Intellectual Property & Data Protection: What You Should Know

1. Introduction

The convergence of Intellectual Property ("IP") rights with data protection has become a topical issue due to the increased dependence by individuals and companies on technology to create, manage and leverage their intellectual assets. In Nigeria, the intersection between both regimes is becoming noticeable, fuelled by legislative reforms, global compliance standards and increasing digital adoption. A single innovation may be simultaneously protected by IP rights and also be subject to data protection regulations.

Still, the goals of these seemingly interconnected regimes can be viewed as 2 sides of a coin. While IP law seeks to reward and protect innovation and creativity, by granting exclusivity and control to creators and owners, data protection law safeguards the personal information of individuals, giving them control over how their data is collected, processed, and shared.

This article aims to provide a practical overview of what individuals and businesses should know about the intersection of IP protection and data protection, and how they can navigate both legal frameworks to ensure adequate protection on both fronts.

2. Conceptual Frameworks

2.1. Understanding Intellectual Property

The Word Intellectual Property Organizations describes IP as creations of the mind; literary and artistic works; designs; and symbols, names and images used in commerce.¹ In Nigeria, as is the case in many jurisdictions around the globe, IP exists in several forms. Some of the common IP rights are briefly clarified below:

2.1.1. Copyright

This is the protection offered over an author's novel work(s) which vests in the author, the exclusive right to the exploitation of the work(s) over a duration. In the context of copyright law, the term "works" encompasses literary, artistic and musical works, cinematograph films and sound records.² These rights are transferrable by way of an assignment or a testamentary disposition of by the operation of the law.³

2.1.2. Patent

This right confers on inventors of novel products and processes a right to exclude others from the exploitation of the said invention. Patent is regulated by the Patent and Design Act⁴ and under the Act an invention is patentable if it is new, results from inventive activity and is capable of industrial application, or if it constitutes an improvement upon a patented invention and also is new, results from inventive activity and is capable of industrial application.⁵

2.1.3. Trademark

This confers on the registered proprietor, the right of exclusive use of the mark in respect of the goods or classes of goods to which the marks were registered. It is regulated by the provisions of the Nigeria Trademarks Act⁶ and the Trademarks Regulation of 1967.

2.1.4. Industrial Design

Industrial Design is a combination of lines, colours or both and any three – dimensional form, whether or not associated with colours, if it is intended by the creator to be used as a model or pattern to be multiplied by industrial process and is not intended solely to obtain technical result.⁷

2.1.5. Trade Secrets

Trade Secrets offer a form of protection to confidential information belonging to a business and which gives that business a competitive advantage⁸ Trade secrets are intellectual property rights offered to confidential information, the unauthorized disclosure, use or acquisition of which in a manner contrary to honest commercial practices by others constitute a violation of the trade secret protection.⁹

2.2. Data Protection

2.2.1. Key Legislation Guarding the Right to Data Protection

The recognition of data protection and privacy in Nigeria Jurisprudence began with the Constitution, as the first statute that guarantees the right to data privacy. Particularly, Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) guarantees Nigerians the privacy of their homes, correspondences and telegraphic communication.

On the above foundation, we have the primary piece of legislation that regulates the collection, use and disclosure of personal data as the Nigeria Data Protection Act enacted in 2023 ('the "NDPA''), and the soon-to be effective General Application and Implementation Directives (the NDPC-GAID). These legislations provide the granular mechanisms for dealing with personal data and regulating the activities of relevant stakeholders.

2.2.2. Salient Provisions of the NDPA

1. Application

The NDPA applies to the processing of personal data either (i) by a data controller or data processor domiciled in, resident in, or operating in Nigeria; or (b) where processing of personal data occurs within Nigeria; or (c) by a data controller or the data processor though not domiciled in Nigeria, but processing personal data of a data subject in Nigeria.¹⁰

Personal data includes the name, location data, identification number and factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual as well as sensitive personal data.¹¹

b. Lawful Basis for Processing Data

Section 25 of the NDPA outlines the lawful basis pursuant to which personal data can be processed, namely:

I. the performance of a contract to which the data subject is a party;

II. compliance with a legal obligation to which the data controller or data processor is subject;

III. the protection of the vital interest of the data subject or another person;

IV. the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or

V. legitimate interests.

c. Rights of a Data Subject

The first point of call in this regard is understanding who a data subject is. The NDPA defines a data subject as an individual to whom personal data relates.¹² Hence, juristic persons are not contemplated under this definition. Every data subject ordinarily has the following rights:

i. To receive information about the purpose of processing personal data.¹³

ii. To withdraw consent to processing of personal data at any time.¹⁴

iii. to request the rectification or erasure (right to be forgotten) of personal data by the data controller;¹⁵

iv. to restrict or object to the processing of personal data;¹⁶

v. not to be subject to a decision based solely on automated processing of personal data, including profiling.¹⁷

vi. to lodge a complaint concerning data breaches with the NDPC.¹⁸

3. Where Intellectual Property Rights intersect with Data Protection

IP and data protection might seem like separate worlds, but in reality, they cross paths more often than not. This intersection can be seen in how data is used to create, codify, or encapsulate an IP asset; how the exploitation of IP rights may encroach upon data protection rights; or how certain IP protections, particularly those based on confidentiality, may require individuals to sign away some control over the use of their personal data. Understanding where these two areas meet is key to navigating the legal and ethical challenges that may follow.

3.1. Using Personal Data to Develop IP Rights

From the creative industry to the technology space, businesses are constantly leveraging data for the purpose of creating unprecedented value. Businesses such as Google, Jumia, Amazon collect user information, which is used for behavioural analysis and profiling and automated decision making. Supplier information which consists of confidential personal data sets are often times protected as commercial assets of a business. This information can enjoy intellectual property protection as trade secret since they are confidential and give the companies concerned a commercial advantage.

As it relates to patentable creations, such as biometric devices, financial technology and other emerging technologies that rely on the processing of personal data to carry out their functions, the creators of these technologies often seek and obtain the protection that IP offers, either by patenting the mechanisms underlying these technologies, trademarking the name and logo associated with the brand, or registering the drawings or visual appearance of the software associated with their creations as industrial design. Likewise, personal data may also form part of a compilation which could enjoy copyright protection. ¹⁹

Notably, many of these IP protections are granted or obtained without reference to the legal requirements governing the collection and use of the data sets from which the IP is derived. However, where such data sets contain personal or sensitive data, they are subject to privacy and data protection laws. These protections frequently exist in tension with the exploitation of IP rights.

For example, seeking to claim IP protection over data that was unlawfully obtained such as in breach of consent obligations or without another lawful basis under the NDPA may not only expose the claimant to regulatory sanctions but could also render the IP claim unenforceable. In such cases, the equitable maxim ex turpi causa non oritur actio (no action arises from an immoral cause) could apply, preventing a purported proprietor from asserting rights over IP developed from unlawfully acquired data.

To ensure lawful and sustainable IP creation, businesses and individuals must embed data protection compliance into every stage of the IP development lifecycle. This includes recognising and upholding the rights of data subjects, obtaining valid consent or other lawful bases for processing, and implementing safeguards to ensure that the exploitation of the resulting IP does not infringe privacy rights.

3.2. Rights over Personal Data vs Proprietary IP Rights

A recurring central tension in the protection of proprietary IP rights arises when such protection overrides the individual's right to their personal data. For instance, the Copyright Act safeguards original photographs as artistic works, and grants the right of authorship to the photographer, not the individual depicted in the image. This creates a gap when an individual seeks to control or prevent the use of their own likeness, especially where they are not recognised as the copyright owner. In contrast, the NDPA recognises a person's image, where it constitutes personal data, as being subject to strict principles of fair, lawful, and transparent processing. This recognition potentially offers individuals a legal avenue to object to unauthorised use of their likeness, but its scope and application in commercial contexts remain underdeveloped in Nigerian jurisprudence.

Another unresolved area concerns the requirement for consent. Consent must be affirmative, freely given, informed, and capable of being withdrawn.²⁰ In essence, the use of a person's photograph or likeness for advertising, endorsements, or online content without explicit consent will breach these provisions, unless another lawful basis under Section 25 of the NDPA, such as performance of a contract or legitimate interest, applies. Further, the Copyright Act contains no equivalent requirement for consent from the subject; the photographer or rights-holder may legally license or sell the image without reference to the person depicted. This mismatch leaves individuals vulnerable to commercial exploitation of their image, despite the personal data protections ostensibly available under the NDPA.

Likewise in a collection, Section 2 (5) of the Copyright Act states that the copyright in a compilation does not confer any exclusive right in the pre-existing data. Thus, even when the compilation of data is copyrighted, the law still considers the data subject as the owner of the personal data so collected. The holder of the intellectual property right cannot rely on its protection to override its data protection obligations to the data subjects whose data is contained in the compilation. If the data subject, being the owner of the data forming a part of the compilation withdraws consent or requests for the deletion/rectification of the data, the copyright holder needs to comply, although the structure as a whole, will remain protected.

4. Practical Safeguards

Now that we have seen the many ways data protection affect the validity of IP, care must be taken to ensure respect for the data protection rights of the data subject. Since these technologies and creative works process user data, including data classified as sensitive²¹, it behoves on the creators of such IP rights to ensure that processing of data is done in a manner that complies with the parameters set by the NDPA in order to safeguard the data protection rights of their users. Besides upholding the rights of data subjects, obtaining valid consent or processing for lawful bases, the IP right holder should also:

1. incorporate data protection by design and by default, meaning that at the onset of devising technical and organizational measures, developers or creators must prioritise privacy considerations at the design, development and implementation stages of their project and embed safeguards directly into their respective systems; ²²
2. Include clear privacy policies and terms of use in order to ensure that informed consent is obtained before processing data; and
3. Ensure data collected is stored securely and employ techniques such as pseudonymisation and de-identification of personal data, encryption of personal data, etc.²³
   
   On the part of the users of technologies or subjects of works enjoying intellectual property protection, they must ensure that:

i. They are aware of their rights as contained in the NDPA, particularly to challenge misuse of their data, through unauthorised data processing or data sharing; and

ii. They read and understand privacy policies before consenting to the processing of their personal data.

5. Conclusion

The Intersection of IP rights and data protection is more than a theoretical overlap. It is a practical reality that shapes the creation and use of innovations.

For developers and owners of intellectual property rights, it is not enough to secure exclusive rights over groundbreaking innovations or creations; they must also respect and safeguard the personal data which those creations inevitably process. IP protection offers the legal exclusivity needed to monetize innovation, while data protection compliance builds trust, mitigates regulatory risk, and ensures ethical use of personal information. Creators who align creativity with compliance are not only securing their present work but also future-proofing their innovations against the challenges of a fastchanging legal and technological landscape.

For users, this convergence means access to legitimate, well-protected products and services, coupled with enforceable rights over their personal data. However, it also places a duty on them to remain informed, read privacy policies, and actively assert their privacy rights under the law.

Ultimately, harmonizing IP and data protection and understanding what these two regimes stand for is a strategic imperative. Equipping the creator or the inventor with the knowledge to navigate the complexities that may arise when dealing with these commingled areas of law.

Footnotes

1. https://www.wipo.int/en/web/about-ip/

2. Copyright Act, 2022, S. 2

3. Copyright Act, 2022, S. 30

4. Patent and Designs Act, Cap P2, LFN 2004.

5. Patent and Designs Act, S. 1

6. Trademarks Act, Cap T13, Laws of the Federation of Nigeria (LFN) 2004 (the Trademarks Act)

7. Patent and Designs Act, s.12

8. A.T Anthony and E.S Chinedu (Ph.D), Intellectual Property Rights in Nigeria: A critical Examination of the Activities of the Nigerian Copyright Commission [2015] Journal of Law, Policy and Globalization (35) pg 56. Available at <https://www.iiste.org/Journals/index.php/JLPG/article/viewFile/20899/21200> accessed August 7, 2025.

9. WIPO, Trade Secrets. Available at <Trade Secrets> accessed August 6, 2025