Sandboxes are becoming an increasingly important testing tool to identify and address challenges associated with emerging technology. A few governments have already set up sandboxes to better understand the impact of potential regulatory frameworks. However, there is still a long way to go before sandboxes are fully embraced to help actually design data policy frameworks, especially in a cross-border regulatory context. More dialogue, education, and investment in active testing are needed to fully bring their potential to life.
A workshop held at the Internet Governance Forum in Kyoto, Japan on October 10, 2023, organized by Brazil’s Data Protection Authority Autoridade Nacional de Proteção de Dados (ANPD) and the Datasphere Initiative sought to debunk some of the myths around sandboxes and bring policymakers, private sector, academia, and civil society together in an exchange. This blog explores common misconceptions surrounding sandboxes and their potential to tackle data policy issues regulators face.
#Myth 1 – There is one definition of a “sandbox”
No sandbox will be the same and depending on who you ask, the definition of a sandbox is different. This shouldn’t alarm stakeholders but rather fuel openness and enable sandboxes to be used as an anchor for policy prototyping.
“There is not one definition of a “sandbox” – you can make it your own and make it fit your own purposes,” said Kari Laumann, Head of Section for Research, Analysis and Policy & Project Manager for the Regulatory Sandbox, Norwegian Data Protection Authority.
In the report Sandboxes for Data: Creating spaces for agile solutions across borders, the Datasphere Initiative also stipulated that there are two types of sandboxes: “operational” or “regulatory”. Broadly speaking, operational sandboxes are testing environments where hosted data can be accessed and used, while regulatory sandboxes are collaborative processes where regulators and firms evaluate new technologies within a regulatory framework. More succinctly, operational sandboxes actually handle data, and regulatory sandboxes provide dialogue and guidance on how data is handled.
#Myth 2 – Regulators need specific skills to start a sandbox
There’s not one skill-set that regulators need to set-up a sandbox. Because all sandboxes are very different in nature, issue, and design, there are no particular skills required apart from regulators having the understanding and knowledge about what a sandbox is and an approach to take.
Speakers at the IGF workshop shared how governments have been calling on each other to share experiences with sandboxes as many lessons can be transferable even across geographies, cultures, sectors, and policy issues. A challenge that governments often experience is rather the regulation constraints to implement sandboxes and engage purposefully with stakeholders.
“People are still afraid about what resources and skills are necessary for sandboxes, under the impression you need to be a sophisticated regulator to deploy a sandbox,” shared Lorrayne Porciuncula, Executive Director, Datasphere Initiative.
With the support of the Hewlett Foundation, the Datasphere Initiative has prepared an Online Guide to Cross-border Sandboxes for Data. This online course builds on the report Sandboxes for Data: Creating spaces for agile solutions across borders and provides a policy roadmap for regulators looking to start a sandbox related to data. With an entire module on Africa in the context of the Datasphere Initiative’s Africa Forum on Sandboxes, the course offers a first step to understanding the opportunities and risks of setting up a data sandbox.
#Myth 3 – Sandboxes are a way to deregulate
Sandboxes can help regulators better understand a problem. This can clarify policy challenges or new tech applications and how to develop user safeguards. Sandboxes can promote responsible data governance and AI innovation by understanding the impact of technologies and regulatory capacities. Bringing together different actors into regulatory discussions, sandboxes can create a space where innovative ideas can flourish while safeguarding privacy and data protection.
“We view sandboxes as a crucial tool to support industry and help them find appropriate safeguards for the user,” said Denise Wong, Assistant Chief Executive, Data Innovation & Protection Group, Singapore Infocomm Media Development Authority (IMDA).
“As policymakers, we want to be flexible, dynamic and respond to changes needed in regulatory frameworks,” said Agnes Vaiciukeviciute, Deputy Minister of Transport & Communications of the Republic of Lithuania.
For example, Brazil’s Data Protection Authority Autoridade Nacional de Proteção de Dados (ANPD) has launched a consultation on a Regulatory Sandbox on AI and Data Protection in Brazil. In this case, given the complexity of the subject, a sandbox will be used as a regulatory tool to obtain elements for the elaboration of regulation, increase algorithmic transparency, and foster responsible AI innovation, among other objectives. In the call for contributions, open until November 1, 2023, information and data relevant to the regulatory sandbox will be collected to understand the perspectives of different interested sectors that might be affected by future regulation regarding Artificial Intelligence and data protection, in addition to other benefits listed in this analysis.
Another interesting resource on Regulatory Sandboxes in AI is this OECD report released this year, which points out opportunities, challenges, and policy considerations for AI sandboxes.
#Myth 4 – There aren’t many examples of sandboxes out there to learn from
Often with many new technologies or policy approaches, investors or regulators hold their breadth to anticipate how the market or legal environment will react to first initiatives before launching their own. This might be the case for data sandboxes where the complexity and nuance of policy dynamics often with technical implications or cross-cutting risks can stifle innovation or address a problem head-on. While not often showcased, there are many interesting examples of sandboxes and useful lessons learned that could help support other initiatives.
For example, through the FutureFlow sandbox, the UK’s Information Commissioner (ICO) got valuable insight into the financial sector and how banks and other financial institutions might choose to leverage and share data to detect financial crime. In 2020 the National Bank of Angola set up a sandbox to allow fintech start-ups to test their products and services in a real market environment, providing guidance on regulations, and helping form new laws. This was followed by a Fintech “Regulatory Sandbox” platform in 2023.
“We seek to create a space where innovative ideas can flourish while safeguarding privacy and data protection,” mentioned Thiago Moraes, Coordinator of Innovation and Research, Brazil’s Data Protection Authority, Autoridade Nacional de Proteção de Dados (ANPD).
#Myth 5 – Everyone is talking about sandboxes
On the one hand, increasing numbers of regulators are talking about sandboxes and starting consultations and initiatives to take forward and design such approaches. For example, the European Commission has launched various sandbox consultations and initiatives from blockchain to AI. On the other hand, opportunities for recurring or structured dialogue across countries and regions are sorely lacking. Without such a space, knowledge sharing, capacity building, and collaboration are lost. “Sandboxing” sandboxes could reduce costs and share resources on what can be possible. More experimentation and sharing of experiences could help unpack the opportunities and challenges of setting up sandboxes for data in a particular sector or regulatory environment.
The Datasphere Initiative plans to launch a Global Sandboxes Forum, to bring together a global cross-sectoral community of experts to design cross-border sandboxes for data, build trust, and share experiences. The goal of such a forum would be to bring: 1) More cross-sectoral innovation, involving different and potentially conflicting national regulatory frameworks, 2) Increased data availability, accessibility, and shared technical standards, 3) The creation of digital public goods through new data intermediary models, 4) More robust and diverse coalitions of stakeholders than what has been seen to date.