At the Internet Governance Forum, an annual event for multistakeholder policy dialogue on issues of Internet governance, the Datasphere Initiative brought together researchers and regulators designing or studying sandboxes to share their experiences on their use and potential as an example of the “multistakeholder approach” in practice. Speakers from Latin America, Africa, the US and Europe identified the need to build trust and share experiences to inspire sandbox design and participation, and to raise public awareness about the potential of sandboxes as tools to address the opportunities and risks of digital technologies.
“A sandbox is a way for people to address policy issues in a different way, turning the problems actors have with each other into addressing a problem people have in common. When there’s a new technology a regulatory sandbox can help explore: how an existing regulation applies, should it be changed?, or how it should be adapted.” Bertrand de La Chapelle, Chief Vision Officer, Datasphere Initiative.
There is an incredible diversity of sandboxes around the world with differing objectives, scope, intended impact and regulatory flexibility.
The concept of a “sandbox” – safe spaces to test new technologies and practices against regulatory frameworks or experiment with innovative uses and means of governing data – has generated a lot of interest and it is a practice that is growing. Research by the Datasphere Initiative shows that many countries have in some way or another used: Regulatory sandboxes (collaborative processes where regulators, service providers and relevant stakeholders test innovative technology and data practices within a regulatory framework), Operational sandboxes (testing environments where hosted data can be accessed and used) or Hybrid sandboxes (a combination).
A regulatory sandbox can come early on in a regulatory process to anticipate the way a new technology may challenge an existing regulatory framework. It can be used to explore whether an innovation may hinder regulation or require a new technique. Sandboxes can also be used in the development of legislation to organize the engagement of specific actors and gain insights from non-governmental experts and/or affected communities. While sandboxes first arose in the fintech sector, their use has expanded. For example, privacy regulators have approached sandboxes differently from financial regulators, who give flexibility and lower barriers to entry. Data protection regulators are usually concerned about how innovations interact with data protection frameworks.
“The main difference between the approaches to sandboxes is this question of regulatory flexibility and objectives of the sandboxes and what the government goal is in the sandbox” Adam Zable, Research Fellow, The GovLab
Whether regulatory, operational or hybrid, the design stage of a sandbox is very important and can impact intended results.
When setting up a sandbox, a regulator can face a range of questions in the preparatory phase, which is crucial to the success of any sandbox initiative. Questions may include: How to define the purpose of the sandbox? Who are the stakeholders that need to be included? What type of data may need to be accessed? How will security be ensured? Who will be in charge of managing risk and deployment? A sandbox may also need to include multiple regulators, as one technological solution may cut across many different sectors.
The preparation phase of sandbox design is also important from a communication standpoint. The goal of a sandbox needs to be communicated clearly to ensure the most relevant applications apply or are invited to participate.
“As the Data Protection Authority of Brazil, we have worked immensely on designing a sandbox process that is inclusive and launched a public consultation.” Thiago Guimarães Moraes, Specialist on AI Governance and Data Protection, Brazilian Data Protection Authority – ANPD
More resources are needed to support governments and SMEs interested in designing and participating in sandboxes. Sharing of practices and experiences among those who have sandbox experience is very important.
Sandboxes can be costly in terms of time and resources for regulatory authorities and participating SMEs or start-ups. While some regulators may have the resources to build teams and hire staff to design and manage a sandbox, smaller regulatory authorities may struggle to find the bandwidth. This makes discussion and knowledge sharing amongst regulatory peers important and many lessons can be drawn from sandbox experiences across sectors and geographies.
While there is generally little documentation on sandboxes and their results, some regulators do invest in reporting on the outcomes and findings of sandboxes to make these learnings publicly accessible. For example, the government of Norway produced a podcast on their sandbox as a way to communicate about the work to the public.
The European Union’s AI Act states that member states should ensure that their competent authorities establish at least one AI regulatory sandbox which shall be operational by 2026. Governments within the EU with few resources may find this challenging due to the resource burden, and some regulators could risk being left behind.
“Regulatory sandboxes as described in the EU AI Act are a very expensive exercise when we are looking at this from the perspective of a member state” Katerina Yordanova, Senior Legal Expert, KU Leuven
The design of sandboxes must consider the incentives for participation and the need for trust building and transparency.
Sandboxes rely on the participation of non-governmental actors, including companies who may be invited to “test” a service or product within a sandbox. There is therefore a need for trust in the sandbox process. In certain environments or contexts, the private sector may have a high appetite to participate in a sandbox as a way to ensure legal clarity or to gain a “stamp of approval”, but there may also be many cases where companies are wary about regulatory scrutiny or intellectual property infringements.
Regulators can help address concerns by clearly articulating the goals and format of the sandbox and offering protections and confidentiality. When regulatory flexibility cannot be offered, some regulators may also offer financial incentives to participate in sandboxes for SMEs or offer to share data-sets that can be useful for innovators when developing their products.
“Incentives for sandbox participation can move beyond regulatory clarity but also take the form of data access and sharing. Regulators must be well equipped to run a sandbox and take the necessary steps for due diligence and fostering an understanding of what they are regulating” Morine Amutorine, Research Associate, Datasphere Initiative
Learn more
- 5 minute introduction to sandboxes by the Datasphere Initiative
- Sandboxes for Data Report by the Datasphere Initiative
- About the Internet Governance Forum