May 4, 2022

A SNEAK PEEP INTO THE PATENT VALIDITY ASSESSMENT SYSTEM

May 4, 2022

INTRODUCTION

Generally speaking, registration presupposes some sort of conclusion or priority in terms of legal rights. For patent or design however, this might be a little utopic, because Intellectual Property (IP) heavily prioritizes acknowledging original creators and inventors, as will be seen. To satisfy the requirements for the issuance of Patent over an object, function or process and be issued a Patent is not enough apparently; what makes a Patent truly valid in the essence of IP transcends beyond an application for Patent and certainly beyond a mere certificate of registration.

REGISTRATION OF PATENT

The phrase “Registration of Patent” connotes that a Patentee has registered an object, function or process (subject-matter of patent) with the Patent Office and has been issued a Certificate of Registration over it. In reality however, the PH is not registering the Patent itself; the Patent is issued to him upon meeting the requirements for its issuance such as novelty, non-obviousness, utility, etc.

Upon registration, the Patentee becomes the registered title holder over the subject-matter. In any litigation surrounding the validity or infringement, the registration certificate becomes a prima facie evidence of validity, not a conclusive one. This is because validity of Patent is not tied down to the registration process; it focuses on the qualification (creation and inventive step) in the subject-matter. The reason is as already mentioned – IP seeks to protect people’s creativity and ideation.

PATENT VALIDITY ANALYSIS

Patent validity analysis encompasses a lot; from the application for Patent to the scrutiny of the application, its approval, etc. Essentially, it is to ensure that the subject-matter of Patent meets the requirements for the issuance of the Patent.

Patent validity analysis occurs in two phases, the;

a. Prosecution Phase and;

b. Enforcement Phase

The Prosecution Phase; this is the more detailed stage of patent analysis. The analysis in this phase is conducted by the Patent Office which would scrutinize the application for Patent made, to ensure its compliance to the requirements and standards for the issuance of Patent. If the application does not follow the procedural guidelines, it would be rejected. If the subject-matter fails one or more requirements, it certainly should be rejected.

The Enforcement Phase; this phase of validity analysis only arises when there is an infringement. Whenever there is an infringement of alleged infringement of Patent, the validity of the Patent is directly a fact in issue or relevant fact or any other fact envisaged by Part II of the Evidence Act 2011 and therefore constitutes an issue for determination, unless the defendant does not join issues with the claimant on the infringement.

The validity analysis of assessment here is done by the Court through the litigation process; parties lead evidence while the court gives its pronouncements based on such evidence before it. The Court in this phase would examine the requirements for the issuance of Patent vis-à-vis the Patentee’s application to assess the validity of the Patent (the subject-matter of the dispute). The basis for this is because the defendant can plead that the Patent was wrongly issued, he may claim to be the inventor of the subject-matter as his defense. If the defendant is successful, the Court would rule that the Patent was wrongly issued and thereby grant an order of revocation or withdrawal of the Patent.

NOTE: An invalidity determination is final, but a ‘no invalidity’ determination is not. This means that even if a claimant successfully defends his Patent in an action, the validity can still be attacked on the same issues in a different action by a different party. This seems contrary to the rationale behind the legal principles of “estoppel” and “autrefois acquit” but then, IP is civil in nature. In any case, IP is sui generis as well. In light of this, Patentees may be caught up consistently in litigation defending their Patent during the 20 years they should be enjoying exclusive rights over it.

PRESUMPTION OF VALIDITY

There is a “presumption of validity” in the Enforcement Phase of a Patent. The law presumes that the Patent Office performs its due diligence before issuing Patent. This presumption however is rebuttable; if the defendant can lead evidence to convince the court to the contrary or that a requirement was not satisfied, the Patent would be pronounced void by the Court.

The implication of such a judgment is that such a Patentee’s right over that subject-matter in question ceases to exist. He can however re-apply to the Patent Office for a fresh Patent after meeting the requirements it did not satisfy, according to the Court’s judgment (if possible). Within that period within which there is no Patent over that subject-matter however, other persons may apply for Patent over it or something very similar, subject to the requirements of Patent.

BURDEN OF PROOF

One jurisprudential question in the validity assessment in the Enforcement Phase is this, “On whom (should) the burden of proving originality lie”? Even though Sections 131-136 of the Evidence Act 2011 are crystal clear on burden of proof, the rationale for our answer should take into consideration the reality that the subject-matter of Patent has been registered.

Registration needs to be accorded some sort of value, otherwise, it is useless. This makes sense and seems to flow from the rationale behind the principle of “Better Title” in property claims. It is that both the Claimant and Defendant have some sort of evidence of title in the land.

In the case of an infringement of a registered patent, what title does the defendant have to even compete for a “Better Title”? Why should the defendant even be allowed a defense that raises questions on the validity of a Patent?

“He who asserts must prove”. The patent holder who asserts the infringement of his right over an innovative subject-matter is required by law to prove the infringement, but (NOT) the innovation in the subject-matter for which he has a Patent. If the defendant admits the infringement but denies the novelty of the subject-matter, should he still be liable? If he denies the infringement because of the absence of novelty as his defense, is he making a mere academic argument? The fact still remains that the claimant’s title was valid at the time of infringement.

Are we allowing moral rights question legal rights or simply giving legal rights room to validate themselves? It may seem too academic to imagine, but the economic implications of our answers cannot be academic. People invest in enterprises, and a Registration Certificate is certainly a document an investor can rely on for investment. To know that the Certificate doesn’t guarantee anything on the subject-matter on it certainly raises eyebrows.

RECOMMENDATIONS

The Patent Registry must be thoroughly equipped for the rapid and numerous innovations going on in Nigeria in terms of training, resources and other things it would need to be standardized. It has to broaden its search beyond its records to actually deploying personnel to check the novelty of subject-matters brought before it for registration.

Also, our laws and IP Policies must be frequently updated to respond to modern trends and development in the IP Industry.

Sensitization in rural and urban communities on IP should be done and encouraged; social media platforms could even be used to educate and enlighten people on the need for registering their products, particularly about the moral, economic and legal value of Intellectual Property.

Stricter penal measures should be meted out on those who deliberately infringe on people’s IP rights. Also, stricter penal measures should be issued on those who are discovered to have stolen people’s ideas and products by beating people to the registration of their own creation.

Finally, there should be an IP tribunal to enable quicker dispensation of IP cases owing to the delicate nature of IP and the negative effects delayed dispensation of cases may have on its economic value to IP owners of Copyright, Trademark, Patent and Design as the case may be.

CONCLUSION

Intellectual Property rights are sui generis and should be treated as such. While efforts are being made to tackle the challenges bedeviling the Patent Office and its administrations, the priority remains to give original creators adequate protection, value and reverence for their works and this should remain so. Undue relevance and priority should not be placed on Certificates of Registration such that the challenges, rules and malpractices in administrative institutions do not prevail over the essence and moral right in the Intellectual Property sector.

The content of this article is intended to provide a general understanding to the subject matter. For specific consultancy relating to your circumstance, feel free to reach out to us today at hello@thefirmaadvisory.com.

Hello TheFirma

May 4, 2022

Are Nigerian Data Controllers Mandated by the Law to Maintain State-of-the-art Network Systems Guarding Against Data Breach?

Hello TheFirma

May 4, 2022

One important aim of data protection laws is to prescribe minimum standards for the protection of information obtained from a person (data subject) by another (data controller). A data controller is anyone who requires and collects data to process certain sets of actions and who determines how the data is processed. Examples of data controllers include: MTN, Access Bank, Flutterwave and Jumia. Anyone whose data is collected for processing is a data subject; for example, all subscribers to MTN network are data subjects.

The increased reliance on the internet and other technologies for commerce and daily personal activities has brought with it varieties of cybersecurity risks. At the root of the hunt is data. According to the Economist, "the world's most valuable resource is no longer oil, but data''[1] and this makes protection of data a critical subject. Also, it is getting easier to hack information systems to harvest data as hacking technologies are improving rapidly. There are multiple examples of recent cyber attacks targeted at the information systems of countries and businesses, the data breach at Tuckers LLP[2] being one prime example. There is, therefore, an urgent need to ensure an across-the-board state of art security of network systems to guard against possible breach.

However, is there a legal obligation on data controllers to maintain such secure network systems to guard against both foreseeable and unforeseeable data breach or to mitigate possible loss in the event of a breach? And if such an obligation exists, what is the standard of security required?

The simple answer to the first question is Yes. Article 2.6 of the Nigeria Data Protection Regulation creates this obligation. It requires data controllers to, among other things, implement measures to protect systems from hackers; set up firewalls; store data securely with access to specific authorized individuals; employ data encryption technologies and develop organizational policy for handling Personal Data. Other laws like the Nigerian Communications Commission Act, Cybercrime Act and CBN Regulations and Guidelines equally create this obligation to varying degrees.

This legal obligation is achieved when data controllers doggedly ensure there are adequate organizational policies to anticipate and guard against possible data breach, and in the event of a data breach, the onus is on a data controller to show that there was no negligence in the handling of collected personal data.

Clearly, prevalent industry standards for network security go beyond encryption and setting up firewalls. Does the NDPR or any law in Nigeria set a higher standard for network security?

The answer to the above question is also Yes. As a general application for data controllers collecting and processing data for government use, Article 2.6 Guideline for the Implementation of the NDPR (within Public Institutions in Nigeria) provides for the implementation of "ISO 27001:2013 or any similar standard". Article 2.3 CBN's Guidelines on Operations of Electronic Payment Channels in Nigeria stipulates some standards compliant with international best practices (like the PA DSS; PCI PED; Triple DES and EMV). Other stipulations may be found in CBN's Risk-based Cybersecurity Framework and Guidelines and requisite NCC Guidelines. For Nigerian data controllers collecting and processing data of European Union data subjects, Article 32 General Data Protection Regulation, mandates the implementation of "technical and organisational measures'' to data security, considering "the state of the art, the costs of implementation and [...] the risk of varying likelihood and severity for the rights and freedoms of natural persons." (Emphasis mine).

A breach of Article 32 of GDPR cost Tuckers LLP £98,000 in fine. Tuckers LLP failed to implement certain security measures like implementing multi-factor authentication (MFA) for remote access; applying a critical vulnerability patch for a period of 4 months after being notified of a possible breach that might result therefrom and addressing issues highlighted in a failed Cyber Essentials assessment causing a cyber attack on their information systems, resulting in the encryption and permanent loss of 972,191 civil and criminal case files stored on an archive server.

Other examples of global industry standards of network security practices that Nigerian data controllers can implement include: ISO27000 series, the National Institutes of Standards and Technology ("NIST"), the National Cyber Security Centre ("NCSC"), the Solicitors Regulatory Authority ("SRA"), Lexcel and 'NCSC Cyber Essentials'.

On a final note, it is not only imperative that all data controllers in Nigeria implement data security measures to anticipate and guard against cyber attacks, it is also an obligation imposed by law, breach of which may amount to being sanctioned by the appropriate body. The law also prescribes standards for these security measures taking into account the sophistication in hacking technologies and the prevalence of it. Nigerian businesses and data controllers must therefore, ensure they implement the prescribed high network security standards, or risk an organizational failure and the wrath of the law

References

The Economist, (Article) The world’s most valuable resource is no longer oil, but data. Available at https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data accessed on March 28 2022
Data Guidance (Article) UK: ICO fines Tuckers Solicitors LLP £98,000 for data breach. Available at https://www.dataguidance.com/news/uk-ico-fines-tuckers-solicitors-llp-%C2%A398000-data-breach accessed on March 28 2022

Want to reach out?