Legal Considerations for Artificial Intelligence in the Life Sciences Sector
This article is the second part in a series on AI and the EU Artificial Intelligence Act (AI Act). Here, we focus on how the AI Act intersects with the life sciences sector, touching on medical device regulation, data protection, and intellectual property. AI plays an increasingly important role in areas such as drug discovery, diagnostics, personalized medicine, and clinical trials. While AI offers efficiency and innovation, it also brings legal challenges specific to this sector.
Life Sciences, the AI Act and Medical Device Regulation
The EU AI Act (Regulation 2024/1689) introduces a risk-based framework that applies across all sectors, including life sciences. It categorizes AI systems into four groups: prohibited practices, high-risk, limited-risk, and general purpose AI. In life sciences, many AI systems are classified as "high-risk," especially those integrated into medical devices governed by the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDMR).
The MDR covers devices, including standalone software, intended for medical purposes like diagnosis, prevention, or treatment. An AI system qualifies as a medical device if it serves a medical purpose independently and is intended for patient use. Devices requiring third-party conformity assessment under MDR or IVDMR and incorporating AI fall under the AI Act’s high-risk category. Examples include AI-enabled hearing aids or remote monitoring devices linked to active implants.
The AI Act complements existing MDR and IVDMR obligations without duplicating them. It does not create separate conformity assessments but requires AI-specific demands—such as data governance, transparency, and human oversight—to be integrated into existing regulatory procedures. This avoids overlapping or conflicting requirements for manufacturers.
Beyond medical devices, AI systems used for biometric categorization in life sciences—like hospital access systems using facial recognition—may also be high-risk. AI chatbots interacting directly with patients or healthcare professionals fall under transparency rules concerning realistic content generation.
The primary compliance responsibility lies with the AI system provider. For high-risk AI components of medical devices, the manufacturer is deemed the provider. Users, including healthcare professionals and researchers, must follow provider instructions, monitor system performance, and report serious incidents or malfunctions. Their operational vigilance and reporting duties are critical under the AI Act.
Data Protection Considerations
AI in life sciences often depends on large datasets containing sensitive health and genetic data. This includes direct sensitive personal data, such as medical history and test results, as well as indirect sensitive data, like location data linked to hospital visits. Under the GDPR, these fall under special categories of personal data, with processing generally prohibited unless specific exceptions apply.
Many organizations process health data initially for treatment and later seek to repurpose it for AI training or pharmaceutical research. The GDPR requires a compatibility assessment for such secondary uses. If the new purpose aligns closely with the original one, no new legal basis is needed. Notably, scientific research has a special status, generally considered compatible with initial data collection purposes.
The European Data Protection Supervisor (EDPS) distinguishes genuine research, aimed at societal benefit, from research primarily serving commercial interests. Only the former typically qualifies for the research exception. This distinction remains debated, especially in commercial medical research. Thus, commercial AI training may not always benefit from compatibility exceptions and may require separate legal bases such as consent or legitimate interests.
Data controllers must also uphold core GDPR principles when processing sensitive data for AI, including privacy-enhancing techniques like pseudonymization or anonymization. Robust technical and organizational measures must protect personal data throughout AI training and use.
Intellectual Property Challenges
Developing AI applications in life sciences demands significant investment, prompting inventors to seek patent protection. European patent law, governed by the European Patent Convention (EPC), allows patents for inventions that are novel, involve an inventive step, and are industrially applicable. However, mathematical methods and computer programs “as such” are excluded unless they produce a “technical effect.”
The European Patent Office (EPO) assesses this on a case-by-case basis. AI systems delivering technical solutions—for example, improving medical device control or data security—can qualify. A system measuring blood glucose variability via AI has been recognized as patentable. Conversely, AI systems performing purely non-technical tasks, such as aesthetic improvements, are not patentable.
Challenges remain around AI-driven drug discovery, especially when inventions lack direct human input. The EPO requires a human inventor, complicating protection for AI-generated inventions. Another issue concerns disclosure requirements, which must enable the “person skilled in the art” (PSA) to reproduce the invention. The EPO has indicated that disclosure may include sensitive or commercially valuable training data. For instance, in a case involving AI to measure cardiac output, the EPO ruled that the neural network’s training data must be disclosed.
Life sciences entities should carefully plan IP strategies when developing or using AI, balancing protection with disclosure obligations.
Conclusion and Future Outlook
AI’s growing role in life sciences introduces a complex regulatory environment. The AI Act applies a sector-agnostic, risk-based approach, impacting medical devices and other AI applications. Alongside, organizations must comply with the GDPR and intellectual property rules, each with distinct challenges. Future articles will explore AI Act intersections with other sectors and regulations.
Your membership also unlocks:
