provided by the Act. Data security measures which are robust are expected to be put in place by data controllers and data processors to protect against the risk of personal data breaches. The Act creates the Nigerian Data Protection Commission which has the overall responsibility to ensure compliance and impose penalties where necessary. Both resident and non-resident data processors are advised to pay particular attention to this new legislation as they are now required to take specific steps to ensure compliance with the Act.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post Better Late than Never: Nigeria Finally Passes the Data Protection Act first appeared on Goldsmiths Solicitors.

A Trademark is a unique sign or mark that distinguishes the goods and services of one business from another. A mark can either be a device, brand, heading, label, ticket, name, signature, word, letter, numeral, or any combination thereof. Most businesses, companies or organizations have distinctive marks that sets them apart from other businesses.

The relevant law that governs Trademark in Nigeria is the Trademarks Act, Laws of the Federation of Nigeria 2004 (LFN 2004). This article explains the procedure for the registration of trademarks, enforcement, and remedies for the infringement of trademarks in Nigeria.

Requirements for Registration of Trademark:

1. Applicant’s details (i.e., name, signature, nationality, and address).
2. Details of the trademark.
3. A representation of the mark.
4. The classification of goods and/or services (Nigeria uses the Nice Classification of Goods and Services).
5. A signed Power of Attorney

Procedures for Registering a Trademark:

1. Availability search: The first step is to conduct an availability search at the Trademark Registry to ensure that there are no marks similar or in conflict with the proposed mark.
2. Application: If there are no conflicts, an application for trademark registration is filed at the Trademark Registry. After submission of the application form and payment of the necessary fees, the Registrar issues an Acknowledgement Letter confirming receipt of the application.
3. Acceptance: Where the application is approved on the grounds that the mark is distinctive, a Letter of Acceptance will be issued within one to three months by the Registrar of Trademarks.
4. Publication and Certification: Upon the acceptance of the application, the Registrar ensures the notice of the application is published in the Nigerian Trademark Journal. The purpose of this publication is to notify interested parties who may have objections to the application. The opposition period is two months from the date of publication. Where there are no objections or where an objection raised has been upheld, the Applicant may proceed to make an application for the issuance of Certificate of Registration and subsequently, a Certificate of Registration would be issued by the Registrar of Trademarks.

A trademark once registered is valid in Nigeria for an initial period of 7 years in the first instance and subsequent renewals are valid for 14 years.

Trademark Infringement

A trademark is infringed when a person without consent from the trademark owner uses the mark or an identical mark in a way that is likely to deceive the public or cause confusion. Where such rights are infringed upon, the proprietor can institute an action in court for the infringement of such trademark. The court with jurisdiction for trademark proceeding in Nigeria is the Federal High Court. The burden of proof lies on the Proprietor of the trademark to show that his right has been infringed upon. Section 5 (2) Trademarks Act provides that:

“without prejudice to the generality of the right to the use of a trade mark given by such registration as aforesaid, that right shall be deemed to be infringed by any person who, not being the proprietor of the trade mark or a registered user thereof using it by way of the permitted use, uses a mark identical with it or so nearly resembling it as to be likely to deceive or cause confusion, in the course of trade, in relation to any goods in respect of which it is registered.”

The owner of an unregistered trademark on the other hand may institute an action for passing off where there is an infringement.

Enforcement of Rights and Available Remedies

The owner of a registered trademark can enforce his rights through the any of the following options:

1. Filing an opposition within 60 days of the publication in the Trademark journal against the registration of an identical or similar trademark. This is done by filing a Notice of Opposition, the Respondent is required to file a counter statement and the matter will be determined by the Registrar as to whether registration of the mark will be entertained or not. The notice must be in writing and must contain the grounds for the opposition.
2. Making a formal application to the Trademark Registrar for the cancellation of the trademark. This however should be supported with evidence of prior registration of the mark by the proprietor.
3. Sending a cease and desist letter to the infringer to inform him of the trademark that is being infringed and warning him to stop further violations of the mark. Where such infringer refuses, a legal action can be instituted.
4. Apply for a search and seize order where the infringement is known to the proprietor of the Trademark. It allows the owner the opportunity to enter the premises of the infringer without notice to seize all infringing goods.

Where the owner of a trademark commences legal action for the enforcement of his exclusive right to a trademark, the following remedies may be available through the courts:

1. The owner of the trademark can seek damages for compensation for losses suffered in relation to infringement of the trademark especially when such infringement impacts negatively on the owner’s business. The evidence must show a direct causal relationship between the infringement and actual harm.
2. Injunctive reliefs may be sought and granted. The court could prevent the infringer from further using the mark or may restrict usage of the mark to certain areas or impose certain conditions for its usage.
3. An Anton Pillar order can be sought to give access to the owner to enter the premises where the infringed goods are kept and take possession of it.
4. The court can also grant an order of account of profit to recover all the profits made by the infringer from the unauthorized use of the Trademark where such act amounts to gross loss of profit on the part of the owner.

Conclusion

The benefits of trademark registration generally and in Nigeria cannot be overemphasized. The certificate of trademark registration issued by the Registrar, is irrefutable evidence of registration of a mark and confers a right on the owner to use the trademark to the exclusion of others. Not only is a registered trademark protected under the law, but it also protects the identity and goodwill of the brand. The owner of a registered trademark can equally assign or transfer his trademark to an individual or corporate entity and generate revenue from it. Any infringement of the registered trademark could be met by an enforcement action and the registered trademark owner could get injunctive order or damages against the infringer.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post Trademarks in Nigeria: Registration, Infringement and Enforcement first appeared on Goldsmiths Solicitors.

The protection of IP in Nigeria is mostly governed by the Trademark Act, and the Patents and Designs Act and the agency responsible is the Trademarks, Patents and Designs Registry of the Federal Ministry of Trade & Investment.

Nature of Intellectual Property

According to World Intellectual Property Organisation (WIPO), Intellectual Property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce.[i]

A person’s Intellectual Property may be protected as a patent, copyright or a trademark. Patent protects your inventions such as when you invent something innovative i.e. a new software e.g.  ChatGPT. Trademark protects the name, logo and symbols pertaining to your products or brand. Copyright protects your original works such as literary, musical, dramatic and artistic works, sound recordings, broadcasts including songs, movies, published articles, computer programmes, novels, etc. Patent and trademark must be registered before they can be protected from infringement or unauthorised use in Nigeria. Even though copyright can be registered in Nigeria, registration is not mandatory as original works are automatically protected when they are reduced into a definite form of expression from which it can be perceived, reproduced or communicated directly or with the aid of any machine or device.[ii]

The Benefits of Protecting your Intellectual Property

Intellectual property are assets and as a result they can be stolen, copied, adapted, and infringed upon in any possible way if not properly protected under the appropriate system created for their protection. The infringement would also not be redressable if the intellectual property is not protected.  A well protected intellectual property guarantees the owner the following benefits:

1. It protects your creativity as the author of the work. Protecting your intellectual property ensures that your creativity is not taken advantage of without your authorization, thus leading to loss of patronage from customer and loss of revenue.
2. IP protections gives you a right to the exclusive use of your intellectual property. Any unauthorised use by any other person is an infringement that gives you the right to proceed against them to stop the unauthorised use and claim damages.
3. Protecting your intellectual property protects your brand against reputational damage. Your intellectual property such as your brand name and logo distinguish your business and set it apart from your competitors. If your intellectual property is not protected, counterfeit goods could be sold or poor services delivered with your brand name and logo which would affect the reputation and overall goodwill of your business.
4. It is a source of revenue or income. IP helps you to make money when you license, sell, or commercialize your creations or inventions.
5. IP can be used as a security for example whilst raising funds for your business. For instance, patents of an invention can be used as a collateral for securing loan.

How to Protect your IP in Nigeria

It is very important that you take adequate measures to ensure you do not disclose your IP to anyone before they are fully registered . Your IP can be protected by registering it with the Trademarks, Patents and Designs Registry, and Nigerian Copyright Commission (NCC). For start-ups seeking investors, this should be done even before pitching your idea to any investor. Disclosure of your IP before registration could prejudice or affect your right over the IP if someone registers it before you. Most IP for example trademark and patent operates on the basis of “first to file” principle. Also ensure that your works that are eligible for copyright protection should be fixed in a definite form of expression before passing it to any other person.

Remedies for Breach of IP

The owner of an IP can seek available remedies in the court having jurisdiction where his IP has been infringed. The remedies available include:

1. Damages or account of profits. Damages could be awarded to compensate for the loss suffered as a result of the infringement. Alternatively, an account of profit could be ordered to enable the IP owner to recover all the profits made by the infringer from the unauthorised use of the IP.
2. This remedy operates to stop the infringer from continuing the unauthorised exploitation of the IP.
3. Delivery up for destruction. The court could make an order mandating the infringer to deliver up the infringing products and the devices used in making them for destruction.

Conclusion

Intellectual Property is an important asset, and its value can only be fully realized and enjoyed only when fully protected. Nigeria has proven to be a major global hub for innovations in tech, music, movies, etc. It is very important that you take adequate measures to ensure you do not disclose your IP to anyone before they are fully registered. Start-ups have to be particularly careful with the IP before pitching for investors. In the event that a protected IP is infringed, there are remedies available to the IP to the owner in the form of damages, injunction and destruction of the infringing products.

[i] https://www.wipo.int/about-ip/en/ accessed on 17/11/2021

[ii] Section 1 (2) (b) of the Nigerian Copyright Act LFN 2004

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post The Benefits of Protecting your Intellectual Property in Nigeria first appeared on Goldsmiths Solicitors.