Navigating The Legal Maze

research

Uploaded by

B.Jayasree
NAVIGATING THE LEGAL MAZE: BEST PRACTICES AND COMPLIANCE STRATEGIES FOR
IP AND DATA PROTECTION LAWS
BY- [Link]

1. INTRODUCTION.
2. UNDERSTANDING INTELLECTUAL PROPERTY LAWS.
3. COMPARING INDIA'S LATEST DATA PROTECTION LEGISLATION WITH GDPR.
4. MEASURES OF COMPLIANCE FOR DATA PROTECTION AND IP
5. TECHNOLOGICAL SOLUTION FOR IP AND DATA PROTECTION.
6. CASE STUDIES HIGHLIGHTING THE CONSEQUENCES OF NON-COMPLIANCE WITH DATA PROTECTION REGULATION.
7. LANDMARK CASES IN RELATION TO IP RIGHTS.
8. UPCOMING TRAITS AND ADVANCES IN DATA AND IP PROTECTION
9. CONCLUSION AND RECOMMENDATIONS

INTRODUCTION
Businesses confront numerous difficulties in safeguarding their intellectual property (IP) and
making sure that data protection regulations are followed in today's data-driven world. It is
impossible to overestimate the significance of data protection and intellectual property (IP).
Data and digital assets are becoming more and more important to businesses, thus protecting
these resources is critical. This overview article provides guidance on comprehending the
basic ideas and precepts related to intellectual property and data security.

UNDERSTANDING INTELLECTUAL PROPERTY LAWS.
Three main foundations support intellectual property laws: copyrights, trademarks, and
patents. With the use of patents, creators can guarantee that they are the only ones with the
right to produce, utilize, or market their innovations for a certain amount of time. Conversely,
trademarks safeguard brands and logos, setting goods and services apart from rivals in the
market. Copyrights provide authors with the exclusive right to reproduce, distribute, and
exhibit their original creative works in public spaces. These works include literary, artistic,
and musical compositions.

Simultaneously, India's data protection landscape has experienced notable advancements,
mostly due to the enactment of the Personal Data Protection Bill (PDPB), which attempts to
govern the handling and processing of personal data. The purpose of the PDPB is to create
guidelines for the gathering, storing, and processing of personal data. It draws inspiration
from international frameworks like the General Data Protection Regulation (GDPR) of the
European Union and places a strong emphasis on user consent, accountability, and openness.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011, which establish security guidelines for businesses
handling sensitive personal data or information, are another way that India has strengthened
data protection. Aadhaar-related data is protected and kept private under the Aadhaar
(Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,
which also oversees India's unique identifying system. At the same time, the Digital Personal
Data Protection Act, 2023 (DPDPA), India's long-awaited universal law protecting personal
data, was finally passed.

COMPARING INDIA’S LATEST DATA PROTECTION LEGISLATION WITH GDPR.
India's general data protection law provides just a restricted scope of protection. The
Information Technology Act of 2000 and the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the "SPDI
Rules") contain some outdated regulations regarding the processing of certain types of
"sensitive personal data," such as financial information, health information, and the like.
They are poorly enforced, mostly apply to data collectors rather than controllers, and only
become significant in the case of a data breach.

As a result, it is now standard procedure in the market to collect vast amounts of data via
general, uneven, packaged consents and to handle, process, and transfer said data in a
considerable amount. Nonetheless, the right to informational privacy was reaffirmed by the
Supreme Court of India in the 2017 decision of Justice K.S. Puttaswamy (Retd.) v. Union of
India ("Puttaswamy"), as it is derived from the fundamental rights to life and personal liberty.
This decision opened the door for the first iteration of India's data bill, which eventually led
to the DPDPA's enactment following a protracted parliamentary procedure.

Similar to the GDPR, the DPDPA requires consent to be "free, specific, informed,
unconditional and unambiguous with a clear affirmative action." However, in contrast to the
GDPR, it does not allow processing based on the legal justifications of legitimate interests or
contractual need.
SIMILARITIES:

The DPDPA and the GDPR are both extensive data protection regulations that have a
number of things in common, such as: They grant people a number of rights with regard to
their personal data, including the ability to access, remove, and object to its processing. They
impose responsibilities on companies handling personal data, including putting in place suitable
security measures and notifying the competent supervisory authority of data breaches. They
include clauses pertaining to fines for noncompliance and enforcement.

DIFFERENCES:

Although the GDPR and the DPDPA share certain commonalities, they also differ in
important ways. These differences include:
Regardless of the organization's location, the GDPR is applicable to all entities that process
the personal data of individuals residing in the EU. On the other hand, regardless of the
organization's location, the DPDPA applies to all entities processing personal data of
individuals situated in India. While the DPDPA applies universally to all types of digital
personal data without extra limits on processing sensitive or essential personal data, the
GDPR specifies unique categories of personal data that can only be handled for defined
purposes. While the DPDPA provides less restrictive rules for the transfer of personal data
outside of India, the GDPR sets stronger restrictions for the transfer of personal data outside
of the European Union.

COMPLIANCE CHALLENGES

For Companies Operating in the EU: Companies operating in the EU that process the
personal data of people residing in the EU or India are subject to both the GDPR and the
DPDPA. Due to the different needs of the two laws, this poses a dilemma.
For Indian Businesses: If an Indian business processes the personal data of an Indian citizen,
it is required to abide by the DPDPA. Businesses that are not familiar with Indian data
protection rules may find this challenging.

MEASURES OF COMPLIANCE FOR DATA PROTECTION AND IP:


[Link] Adherence: Learn about applicable laws and rules pertaining to data protection
and intellectual property, including the CCPA, GDPR, HIPAA, and standards particular to
your business. Assure adherence to legal duties for intellectual property rights and copyright,
as well as requirements pertaining to data collection, processing, storage, and transfer.
2. Inventory and Classification of Data: Sort data according to its significance and level of
sensitivity for the company, making a distinction between sensitive, private, and public
information. Continually examine and update data classifications as needed, and keep an
inventory of all data assets, including intellectual property.
3. Consent Management: Before collecting, processing, or disclosing a person's personal
information, get that person's express consent. Then, make sure that the consent requirements
specified in the applicable rules are met. Establish procedures for tracking and maintaining
consent, and provide people the option to revoke their consent at any moment.
4. Data Security Measures: Put strong organizational and technical security measures in place
to guard against unauthorized access, disclosure, alteration, and destruction of personal
information as well as intellectual property. To protect data assets from both internal and
external threats, make use of data loss prevention solutions, multi-factor authentication,
encryption, and access controls.
5. Privacy by Design and Default: Make sure that privacy and data protection concerns are a
fundamental part of the design process by including privacy principles into the creation of
goods, services, and systems from the beginning. Implement privacy-enhancing features and
settings by default, reducing the collection and retention of personal data, and set the greatest
level of privacy protection for users.
6. Data Breach Reaction Strategy: Create and keep up to date a thorough data breach
response plan that outlines the steps involved in identifying, evaluating, and handling security
breaches affecting intellectual property or personal data. Assign precise roles and duties to all
important participants in the response process, such as the IT, legal, and communications
departments. Also, make sure that the plan is regularly tested through exercises and training.
7. Vendor management and due diligence: When working with outside vendors or service
providers, make sure you perform extensive due diligence to make sure they abide by the
relevant security and data protection regulations. Incorporate clauses in contracts mandating
contractors to follow certain data protection guidelines, participate in recurring security
evaluations, and promptly report security events or breaches to the company.
8. Frequent Evaluations and Audits: To find weaknesses, vulnerabilities, and opportunities
for improvement, conduct routine audits and evaluations of data security and protection
procedures. In order to maintain continuous compliance and risk management, review and
update policies, procedures, and controls in response to audit results and modifications in
regulatory requirements.
Through the efficient implementation of these compliance procedures, firms may exhibit their
dedication to safeguarding intellectual property and personal information, reduce the
likelihood of violations and associated penalties, and cultivate confidence among
stakeholders, partners, and customers.

TECHNOLOGICAL SOLUTIONS FOR IP AND DATA PROTECTION:


Increasing IP and data protection measures inside enterprises is made possible in large part
by technological solutions. The following are some essential tech fixes to improve security:
1. Tools for Data Loss Prevention (DLP): Organizations can keep an eye on and manage the
flow of sensitive data across endpoints and networks by putting DLP tools into place. These
solutions use real-time monitoring and warnings, enforce data usage regulations, and help
prevent illegal access, sharing, or leakage of confidential information.

2. Encryption and Tokenization Technologies: Tokenization and encryption technologies
offer an extra degree of protection for data while it's in transit and at rest. Data is rendered
unintelligible through encryption, guaranteeing that only those with the proper authorization
and decryption keys can access it. Tokenization keeps data usable while lowering the
possibility of exposure in the event of a breach by substituting non-sensitive placeholders for
sensitive data.
The use of advanced threat detection and prevention technologies aids companies in the
prompt identification and mitigation of security threats. In order to identify unusual activity,
malicious software, or unauthorized access attempts, these systems make use of machine
learning algorithms and behavioural analytics. This enables prompt response and cleanup.

CASE STUDY HIGHLIGHTING THE CONSEQUENCE OF NON-COMPLIANCE OF DATA PROTECTION LAWS.

The breach of Equifax data


The 2017 Equifax data breach serves as a sobering reminder of the dire repercussions of
breaking data protection laws. The hack, which exposed the personal data of some 147
million people, resulted in a great deal of legal and regulatory ramifications, including
government agency investigations and lawsuits. Significant financial fines were imposed on
Equifax, which also had to deal with regulatory agencies' settlements and class-action
lawsuits from impacted individuals.
The hack caused serious harm to the company's brand, undermining consumer confidence
and drawing criticism for insufficient security protocols and a delayed announcement.
Equifax's business operations and financial performance were significantly impacted by the
incident, which made cybersecurity improvements and customer remediation initiatives
necessary. Ultimately, in order to prevent expensive breaches and maintain confidence in the
digital era, the Equifax incident highlights the vital significance of strong cybersecurity
measures, regulatory compliance, and giving priority to the safeguarding of sensitive
consumer information.
Facebook has a prolonged history of privacy violations and data breaches:
1. Facebook introduced Beacon in December 2007, an advertising program that tracked user
transactions on third-party websites without getting explicit permission from the user.
2. In December 2009, Facebook changed its platform for sharing content, opening up
previously private user data to the public.
3. The Wall Street Journal disclosed in May 2010 that Facebook has shared user information
with advertisers without the express approval of the users.
4. Facebook and the FTC reached a settlement in November 2011 over privacy concerns, but
further events revealed lingering problems.
5. Graph Search was introduced in January 2013 and raised privacy concerns by enabling
users to look up information about other users and groups.
6. June 2013: Email addresses and phone numbers belonging to around 6 million individuals
were compromised due to a flaw.
7. March 2018: Without the required authorization, data from 87 million users was made
public due to the Cambridge Analytica controversy. Additionally, a malfunction in privacy
settings exposed the private posts of 14 million individuals.
9. September 2018: Due to a flaw in the "View As" feature, hackers were able to access data
belonging to 50–90 million people.
10. December 2018: In defiance of its pledges to the FTC, Facebook was discovered to be
sharing user data without consent.
11. March 2019: Employees may have had access to up to 600 million Facebook passwords
that were kept in unencrypted files.
12. April 2019: Facebook improperly uploaded the email contacts of 1.5 million users in
order to target ads and suggest friends.
13. September 2019: Although it wasn't Facebook's, information on 419 million users was
discovered on an open server.
14. December 2019: Probably as a result of API misuse, data from over 300 million
Facebook accounts was discovered on the dark web.
15. June 2020: Due to an error, Facebook gave developers access to user data, including
personal information on dormant users.
16. April 2021: Following a 2019 scraping event, personal information belonging to 533
million people was exposed in an online forum.
17. April 2023: Applications for a $725 million privacy settlement resolving infractions
connected to the Cambridge Analytica affair are now being accepted.

Facebook has been under constant scrutiny and fines for its handling of user data and privacy
violations, despite numerous pledges and settlements.

The Marriott International data breach is still a noteworthy incident in recent
cybersecurity history as of January 2022, when I wrote my final update. In 2020, there was a
breach that affected roughly 5.2 million visitors. Due to unlawful access to Marriott's
database, personal data like names, addresses, email addresses, and loyalty account
information were compromised.

Following the breach, investigations into Marriott's handling of the matter were carried out
by regulatory bodies, such as the UK's Information Commissioner's Office (ICO). In October
2020, Marriott International received a penalty letter from the ICO for violating the General
Data Protection Regulation (GDPR), which carried a punishment of £18.4 million. Marriott
was judged by the ICO to have neglected to put in place sufficient security measures to
safeguard customer data, which resulted in the breach and subsequent non-compliance with
GDPR regulations.

This incident emphasizes how crucial it is to have strong cybersecurity safeguards in place
and to follow data protection laws in order to protect sensitive consumer information. It
reminds businesses about the possible financial, legal, and reputational repercussions of data
breaches and privacy legislation noncompliance. It is advised to consult reputable news
outlets, official comments from Marriott International, and regulatory bodies for up-to-date
information on the Marriott International data breach and any associated developments.

LANDMARK JUDGEMENTS CONCERNING IP RIGHTS


March 2023: Burger King Corporation v. Ranjan Gupta & Ors. [[Link]-TM)
686/2022 C.O.]
Burger King Corporation's registered trademark 'Burger King' was up for dispute in March
2023, but the Delhi High Court dismissed it. As per the ruling of Justice Amit Bansal, the
defendants failed to present any proof substantiating their assertion that the trademark 'Burger
King' was widely used or generic in commerce. The court recognized that Burger King
Corporation had registered the trademark in more than 122 countries, including India, and
had been using it since 1954.
Guangdong Oppo Mobile and Others v. The Controller of Patents [No. 20 Aid for 2022]
An inventive charging system, technique, and power adapter have been the subject of an
Indian patent application by Guangdong Oppo Mobile, an electronics manufacturer. The
invention promised benefits like downsizing, cost effectiveness, and longer battery life by
directly introducing a pulsating waveform voltage to a mobile terminal's battery.
However, the Controller of Patents denied the initial patent application due to a lack of
inventive step and novelty. This ruling was recently overturned by the Calcutta High
Court, which also mandated a re-evaluation and the publication of a Second Examination
Report (SER) in three months. The court stressed the distinction between the novelty and
obviousness standards and clarified that prior art documents must address the invention in
its entirety. It further said that mosaicking of prior art is only permitted if a person skilled
in the art can discern a common thread connecting the claims with the prior art. The
court further emphasized that the patent office must issue a new SER in the event that a claim
is changed.

Union of India v. Bayer Corporation, 162 (2009) DLT 371
The medication "Sorafenib Tosylate," which is used to treat liver and kidney cancer, was
patented by Bayer Corporation, which was the plaintiff in the case of Bayer Corporation v.
Union of India. The Drug Controller of India gave Natco Pharma an obligatory license in
2012 so that the company could manufacture a generic version of the medication at a
substantially cheaper cost than Bayer's. Bayer challenged this ruling, arguing that the license
was illegitimate and unconstitutional. They requested a stay on the license from the
Intellectual Property Appellate Board (IPAB), but their appeal was turned down. Bayer then
filed a challenge in the Bombay High Court (HC) against this ruling.

The primary question was whether the Drug Controller General of India's (DCGI) license
complied with the Patent Act. The HC emphasized the public interest in maintaining the
license's validity. It decided that the purpose of the Patent Act is to protect inventors from
infringement and to foster invention. According to the HC's interpretation of the pertinent Act
parts, the DCGI is able to approve the sale of generic medications in the public interest, even
if they are patented. It made it clear that as long as the right licenses were obtained, this kind
of authorization did not constitute patent infringement. As a result, the HC denied Bayer's
plea while upholding the DCGI's ruling.

Neon Laboratories Ltd. v/s Medical Technologies Ltd. & ors 2015(64) PTC 225 (SC)
The trademark 'ROFOL' was registered by the appellant in 1992 and approved for use in
2001. But it wasn't until 2004 that they released the product onto the market. In the
meantime, the respondent had demonstrated previous usage by introducing a medication
under the trademark "PROFOL" in 1998. The respondent's prior use, marketing activities,
and strong goodwill gained the court's decision, even in spite of the appellant's earlier
registration. The 'ROFOL' trademark was consequently subject to an injunction. The Supreme
Court underlined that trademarks shouldn't have descriptive features about the products they
represent; instead, they should be original inventions.

Novartis Vs Cipla
A legal dispute arose in India in 2010 between Novartis and Cipla over the patent rights to
the cancer medication Glivec. Having secured patents for the medication in multiple nations,
Novartis also pursued patent protection in India. Nevertheless, Glivec's application was
turned down since it didn't fit the requirements of Indian patent law for a new invention.
Novartis argued that the patent laws of India were excessively stringent and did not conform
to global norms. They maintained that patent protection was justified by their considerable
investment in Glivec's R&D. However, Cipla contended that in order to guarantee
affordability for Indian patients, a generic version of the medication should be made available
at a cheaper price.
In a historic ruling against Novartis in 2013, the Indian Supreme Court upheld the nation's
strict patent laws and refused to grant Glivec patent protection. This decision was heralded as
a major gain for Cipla and for expanding access to reasonably priced medicine in India.

UPCOMING TRAITS AND ADVANCES IN DATA AND IP PROTECTION
Emerging technologies like blockchain and artificial intelligence (AI) have the potential to
completely transform data and intellectual property protection as the digital world changes.
Looking more closely at how these technologies help improve data and intellectual property
protection:
1. Technology of Blockchain:
• Unmatched Data Integrity: Blockchain's decentralized, unchangeable ledger provides
unmatched data integrity, which makes it perfect for safely storing and handling private data
pertaining to intellectual property rights, like patents, trademarks, and copyrights.
• Smart Contracts for Intellectual Property Transactions: These self-executing contracts,
which have the contents of the agreement directly encoded into code, can automate and
simplify intellectual property transactions. They guarantee efficiency, security, and
transparency while lowering the possibility of disagreements or fraudulent activity.
• Digital Rights Management (DRM): By providing safe and traceable licensing and royalty
payments, blockchain-based DRM solutions can provide content creators and rights holders
more control over the distribution and consumption of digital assets, such as music, videos,
and e-books.
2. AI, or artificial intelligence
• Predictive Analytics for Threat Detection: By using artificial intelligence (AI) to analyze
large data sets, predictive analytics can spot patterns and abnormalities that could point to
unauthorized access or security threats. This helps organizations proactively reduce risks and
stop data breaches.
• Advanced Encryption and Authentication: To fortify data security protocols and prevent
unwanted access to private data, AI algorithms can improve authentication methods and
encryption strategies, such as biometrics and behavioral analytics.

• Automated Compliance Monitoring: By continuously observing data handling procedures,
identifying non-compliance concerns, and offering actionable insights to guarantee adherence
to data protection standards, AI-driven compliance monitoring systems can expedite the
regulatory compliance process.
3. Hybrid Approaches:
• Blockchain and AI Integration: Combining blockchain technology with AI algorithms can
improve IP and data security capabilities by generating synergy. The tamper-resistant
qualities of blockchain assure the integrity and transparency of the data evaluated by AI
algorithms. For instance, blockchain-powered analytics can analyze transactions to identify
potential security issues or fraudulent activity.
• Privacy-Preserving Technologies: By combining blockchain and AI, hybrid approaches can
help develop privacy-preserving technologies like differential privacy and federated learning,
which allow for collaborative data analysis and machine learning without violating people's
right to privacy or disclosing private information.
CONCLUSION AND RECOMMENDATIONS:
The value of data and intellectual property (IP) has increased dramatically in the current
digital era, making them essential resources for companies in all sectors. Maintaining trust
and integrity with stakeholders, partners, and consumers is just as important as gaining a
competitive edge when it comes to safeguarding these assets. We have emphasized the vital
significance of strong intellectual property and data protection safeguards throughout this
conversation.
Effective data and intellectual property protection policies are essential for defending against
a variety of risks, including cyber attacks, data breaches, and theft of intellectual property.
Through the implementation of best practices and the prioritization of compliance initiatives,
organizations may safeguard their operations, minimize risks, and maintain their reputation.
Organizations must:
1. Recognize Regulatory Requirements: To do this, stay up to date with the latest data
protection laws, both in your country and elsewhere. Examples of these laws include the
CCPA, GDPR, and upcoming laws like the Personal Data Protection Bill in India.
Maintaining reputation and trust is equally as important as adhering to legal requirements in
terms of compliance.
2. Put Sturdy Security Measures in Place: Invest in state-of-the-art cybersecurity tools and
procedures to protect against data breaches, illegal access, and other security risks. This
covers regular security audits, multi-factor authentication, encryption, and access controls.
3. Train Staff Members: Encourage a culture of data security awareness among staff
members by providing them with tools and training on how to handle sensitive data, spot
phishing efforts, and follow business guidelines.
4. Adopt Emerging Technologies: Investigate how to strengthen intellectual property and
data protection using cutting-edge technologies like blockchain and artificial intelligence. By
utilizing these cutting-edge technologies, you may improve compliance monitoring,
strengthen data integrity, and fend off changing threats.
In conclusion, companies of all sizes and in all sectors must prioritize protecting sensitive
data and intellectual property. In today's linked, data-centric environment, organizations may
reduce risks, protect their assets, and maintain the trust and confidence of their stakeholders
by adopting strong security measures and adopting a proactive approach to compliance.
