Whether you are a director, or a member of an in-house legal, human resources, or internal audit team, there are sensitive scenarios that occur daily in life sciences companies that trigger the need for an internal investigation.

Goodwin has crafted an “In-House Counsel’s Guide” that sets forth a framework of best practices and key considerations for effective internal investigations, including special subject matter and industry-specific considerations; preserving the attorney-client privilege and attorney work product protection; the need for disclosure to and coordination with auditors, regulators, and others; and conducting investigations remotely.

Read the In-House Counsel’s Guide — Conducting Internal Investigations

Goodwin Life Sciences and Healthcare partner Roger Cohen and associate Anne Brendel along with Life Sciences and FDA associate Steven Tjoe kicked off Goodwin’s multi-part webinar series “Disrupt + Innovate + Transform: A Healthcare Webinar Series” with “Key Regulatory Issues for Digital Health Companies” discussing the key regulatory issues affecting digital health, telemedicine and healthcare IT companies.  The webinar series will be presented by a cross-disciplinary team of Goodwin lawyers exploring the topics that are most relevant for the healthcare industry today. From ever-changing regulatory guidelines to digital health, women’s health and privacy, Goodwin will take attendees through these topics and more and provide guidance to help you navigate the current healthcare landscape.

View the Video:

For  information on upcoming webinars in the Disrupt + Innovate + Transform: A Healthcare Webinar Series, visit our mini site.

Innovators in life sciences at companies and universities often collaborate and conduct research under a joint research agreement (JRA). The Cooperative Research and Technology Enhancement Act of 2004 (the “CREATE Act”) was enacted to promote collaboration and cooperative research between different entities. The United States Patent and Trademark Office (“USPTO”) recently proposed new rules for filing terminal disclaimers to address a particular issue in the case of JRAs.

Terminal disclaimers can be filed to overcome obviousness-type double patenting rejections. Under the current rules, parties to a JRA can only file a terminal disclaimer if certain circumstances are met. Under the CREATE Act, two patent applications of different ownership are considered commonly owned if an invention at issue was made pursuant to a joint research agreement, the invention is within the scope of the agreement, and the parties to the agreement are the applicants of the application. Even if these requirements are met, a terminal disclaimer can only be filed if the patent or patent application referenced in the double patenting rejection is prior art.

Under current practice, for example, if a company and a university collaborate under a JRA and file two patent applications of different ownership (e.g., one solely owned and the other co-owned) on the same day so that one is not prior art to the other, a terminal disclaimer cannot be filed. In that case, a petition must be filed and granted to waive the requirement.

The USPTO proposed changes to allow an applicant to file a terminal disclaimer even if the referenced patent or application is not prior art without the need to file the petition. These changes, if implemented, will facilitate the management of a patent portfolio subject to a JRA.

The use of special purpose acquisition companies, or SPACs, as an alternative to the traditional IPO process has gained significant traction over the past few years and in 2020 in particular. While these transactions have historically focused more on the tech space, with top-tier biotech investors such as Perceptive Advisors, RA Capital, RTW Investments, Foresite Capital and 5AM Ventures serving as SPAC sponsors, SPACs have gained more popularity in the biotech industry.

A SPAC is a blank check company that goes through the standard IPO process to raise capital with the purpose of using the proceeds to acquire one or more business targets or their assets. The IPO proceeds are placed in a trust account to be used at a later date to fund the De-SPAC transaction (the process through which a private target combines with the SPAC and begins trading as a public company).

The use of De-SPAC transactions to bring a private company public is gaining in popularity due to the benefits that such transactions offer. These benefits can include:

• More Streamlined: a De-SPAC transaction typically involves both a merger with the SPAC and a concurrent private investment in public equity, or PIPE, which raises additional capital from outside investors and potentially existing investors of the target company and SPAC. Both the SPAC merger and the PIPE are signed and announced simultaneously, which allows for a more streamlined process than the typical two-step crossover financing followed by an IPO.

• Mitigate Risk: because valuation is agreed towards the beginning of the De-SPAC process, a De-SPAC transaction helps to mitigate the potential market volatility risk that is inherent with traditional IPOs.

Given the success of recent De-SPAC transactions in the biotech space, with eight (8) De-SPAC transactions with biotech companies closed in 2020, coupled with the peaked interest of biotech investors, the use of De-SPAC transactions by private biotech companies to go public will likely continue to grow in 2021.

Last month, the European Data Protection Board (“EDPB”) issued additional guidance on the application of the General Data Protection Regulation (“GDPR”) in the area of scientific health research. You can read our summary of the key takeaways here. While the EDPB’s responses offer some clarifications, many obstacles and complications remain for controllers located in the US in a post-Schrems-II world.  Fundamental principles that are well settled in the US, including what is and what is not considered human subjects research, and what future uses require consent under US regulations, may be at odds with the approach in the EU under the GDPR. US-based controllers should consider the following when planning trials in the EU or UK:

• Further processing of previously collected data: The EDPB confirmed that controllers may obtain individuals’ consent for future secondary research without specifically defining the research, so long as the purposes of the research are compatible with the purposes of the original data processing and adequate safeguards are implemented. Accordingly, while US-based sponsors might be accustomed to freely using de-identified data for research purposes unrelated to the original purpose for which the data was collected, these broad unrelated uses may be subject to restrictions under GDPR.

• Broad consent: In the US, sponsors  can rely on broad consent for storage, maintenance, and secondary research use of identifiable private information or identifiable biospecimens. However, the EDPB confirmed that broad consent “cannot be asked and relied on for processing health data for any kind of – unspecified – future research purposes” where the scope of the secondary research is not closely related to the original research purpose for which it was collected.[1] These broad consent limitations can cause complications for US sponsors who are accustomed to relying on broad consent for future unspecified research. Broad consent limitations under GDPR may further restrict the downstream use or sale of de-identified biospecimens and data for future unrelated research.

• Anonymized versus pseudonymized data: US sponsors commonly assume that because health research data has been key-coded and de-identified in accordance with HIPAA standards (if applicable), and they do not maintain the key (but a third party does), that the data has been “anonymized” and is not subject to regulation. At that point, the key-coded data can be used for any purpose. However, the GDPR regulates even pseudonymised data, which can be a surprise for US sponsors accustomed to the HIPAA regime. The EDPB has reiterated that where key-codes exist, and are maintained by a site, investigator, or other third party processor, it is reasonably likely that the individual could be re-identified.  As a result, the key-coded data is still subject to GDPR protections. The EDPB plans to issue future guidance as to whether further downstream recipients of key coded data, who are not permitted to access the key, can consider that data to be anonymized.  This guidance will be crucial for research collaborators or specialized research labs who may receive key-coded data for which they have no intent, need, or ability to re-identify data.

• Transfer of research data and biospecimens: The transfer of research data and biospecimens into the US for processing remains an ongoing and unsettled concern.  Transfers of personal data are restricted unless a US based controller can demonstrate adequate safeguards have been implemented to ensure the rights of the data subjects have been protected.  Most of those specific safeguards are either inapplicable to US controllers, or are unduly burdensome for smaller entities to comply with.  EDPB is expected to release future guidance to address the question of whether US or other controllers can rely on the legitimate interest derogation for transfer of special categories of data for research purposes.

Conducting scientific health research in the EU raises specific and difficult considerations for US sponsors, including assessing legal bases for processing sensitive data and transfer mechanisms to ensure data is processed in accordance with GDPR.  This is not helped by the lack of clarity in the EU around some key issues discussed in this blog.  Until the EDPB issues further clarifications, US controllers and trial sponsors are encouraged to consult with counsel to navigate the complexities of EU scientific health research.

___________________________________________________________________________________________

[1] EDPB Document on response to the request from the European Commission for  clarifications on the consistent appliable of the GDPR, focusing on health research, 2 Feb. 2021, response 31.

Given that artificial intelligence (AI) – historically the domain of software companies – is a new frontier for many life sciences companies, we have assembled five helpful tips to consider for protecting AI technologies:

Tip 1:  Make sure you have permission to use the data

Familiarize yourself with the data privacy rules applicable to the types of data you are collecting and develop an appropriate consent form with all proper disclosures and terms.

Tip 2:  Get IP assignments from everyone contributing to the AI technology

For AI technologies, the universe of contributing individuals may be broader than expected. For example, individuals that: (1) select the data to be acted on by an AI engine, (2) review the outputs of an AI engine, (3) select the algorithms used to train the AI model and tune the modeling parameters, and/or (4) write the source code to implement an AI engine.

Tip 3:  Be careful when using open source software

Incorporate good hygiene around your use of open source software and implement policies and procedures to ensure that no source code is used that could jeopardize the secrecy of your proprietary code.

Tip 4:  Be thoughtful about the type of legal protection you want for your technology

Consider the following factors when deciding between patent and trade secret protection: (1) likelihood of independent invention, (2) detectability of the invention, and (3) speed of innovation.

Tip 5:  If you choose patent protection, employ strategies to maximize chances of success

Describe in your patent applications the AI model’s performance and the improvement(s) over conventional techniques.  Ideally, use statistical data such as ROC curves, measures of predictive values (PPV or NPV), confusion matrices, F1 scores, and other similar data.

Read the full insight