DPDP Compliance • 5 min read
Navigating IP Enforcement Under the DPDP Act 2023: Lessons from UPL's Action
The recent multi-state enforcement actions by UPL against alleged patent infringers highlight the critical intersection of intellectual property protection and data privacy. Businesses undertaking such rigorous legal efforts must ensure their data processing activities fully comply with the Digital Personal Data Protection Act 2023, particularly concerning lawful processing, transparency, data minimisation, and data principal rights. This article, from ComplyDP, outlines key DPDP compliance considerations for companies engaged in investigative and enforcement actions, drawing parallels with scenarios like the UPL case to ensure robust data governance.
Last updated:
The business landscape in India is rapidly evolving, with companies increasingly taking decisive action to protect their intellectual property rights. A recent example that underscores this trend is UPL's intensified enforcement efforts against alleged manufacturers and sellers of lookalike herbicides, Triskele and Trishuk. Following coordinated multi-state raids across Uttar Pradesh, Haryana, and Punjab, UPL has vowed stringent legal action against entities found to be infringing its patent rights, citing confusion among farmers and substantially lower-priced, similar products in the market.
Such robust enforcement, while crucial for safeguarding innovation and fair competition, inherently involves the collection, processing, and storage of personal data. This brings businesses like UPL, and indeed any entity involved in investigations, legal action, or intelligence gathering, directly under the purview of India's new Digital Personal Data Protection Act 2023 (DPDP Act). For ComplyDP (complydp.com), it is imperative for businesses to understand how these critical operational activities must align with the DPDP Act to avoid compliance pitfalls.
The DPDP Act establishes a comprehensive framework for processing digital personal data, empowering Data Principals and imposing significant obligations on Data Fiduciaries. When a company embarks on identifying alleged infringers, gathering evidence, and pursuing legal remedies, it inevitably becomes a Data Fiduciary processing personal data of individuals connected to the alleged infringing activities – be it manufacturers, distributors, retailers, or other parties. Therefore, every step in such an enforcement drive must be meticulously reviewed through a DPDP compliance lens.
One of the foundational principles of the DPDP Act is that a Data Fiduciary may process personal data only for a lawful purpose and after obtaining the consent of the Data Principal OR for certain 'Legitimate Uses'. In an enforcement scenario, directly obtaining consent from alleged infringers is often impracticable or counterproductive. This necessitates a careful examination of the 'Legitimate Uses' provision.
The DPDP Act outlines several categories of 'Legitimate Uses' where consent is not required. These include processing for purposes such as employment, public interest, medical emergencies, or the discharge of any function under law. Crucially, it also mentions 'processing for fair and reasonable purpose as may be prescribed'. While specific rules detailing what constitutes a 'fair and reasonable purpose' are yet to be fully prescribed, businesses engaged in IP enforcement must diligently assess whether their data processing activities can align with 'processing for discharge of any function under law' (e.g., when acting on a court order or cooperating with statutory authorities) or potentially fall under a future 'fair and reasonable purpose' justification, which necessitates robust internal legal analysis.
Beyond establishing a lawful basis for processing, transparency is paramount. The DPDP Act mandates that Data Fiduciaries provide a notice to the Data Principal, specifying the personal data being collected and the purpose for which it is being processed. In the UPL example, where the company urges 'stakeholders dealing in 2,4-D Sodium Salt... to immediately cease such activities and inform us', such a call for information, if it involves personal data, triggers notice obligations. Entities gathering information for enforcement purposes must clearly articulate what data is being collected, why, and how it will be used.
The principle of data minimisation is equally critical. Businesses should collect only that personal data which is necessary for the stated purpose of IP enforcement. This means avoiding the collection of superfluous information. Similarly, the principle of purpose limitation dictates that the collected personal data should not be used for purposes other than those for which it was originally collected, unless a new lawful basis is established. For instance, data gathered solely for identifying patent infringers should not be repurposed for unrelated marketing campaigns without fresh compliance measures.
Data Principals, even those identified as alleged infringers, retain significant rights under the DPDP Act. These rights include the right to access information about their personal data, the right to correction or erasure of personal data, and the right to grievance redressal. Data Fiduciaries undertaking enforcement actions must be prepared to honor these rights, ensuring mechanisms are in place for Data Principals to exercise them effectively and efficiently.
Accountability lies at the heart of the DPDP Act. Data Fiduciaries, such as companies pursuing IP protection, are responsible for complying with the provisions of the Act and for implementing appropriate technical and organizational measures to protect personal data. This includes safeguarding data from unauthorized access, accidental loss, or misuse, particularly when dealing with sensitive information related to ongoing investigations and legal proceedings.
For stakeholders who might be asked to 'inform' companies like UPL about alleged infringements, it is also important to consider their own data protection responsibilities. Before sharing personal data, even if it is to assist in a legal enforcement action, these stakeholders should understand what data they are providing, its purpose, and ensure they are doing so responsibly and in line with any applicable data protection principles, if they themselves are Data Fiduciaries.
The UPL case serves as a powerful reminder that in an era of heightened intellectual property vigilance, data privacy compliance can no longer be an afterthought. Businesses must integrate DPDP Act compliance into their enforcement strategies from the outset. This holistic approach not only mitigates legal and reputational risks but also builds trust with all stakeholders, including those in their supply chain and the wider market.
ComplyDP (complydp.com) specializes in assisting businesses navigate the complexities of the Digital Personal Data Protection Act 2023. Our expertise ensures that your enforcement actions, investigations, and all data processing activities are not only effective in achieving their business objectives but are also fully compliant with India’s stringent data protection regulations, safeguarding your operations in the evolving legal landscape.
Partner with ComplyDP to build robust compliance frameworks that protect your business, your data, and your intellectual property, ensuring that your pursuit of justice aligns seamlessly with your data protection obligations.
ComplyDP