Securing your Data with the Trade Marks Registry

Data privacy has been a cause of concern for individuals and corporates, however, when sharing personal information with government authorities, we tend to overlook this concern. Has one ever wondered how secure her confidential, proprietary, or personal information is while sharing it with a government agency like the Trade Marks Registry?

Indian Intellectual Property Offices come under the Ministry of Commerce and Industry; therefore, they are under the control of the Central Government. The Trade Marks Registry, established in 1940, primarily acts as a facilitator in matters relating to the registration of trademarks in India.

The Trade Marks Registry (TMR) is a public filing system. That means once a trademark application is filed with the TMR, a lot of information is placed on record, including the applicant’s and its representative’s personal data, such as mailing address, and the proof of use of the trademark. The digitization of the Registry in 2017 prompted the current practice of recording information on a public access system.

 

Fundamental Concerns

Mailing Address: Open and easy access to such personal information exposes an applicant to scams and other unwanted solicitations. For instance, scam emails (that appear to have been sent by the TMR seeking maintenance fees) from third parties attempt to deceive applicants into paying additional fees. Everyone recalls how anyone who filed an international application between 2005 and 2015 was duped by international scammers who obtained their information from the WIPO. By oversight, many people were duped into paying huge amounts of money.

If an attorney represents an applicant, the TMR does not send correspondence about the trademark application directly to the applicant. In such cases, the Registry directly communicates with their authorised attorneys. Hence, if an applicant receives any mail relating to their trademark, they should consult their attorneys, who may evaluate it to guarantee that a scam letter is not mistaken for real contact.

Documents to support the use of the mark: Applicants are frequently required to submit documentary evidence to support their applications and commercial use of their marks. Such evidence is often public, but an applicant might disclose information they would not intend to make public, such as bills, financial papers, reports, and other confidential information. There is no mechanism to have them masked or deleted from the TMR’s database if such information is uploaded or disclosed.

 

Initiatives by the Trade Mark Registry

In recent times, the TMR has adopted the practice of restricting public access to evidentiary documents submitted during opposition/rectification proceedings that the competing parties upload on the TMR. However, similar documents filed during any other stage, such as filing and pre-opposition prosecution, are still exposed to public access, even if they are documents or information relating to commercial confidence, trade secrets, and/or any other form of confidential, proprietary, or personal information.

However, the advantage of such an open and publicly available database is that it serves as a countrywide “notice,” which means that an alleged infringer of your trademark cannot claim ignorance of your brand. However, disclosure of such information exposes applicants to email scams and other unwanted solicitations and can also harm their competitive position in the market.

In September 2019, on account of various representations made by numerous stakeholders regarding the TMR’s display of confidential, proprietary, and personal information,[1] a public notice was issued by the Registry, inviting stakeholders’ comments on the aforesaid concerns.

The TMR proposed the classification of such documents into two categories:

  • Category I: Documents that are fully accessible and available for viewing or downloading by the public.
  • Category II: Documents for which details will be available in the document description column, but viewing and downloading will be restricted.

 

Roadblocks and Viable Course of Action

Notably, the Right to Information (RTI) Act, 2005, obligates public authorities to make information on their respective platforms available to the public in a convenient and easily accessible manner. There are some notable exceptions to this rule, i.e., information related to commercial confidence and trade secrets is exempted from being disclosed or made accessible to the public in so far as their disclosure leads to a competitive handicap for the disclosing party. Personal information is also exempted to the extent that its disclosure leads to an invasion of privacy or if it has no relation to public activity or interest.

Hence, it is crucial to understand that while such a classification, as has been suggested by the TMR above, might seem like a good initiative on the surface, the lack of any concrete boundaries assigned to the terms “confidential” or “personal” information leaves the Registry with unquestioned discretion to generalise datasets and to restrict access to documents on the TMR website. A simple example could be data collected by the TMR through pre-designated forms, including Form TM A, Form TM O, etc. Most of these forms generally mandate the submission of certain personal information, including the proprietor’s name, address, telephone number, etc. However, this cannot simply mean that the TMR denies the general public access to such trademark application forms, as this would defeat the primary goal of advertising such marks on the Registry, which is to seek any opposition or evidence against such marks. Thus, while the objective behind such a classification of documents might be well-intended, restriction of access to certain documents might lead to a conflict of interest for the TMR, and it might end up over-complicating the due-diligence processes, leading to increased costs and resources.

Such generalised classifications are, hence, only viable in theory. The TMR might end up entertaining hundreds of RTI applications if it decides to limit access to certain documents, which might be necessary for proper due diligence and prosecution. The free and open availability of documents enables the public to have smoother and easier access to essential records and credentials of the trademark proprietors, thereby allowing the masses to have a better understanding of the prosecution history of important trademarks of the target company.

In the long run, a rather sustainable alternative for the TMR might be introducing a multi-factor authentication system for the parties interested in carrying out due diligence or prosecution against a mark. A multi-factor authentication system for gaining access to the records and documents on the Registry might lengthen the entire process in the short run. Nonetheless, the move could be game changer in the long run because it would allow the Registry to restrict access to confidential and personal data of its users to parties with an original or vested interest in the registration of a mark.

Such an approach would not only enable the Registry to provide open and efficient access to necessary documents to the parties who have an original or vested interest in the registration of a mark, but it would simultaneously vest it with the flexibility to protect the sensitive, confidential, as well as personal data of its users from scammers or non-interested parties.

 

Privacy-by-Design

A Privacy-by-Design approach is the future of the modern-day web, and as long as the Registry does not implement more elaborate internal safeguards on its website and databases to protect the privacy and integrity of public data contained therein, it is always recommended that applicants work with an experienced trademark attorney who can assist applicants in reducing the exposure of their information to individuals or a class of individuals with ulterior motives and mitigating the harm associated with the usage of their data.

References:

[1] Public Notice dated 06/09/2019 re Categorization of Documents on the TMR. Accessible at: https://ipindia.gov.in/writereaddata/Portal/Images/pdf/Catergorization_of_Docs.pdf.

The Trade Marks Registry (TMR) is a public filing system. That means once a trademark application is filed with the TMR, a lot of information is placed on record, including the applicant’s and its representative’s personal data, such as mailing address and the proof of use of the trademark. 

Related Posts

POST A COMMENT

Bulk Data Sharing & Procedure Notification - A Data Breach?

  • 31 July, 2019
  • Indran M.B

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home, it is accused that the Indian Government has monetized from sale of personal data of Individuals, in the pretext of public purposes” under a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue out of them.  The two databases of Ministry of Road Transport and Highways named Vahan and Sarathi were under discussion.  These databases contained details such as vehicle owner’s names, registration details, chasis number, engine number, and driving license related particulars of individuals.  These details amount to personal information by which an individual could be identified (“Personal Data”).  

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure wherein a policy framework on sale of bulk data relating to driving license and vehicle registration was introduced.  Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018? and whether such access constitutes data breach? 

 

Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be  provided: 

it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry.  The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.  

As per the notification, only such entities that qualify the eligibility criteria would be provided access to bulk data.  The eligibility criteria are that an entity should be registered in India with at least 50% Indian ownership, such bulk data should be processed/stored in Servers/Data Centers in India, and the entity should have obtained security pre-audit report from CERT-In empanelled auditor.  The bulk data access would be provided for a price.  

Commercial organizations could have such data for an amount of INR 3 crores and educational institutions could have them for 5 lakhs.  As per the notification, the bulk data will be provided in encrypted form with restricted access.  Such entities would be restricted from any activity that would identify individuals using such data sets.  The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability.  Violation of these protocols is punishable under the Information Technology Act, 2000. 

The Ministry of Road Transport and Highways has in accordance with this policy framework provided database access to 87 private companies and 32 government entities for a price of 65 crores resulting in Personal Data of all individuals being accessible to them.  The Data Principal (the individual whose information is in the database) has no knowledge or control over any use or misuse of his/her information.   

In any data protection framework worldwide, the Data Principal’s consent should be sought stating the purpose for which data ought to be used.  It is only pursuant to Data Principal’s consent that any information can be processed.  On the contrary, providing access to Personal Data to third party private companies without any consent of the Data Principal will keep them out of effective control.  This is against the basic principles of data protection. 

 

Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act as the bill is being placed in the Parliament.  The Data Protection Bill, 2018 contains certain provisions to address the above-mentioned issues.  Section 5 of the Data Protection Bill states when personal data can be processed.  Personal Data shall be allowed only for such purposes that are  clear, specific, and lawful.  Section 5 is extracted below: 

  1. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving license and vehicle registration i.e. Motor Vehicle Act does not explicitly permit the State to sell or provide third parties access to Personal Data for generation of revenue.  Therefore, there is no clear, specific, or lawful indication of such access in the enactment.  The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that “data principal would reasonably expect”.  The data principal has provided this information only for the purpose of grant of motor vehicle license and vehicle registration.  The Data Principal ought not have expected his/her data to be sold by the Government. 

Section 13 of the Data Protection Bill is also of relevance here because it authorizes the State to process Personal Data for provision of services, benefit or issuance of certification, licenses or permits.  Section 13 is extracted below: 

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for excise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal of the State. 

 

By this section, the State is authorized to use Personal Data for grant of license or permits or to provide any benefit or service.  However, whether the State is authorized to give access to Personal Data to third party private companies is unclear. 

Section 17 of the Data Protection Bill tries to shed some light on this anomaly.  The section states that Personal Data may be processed for “reasonable purposes” after considering if there is any public interest involved in processing the same.  What constitutes reasonable purpose is yet to be specified by the Data Protection Authority to be constituted.  Section 17 is extracted hereunder: 

  1. Processing of data for reasonable purposes. — 

(1) In addition to the grounds for processing contained in section12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration— 

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 

 

Section 17, therefore, clarifies that when there is any public interest involved, the State may provide access to publicly available personal data to third parties.  This read with Section 13 indicates that State is not required to get the consent of Data Principal in order to provide services and benefits.   

 

Whether the State has provided access to personal data for public interest or to provide services and benefits? 

The Bulk Data Processing & Procedure notification states that the purpose of providing access of bulk Personal Data is to “support the transport and automobile industry” & “help in service improvements and wider benefits to citizens & Government”.  Supporting the transport and automobile industry and improving services may qualify as public interest, whereas, mere revenue generation will not.  However, there is no clarification from the Government as to how these private companies to whom database access is being provided assist in public interest.  Further, whether all driving license and registration details related data can be classified as publicly available information is again contentious and questionable as the information provided therein is intended to be provided only to license holders & vehicle owners and is partially masked. 

In the event if this Personal Data is not construed as public data or these public companies have been given access to personal data in the absence of any public interest, it would result  in personal data breach by the Government Departments where the head of Department will be held liable as per section 96 of the Data Protection Bill. 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.  Whether it results in the exploitation of personal and private data on the pretext of public interest without an individual’s consent needs to be ascertained. 

Image Credits:

Photo by Markus Spiske on Unsplash

 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.

Related Posts

POST A COMMENT