Sandboxes for Data Governance: Global Responsible Innovation | IGF 2023 WS #279

10 Oct 2023 05:00h - 06:30h UTC

Event report

Speakers and Moderators

Speakers:
  • Armando Guío, Technical Community, Western European and Others Group (WEOG)
  • Lee Chein Inn, Government, Asia-Pacific Group
  • Kari Laumann, Government, Western European and Others Group (WEOG)
  • Ololade Shyllon, Private Sector, African Group
  • Lorrayne Porciuncula, Civil Society, Latin American and Caribbean Group (GRULAC)
Moderators:
  • Moraes Thiago, Government, Latin American and Caribbean Group (GRULAC)

Table of contents

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Ololade Shyllon

The utilization of sandboxes, which are regulatory frameworks that permit controlled experimentation and innovation in the financial technology (FinTech) sector, has encountered challenges in Africa and the Middle East. Presently, there are only one or two FinTech-related sandboxes in the region, indicating a slow start in this field. This lack of progress is viewed negatively.

However, there is recognition of the necessity for positive outcomes regarding sandboxes across the entire region. Sandboxes can provide a conducive environment to test new ideas, products, and services. Fostering innovation in the FinTech sector is considered crucial for economic growth and development.

In terms of regulatory collaboration and policy-making, there is a positive sentiment towards regional cooperation. This collaboration can enhance the understanding of the FinTech ecosystem and enable stakeholders to learn from one another. By working across borders, stakeholders can share insights and enrich their collective understanding. Moreover, the existence of global treaties provides a basis for common rules, despite variations in individual legal systems. This regional collaboration is seen as a proactive step towards achieving the Sustainable Development Goals (SDG) related to industry, innovation, and infrastructure (SDG 9) as well as partnerships for the goals (SDG 17).

Advocates for a harmonised approach to regulation and policy-making believe that this method can yield positive outcomes. Specifically, the organisation META supports and promotes a harmonised approach, emphasising the importance of collaboration and experimentation. By identifying basic principles applicable globally, a harmonised approach can help to create a more cohesive regulatory environment.

However, the likelihood of increasing harmonisation beyond the national level is deemed to be complex. This complexity arises from various challenges, such as differences in legal systems and the unique data governance challenges faced in the region. Despite the challenges, sandboxes are considered crucial in stimulating innovation within Africa and the Middle East. Implementing sandboxes requires significant resources and time, given the nascent stage of data governance in the region. Nevertheless, the potential benefits and importance of fostering innovation drive the push for sandboxes.

In conclusion, sandboxes in Africa and the Middle East have faced challenges in their establishment. However, there is a recognised need for positive outcomes regarding sandboxes across the region. Regional collaboration in regulation and policy-making is seen as a means to better understand the FinTech ecosystem. Advocates for a harmonised approach believe it can contribute to a more coherent regulatory environment. Despite the complexity and challenges, sandboxes are seen as crucial for stimulating innovation.

Dennis Wong

Singapore has been implementing sandboxes as a policy mechanism to experiment with uncertain applications and technologies. These sandboxes are widely used to explore frontier technologies and collaborate with the industry to ensure clarity and compliance. The use of sandboxes has proved beneficial, providing confidence in data protection, accelerating the deployment of technologies, facilitating regulatory guidance, and promoting business collaborations. Sandboxes also contribute to regulatory understanding and transparency, as the findings from sandbox experiments are published, offering insights into regulatory issues.

It is important to note that sandboxes are not designed for volume but for specific cases with clear objectives. They are intended to provide a safe environment for experimentation and to understand the underlying technology and industry needs more clearly. Sandboxes also facilitate the publication of the experimental findings, enabling regulators and other interested parties to gain a deeper understanding of the regulatory landscape.

However, the process of identifying technology players for companies can be time-consuming, particularly when companies have specific requirements such as a need for privacy-enhancing technology. In such cases, the process becomes longer and more involved.

While sandboxes offer valuable insights and guidance, there are also other policy innovation tools like policy clinics that can provide quicker advice on accountabilities. Policy clinics can expedite the process by offering timely guidance on accountability matters.

Coordinated efforts among regulators are crucial to address sector-specific challenges. If a regulatory question arises in the finance or healthcare sector, the respective authority is brought in to work jointly on addressing the issue. This emphasizes the need for collaboration and partnerships among regulators.

Furthermore, discussions related to sandboxes are primarily domestic but include industry players who operate globally. The sharing of learning and experiences from sandboxes is seen as essential, with the transferability of such knowledge being highly valued by stakeholders.

Dennis Wong, the Data Protection Deputy Commissioner and the Assistant Chief Executive of IMDA, supports broad conversations and principles that everyone can agree on. As interest in sandboxes as a regulatory tool grows, it leads to more tech conversations and meetings with interested regulators, promoting international collaboration.

It is important to understand that the regulatory sandbox is not a decision-making or exemption-providing mechanism. Instead, it serves as a dialogue-based guidance tool to explore areas of regulation where there may be uncertainty. The emphasis is on dynamic and agile regulatory development involving ongoing engagement and a back-and-forth process, rather than providing a final answer at the end.

To conclude, Singapore’s use of sandboxes as a policy mechanism for experimentation and regulation has proven beneficial in facilitating innovative solutions, promoting compliance, and fostering collaboration between industry and regulators. The findings from sandbox experiments offer valuable insights into regulatory issues, supporting the development of transparent and effective regulatory frameworks. Coordinated efforts, both domestically and internationally, are necessary to address sector-specific challenges and promote the transferability of knowledge gained from sandboxes. The regulatory sandbox, as a guidance tool, contributes to dynamic and agile regulatory development by facilitating ongoing engagement and dialogues.

Kari Laumann

During the discussion, the speakers emphasized the significance of learning from the experiences of others when it comes to implementing and operating sandboxes. They highlighted the importance of reaching out to experts in the field, such as the British Data Protection Authority (ICO), to gather insights and knowledge. The speakers stressed that sharing information and learning from established sandboxes, like the one implemented by ICO, can greatly contribute to the success of a new sandbox.

The speakers also highlighted the need to adapt sandboxes to fit specific contexts when transferring them from one place to another. Cultural and other differences were cited as factors that necessitate customized adaptations. The speakers shared their experience of ensuring that the sandbox they learned from ICO was tailored to suit their own context, making it more effective in achieving their objectives.

Another key point raised during the discussion was the importance of tailoring the sandbox to the needs of the target audience. The speakers emphasized that while sharing information is crucial, it is equally important to create a sandbox that is tailored to the purposes and needs of the group it is meant for. This ensures that the sandbox effectively addresses the specific challenges and requirements of the target audience, maximizing its impact.

The regulatory sandbox was explored as a tool that offers guidance and clarity to companies. It allows for the exploration of areas of regulation where uncertainty exists. The speakers clarified that regulatory sandboxes do not provide exemptions or approvals, but rather facilitate the examination of regulatory gray areas within laws like the General Data Protection Regulation (GDPR). It was emphasized that regulations, including GDPR, continue to apply within the sandbox, ensuring that the applicable regulatory framework is not compromised.

Additionally, it was noted that organizations’ regulatory powers, such as those of META (presumably a regulatory authority), are strictly regulated by GDPR. This serves to maintain the integrity and accountability of regulatory bodies, ensuring that they comply with case handling and enforcement actions under GDPR.

In conclusion, the discussion highlighted the importance of learning from others’ experiences and adapting sandboxes to specific contexts. Tailoring the sandbox to the needs of the target audience and ensuring compliance with relevant regulations, like GDPR, are crucial factors in the successful implementation and operation of sandboxes. The exchange of insights and lessons learned from established sandboxes can greatly contribute to the effectiveness and impact of new sandboxes.

Pascal Koenig

During an online discussion on regulatory sandboxes, the participants emphasized the importance of learning from experiences and promoting international collaboration. There was a consensus on the need for sharing knowledge and transferring sandboxes from one context to another, while also acknowledging the need for adaptation. One example cited was Denise’s sandbox, which provided inspiration to others. The significance of cross-border data flows and enabling collaboration between regulators and authorities were also highlighted. The possibility of increasing harmonization of sandboxes on a regional level was discussed, with different perspectives on likelihood. Overall, the discussion focused on the importance of learning, collaboration, and potential harmonization to advance regulatory sandboxes globally.

Lorrayne Porciuncula

This comprehensive analysis delves into the topic of regulatory sandboxes, which are viewed as a means of policy prototyping for experimentation purposes. It highlights several key points that demonstrate the significance and potential of sandboxes in various contexts.

One important aspect discussed is the diverse skills required for the successful deployment of sandboxes. The analysis emphasizes that there is no single skill or set of skills that is universally applicable to all sandboxes and use cases. Instead, the skills needed depend on factors such as national jurisdiction, institutional framework, and the specific issue being addressed. This insight underscores the flexibility and adaptability of sandboxes, allowing them to be tailored to different circumstances.

Stakeholder engagement is another critical factor highlighted in the analysis. It argues that sandboxes should be designed to engage stakeholders from the very beginning, during the design phase. This approach fosters institutional trust and ensures that the sandboxing process is inclusive and representative of diverse perspectives. The analysis contrasts this approach with the current state of sandbox development, which often involves merely posting a consultation online and then leaving it. Instead, it suggests a more iterative and hands-on process that actively involves stakeholders throughout the sandbox implementation.

The analysis also focuses on the importance of capacity building and the creation of a community of practice to share best practices and reduce the cost of implementing sandboxes. It mentions a project in Africa that aims to build such a community through a Sandbox Forum. The forum’s approach prioritizes direct engagement and practical application over theoretical discussions, reinforcing the need for a collaborative and action-oriented approach to sandboxing.

Evaluation of sandbox implementation is another crucial aspect discussed in the analysis. It emphasizes the need to measure and monitor sandbox success using different methods. Factors influencing sandboxing success include stakeholder involvement, risk mitigation, and the technology used. Sharing this knowledge and evaluating sandbox outcomes can lead to improvements in the sandboxing process overall, enhancing its effectiveness in promoting innovation and achieving desired outcomes.

The analysis also explores the role of sandboxes in regulatory frameworks, particularly in the fintech sector. It highlights how sandboxes allow regulators to go beyond traditionally regulated entities, as exemplified by the success of open calls for different companies and innovative solutions in fintech sandboxes, such as Brazil’s PIX payment system. Ensuring fairness and avoiding regulatory capture are identified as important considerations in sandbox implementation.

Mitigating the risk of bias and regulatory capture in sandboxes is further discussed in the analysis. It suggests that regulatory frameworks should be aware of these risks and develop appropriate measures to anticipate and address them. Open conversations about best practices and framework setup are considered essential in this regard.

The analysis also underscores the impact of international collaboration in the deployment of regulatory sandboxes. It highlights the potential of cross-border perspectives to enhance the understanding and deployment of privacy-enhancing technologies and data intermediaries. Furthermore, it notes that new trade agreements can create opportunities for testing business, societal, and regulatory issues among participating countries. This observation emphasizes the crucial role of international cooperation in addressing complex issues related to innovation, data protection, public health, and climate change.

In conclusion, this analysis advocates for a comprehensive and inclusive approach to regulatory sandboxes. It emphasizes the need for diverse skills, stakeholder engagement, capacity building, evaluation, fairness, and international collaboration. By adopting such an approach, regulatory sandboxes have the potential to foster innovation, reduce inequalities, and tackle complex global challenges. The analysis provides valuable insights and recommendations for policymakers, regulators, and stakeholders involved in the design and implementation of regulatory sandboxes.

Moraes Thiago

The speakers highlighted several important points regarding sandbox initiatives in the analysis. One of the main points emphasized the need to foster dynamic discussions on strategies that stimulate innovation while upholding human values. It was acknowledged that sandbox initiatives play a significant role in promoting innovation and ensuring adherence to fundamental values of humanity. The primary goal of this session was to encourage a dynamic discussion among all relevant stakeholders.

Another significant point discussed in the analysis was the launch of the ANPD Regulatory Sandbox on AI and Data Protection. This initiative was created in collaboration with partners like CAF Consultants, aiming to provide a space for innovative ideas while safeguarding individual privacy and data protection. It was recognized that striking a balance between promoting innovation and protecting privacy is crucial in the development of sandbox initiatives.

The importance of international collaborations in shaping the future landscape of sandboxes was also emphasized. It was acknowledged that international collaborations play a crucial role in shaping the future of data governance and AI innovation. Collaboration among different countries and stakeholders is seen as a key driver for advancing regulatory sandboxes and ensuring collective progress.

Furthermore, the analysis highlighted that the call for contributions for the ANPD Regulatory Sandbox will be inclusive by accepting submissions in English. This inclusivity in language aims to make the dialogue more accessible and enable a broader range of stakeholders to participate. By accepting submissions in English, the call for contributions aims to reduce barriers and promote a more inclusive and diverse discussion.

In conclusion, the analysis underlined the significance of sandbox initiatives in stimulating innovation and upholding human values. The launch of the ANPD Regulatory Sandbox on AI and Data Protection aims to strike a balance between innovation and privacy protection. International collaborations were recognized as an essential element in shaping the future of data governance and AI innovation. Lastly, the call for contributions being inclusive and accepting submissions in English adds to the accessibility and diversity of the dialogue.

Axel Klapp-Hacke

Data is considered a critical asset for economic growth and sustainable development. It provides valuable insights for decision-making in areas such as food security, climate change mitigation, and health policies. Data empowers policymakers and private organizations to allocate resources effectively, solve problems, and prepare for risks. However, to ensure the fair and responsible use of data, regulatory frameworks that protect data sovereignty and security need to be strengthened. These frameworks strike a balance between reaping the benefits of data utilization and safeguarding citizens’ rights. Additionally, data and artificial intelligence (AI) have great potential in achieving the Sustainable Development Goals (SDGs). They can facilitate the delivery of medical services, increase efficiency in agriculture, and improve food security, contributing to broader sustainable development objectives. Regulatory sandboxes are also discussed as a means to promote a free, fair, and open data economy. These sandboxes provide a controlled environment for testing and developing innovative solutions while complying with regulatory requirements. By embracing the full potential of the data economy through regulatory frameworks and innovative approaches like sandboxes, we can harness the transformative power of data for economic growth and sustainable development.

Agne Vaiciukeviciute

GovTech sandboxes have emerged as a key component of Lithuania’s innovation ecosystem. These sandboxes, initiated in 2019, have received recognition at the European level for their positive impact on public governance. They provide a controlled environment for testing and implementing innovative solutions in the government sector. Several artificial intelligence (AI) solutions are currently being used by the Lithuanian government, demonstrating the success of GovTech sandboxes in driving technological advancements.

Lithuania places great emphasis on the potential of 5G technologies for innovation. With 90% coverage of the population, Lithuania has invested over 24 million euros in 5G-based projects, with more than 53 projects worth over 124 million euros in the pipeline. The government’s proactive approach to investing in 5G technologies reflects their commitment to harnessing the power of emerging technologies.

The Lithuanian government advocates for a flexible and adaptive regulatory framework that responds to technological innovation. The Sandbox regime in Lithuania enables the government to adapt regulations in line with advancements in technology. This fosters a regulatory environment that supports innovation and allows for the exploration of new possibilities.

To ensure unbiased and inclusive solutions, Lithuania mandates the participation of diverse stakeholders, including higher education institutions and civil society, in the sandboxes. This approach prevents a one-sided approach in the sandbox solutions and promotes fair outcomes in the innovation process.

In Lithuania, sandboxes primarily focus on mature technologies and ideas rather than early-stage testing. This strategic approach ensures that the sandboxes are effectively used to advance technologies with strong potential for real-world implementation.

While collaboration with other countries, such as the United Kingdom, for the establishment of sandboxes is valued, Lithuania recognizes that harmonization may not be necessary in the short-term. Cross-border collaboration is seen as more beneficial, allowing countries to work together and learn from each other’s experiences.

Learning from experiences and sharing knowledge is considered crucial for the regulation of innovations. Collaborations with the UK have provided valuable insights into the establishment and operation of sandboxes. The importance of learning from experiences is highlighted, although it is too early to implement harmonization as the concept of sandboxes is still actively being discussed.

Sandboxes are viewed as a vital tool in Lithuania to test and validate innovations. Government policies are closely aligned with the process of sandbox testing, and policy-makers work closely with those involved in testing systems. This reflects the country’s commitment to fostering innovation and ensuring that policies and regulations are effective in real-world scenarios.

The need for regulations to be dynamic and adaptable to reality is emphasized in Lithuania. Existing regulations without practical use cases indicate a disconnect with the evolving technology landscape. Additionally, sandbox testing may uncover failures or unforeseen challenges, further highlighting the necessity of regulatory adaptability.

In conclusion, GovTech sandboxes have become a central part of Lithuania’s innovation ecosystem, receiving recognition and awards for their positive impact on public governance. The country’s focus on 5G technologies, flexible regulatory frameworks, diverse stakeholder participation, and testing mature technologies in the sandboxes demonstrate their commitment to fostering innovation. Collaborations with other countries, learning from experiences, and the importance of dynamic regulations contribute to Lithuania’s progressive approach to driving technological advancements.

Audience

The discussion focused on the use of sandboxes in different sectors and explored the advantages and concerns associated with their implementation. One pertinent aspect was the AI Act, which stipulates that a national authority should operate a national sandbox. However, concerns were raised regarding the practicality of implementing this legislation. Specifically, there were apprehensions about the significant amount of time and resources required to study and create a test base for each use case.

Sandboxes were also discussed in relation to their potential role in combatting misinformation. CNET, for example, has developed a sandbox specifically designed to address this issue. An audience member raised a question about how civil society can utilise CNET’s misinformation sandbox beyond government use. This prompted consideration of the broader applications and benefits of sandboxes, including their potential use in tracking and analysing the spread of technology-driven misinformation, as well as developing countermeasures.

The value of sandboxes as a space for companies to engage with civil society and build trust was highlighted. It was suggested that sandboxes could serve as a crucial preliminary step before implementing regulations. This approach allows for flexible collaboration between companies and civil society to find appropriate solutions and establish trust-building efforts.

The sandbox approach was deemed particularly useful in the early stages of policy development or policy interrogation, particularly for framing the problem at hand. This experimental tool offers a unique opportunity to explore different policy options, and was seen as an effective way to address complex regulatory challenges.

However, limitations in participation were raised as a potential issue. Due to their nature, the number of firms that can participate in a sandbox is inevitably limited. This could restrict the diversity and inclusivity of the sandbox ecosystem.

Ensuring fairness and preventing distortion of competition were also identified as important considerations when implementing sandboxes. It was questioned how to guarantee that participation in sandboxes does not result in unfair advantages for certain companies. This issue underscores the importance of maintaining a level playing field and reducing inequalities.

Moreover, concerns were expressed about potential regulatory capture in the sandbox process due to the close interaction between regulatory authorities and participating companies. It was highlighted that mechanisms need to be established to prevent regulatory capture and maintain impartiality.

Additionally, the timeframe for operationalising a sandbox was raised as a concern. Some participants questioned the readiness and strictness of regulators in intervening effectively and efficiently.

Overall, the discussion called for advocacy towards adopting flexible, scalable, and dynamic regulatory methods. Sandboxes were viewed as one of the tools to achieve these objectives. While they offer important benefits, such as fostering conversations between regulators and breaking concentration in smaller financial sectors, the limitations and challenges associated with their implementation must be carefully considered to optimise their potential impact.

An interesting observation from the discussion is that sandboxes can facilitate the growth of digital banks and electronic money issuers. As seen in the case of Pakistan, sandboxes enabled these emerging financial entities by providing a regulated environment in which they could operate.

In conclusion, the use of sandboxes in various sectors offers both benefits and challenges. While they provide a space for experimentation, innovation, and collaboration, concerns exist regarding implementation, participation limits, fairness, regulatory capture, and operationalisation. Efforts must be made to address these concerns, and sandboxes should be integrated into a broader regulatory framework that promotes inclusivity, fairness, and effective policy development.

Armando Guío

Regulatory sandboxes are gaining attention as an effective solution for addressing regulatory concerns related to Artificial Intelligence (AI) and data. These sandboxes, which are being implemented worldwide, provide a controlled environment for testing and evaluating innovative technologies without rigid regulatory constraints. They have the potential to facilitate the development and implementation of responsible and ethical AI and data practices.

Different countries have adopted unique approaches to implementing regulatory sandboxes. The fintech sector, in particular, has been a strong advocate and driver of regulatory sandboxes. The experiences of countries such as Brazil, Lithuania, Ethiopia, Germany, Norway, and Singapore have been discussed in relation to their sandbox implementations. These discussions aim to learn from the successes and challenges faced by these countries and inform the development of best practices.

Regulatory sandboxes offer the opportunity for authorities to better understand the real impact of emerging technologies, such as AI and data, particularly in areas like privacy protection, misinformation, and digital power concentration. By providing a controlled environment, sandboxes enable authorities to assess the effectiveness of their regulatory measures and develop capacities to effectively tackle these major regulatory questions. However, there are ongoing debates about whether regulatory sandboxes alone are enough to develop the necessary capacities, and whether expensive and time-consuming sandboxes are beneficial for all authorities.

The value of data is highlighted as an important consideration in future discussions regarding regulatory sandboxes. The experiences of Latin American governments, who have been studying the Singaporean Sandbox, have been particularly influential. The Singaporean Sandbox is regarded as pivotal and offers a balance between flexibility, responsibility, and unlocking data value. By studying its implementation, other countries can gain insights into how to effectively leverage data and strike the right balance between innovation and regulation.

In addition to addressing AI and data concerns, sandboxes also play a crucial role in tackling misinformation. They provide a flexible and neutral space for collaboration between companies, governments, and civil societies to explore and develop effective measures to address the harmful impact of misinformation. By fostering interaction, investigation, and the exchange of ideas, sandboxes serve as a stepping stone towards implementing robust regulatory measures.

Advocates stress the importance of a multi-stakeholder approach in tackling misinformation, involving civil societies, companies, and governments. Civil societies, in particular, have been recognized for their valuable contributions in this area. By working together, these stakeholders can collaboratively develop effective strategies to combat misinformation and promote responsible information sharing.

Overall, regulatory sandboxes are regarded as valuable tools in building trust and understanding before introducing regulatory measures. They create a space for experimentation and collaboration, allowing authorities to assess the impact, feasibility, and effectiveness of their regulations. However, caution must be exercised in terms of their costs and effectiveness. It is crucial for countries to consider their individual capacities and circumstances before implementing sandboxes as a regulatory solution.

Session transcript

Axel Klapp-Hacke:
all of you here to today’s session on Sandboxes for Data Governance, Global Responsible Innovation. My name is Axel Klapp-Hacke. I’m a Director for Economic and Social Development and Digitalization at GIZ headquarters based in Germany. Data for sure is one of the most strategic assets for both economic growth and sustainable development. It can provide key insights to make better decisions around food, security, climate change mitigation, or health policies. Hence, data can help policymakers and private organizations to better allocate resources, solve problems, and prepare for risks. And as the backbone of AI application, its potential for the achievement of the SDGs cannot be underestimated. But for the use of data to benefit all, data sovereignty and data security need to be strengthened. We need regulatory frameworks that help reap the benefits of data while protecting citizens, and I think that is the key assumption of this and the starting point of this session. This panel gathers experts from around the world to discuss how regulatory sandboxes can unlock the value of data for all and promote responsible innovation in AI. I’m very delighted to welcome on this panel today Deputy Minister of Transport and Communication Agne Wajciukiewicz. So, I knew it would be very challenging and I was trying to pronounce it a bit correctly. Now, very welcome, very happy to have you here. From Deputy Minister from Lithuania and she focuses among others on innovation and open data and she will share her perspectives in a few minutes time. We also welcome Dennis Wong as the Deputy Commissioner at the Personal Data Protection Commission of Singapore. She manages the formulation and implementation of policies relating to the protection of personal data. We also welcome, I think she is joining virtually, Skadi Lauman. She is the Head of Section for Research Analysis and Policy and Project Manager for a regulatory sandbox for the Norwegian Data Protection Authority. She collaborated with stakeholders in the AI industry in Norway and is one of the team members ahead of AI regulations in her country. And then we also welcome Lorraine Poggiankula. She is here on the panel. She is the Co-Founder and Executive Director of the Data Sphere Initiative. An international non-profit foundation with a mission to responsibly unlock the value of data for all. She is an affiliate at Harvard Berkman Klein Center for Internet and Society at Harvard University. And last but not least, we have Olalade Shilon. She’s also here on the panel. She’s the Head of Privacy Policy across Africa, the Middle East and Turkey for META. She is a human rights lawyer who has focused on privacy, access to information and freedom of expression. Our panel this afternoon will be moderated by our friend Armando Guillo, who is an affiliate at Berkman Klein Center for the Internet and Society and doctoral candidate at the Technical University of Munich, focusing on social sciences and technology. And finally, we also welcome our online moderator. Hello Pascal, Pascal Koenig, GIZ colleague. He is a Planning Officer at the GIZ Headquarters. He has served as the John F. Kennedy Memorial Fellow at the Minna de Gunzburg Center for European Studies. And he’s also a postdoctoral researcher at TU Technical University Kaiserslautern. Together, they will discuss now the roles of regulatory sandboxes in the promotion of responsible data governance and AI innovation. Secondly, a regional perspective on the enablers and challenges of implementing those sandboxes. And thirdly, the issue of international collaboration on those regulatory sandboxes. As GIZ, we are very, very happy to facilitate this discussion and to support this session. Regulatory sandboxes can be really a great tool to promote regulation for a free, fair, free and open data economy. In this way, the potential of data and AI can be used to achieve the SDGs. They can facilitate medical service delivery, increase efficiency in agriculture and improve food security. Thank you very much, and please enjoy this wonderful session. And now, over to you.

Armando Guío:
Thank you very much. Thank you, Axel, for your kind introductions. And it’s a real pleasure to be here in such a distinguished panel with these experts on the area of regulatory sandboxes, which are gaining a lot of attention and a lot of traction now. There is a lot of fuss about regulatory sandboxes becoming more important nowadays to deal with many of the regulatory questions there are regarding AI, data, many other technologies and innovations, and of course, that will have an impact on technology. And here, perhaps briefly, just as an introductory remark, I would like to provide this context on regulatory sandboxes. It’s not a comprehensive one in the way in which basically we have, and that’s one of the biggest challenges we have right now, a lot of definitions on what a regulatory sandbox is, how they work, how they’re being implemented, and these kind of questions that we’re going to be answering today perhaps are opening the floor for these kind of discussions to take place. So, we want to start, and that’s one of the basic elements that we have to be have very much in mind, is that regulatory sandboxes are having a lot of definitions, and there are many different ways on defining what a regulatory sandbox can be. You can see regulatory sandboxes that look like innovation labs, or that look like many other projects, which are not necessarily even related with regulation. Some others are related with regulatory questions, but are dealing with them in a very different way. So, here, just to take an approach of what the UN Secretary General’s Special Advocate for Inclusive Finance for Development defined as a sandbox, is that a sandbox is a regulatory approach, not even a space, but an approach typically summarized in writing and published that allows live, time-bound testing of innovations under a regulator’s oversight. That’s a definition. Yeah, and that’s perhaps a definition that some share, some will say not necessarily. I don’t see that it has to be a regulatory approach. Perhaps it’s a regulatory experimentation space or an ecosystem of experimentation. That’s one of the challenges that we are facing right now, and that authorities around the world are facing with their approach to this kind of tool to deal with innovative regulatory measures. From there, we have this big question of how have authorities designed and implemented regulatory sandboxes around the world? And that’s a very interesting thing to analyze, and I have been able to look into this in some of my previous work. So, I have seen sandboxes that have been developed mainly by two people within an authority working on learning more about a technology, and this is called a sandbox. In some other countries, a whole sandbox unit is prepared for developing these kind of projects and developing and deploying an adequate sandbox, and we will hear from experiences from all around the world. We have the sandboxes also, and this is something interesting. Of course, we’re going to talk more on the data sandboxes, but we have seen sandboxes, of course, developing on the fintech sector. On the generative AI, of course, there’s all more attention on why sandboxes can be beneficial to understand many of the challenges posed by generative AI systems. And, of course, on the GovTech and public sectors. So, we have seen these areas and these areas of work as areas that can be of interest for many stakeholders that have been working on this. The fintech sector, of course, has been one of the leading sectors on developing regulatory sandboxes around the world, and that has been perhaps one of the biggest promoters of having sandboxes. Other authorities are trying to follow the same path now on many questions about IP, data protection, antitrust, and many other topics. We have seen, for example, in Latin America, sandboxes being developed. For example, in Brazil now, we have this public announcement, and we will hear from the colleagues from the Brazilian Data Protection Authority. They’re going to tell us a little bit more of these new generative AI sandbox and data protection that is going to be developed. At the same time, Columbia has this fintech regulatory sandbox, which has been also quite big, and a privacy-by-design and by-default sandbox being developed there. We have also sandboxes all around the globe. In Ethiopia, for example, we have seen a sandbox unit being developed there, which is going to be a big unit within the Central Bank of Ethiopia that is going to create some kind of regulatory experimentation environment. Germany, of course, also promoting many of the sandboxes, almost all of them at a regional level, and, of course, with this sandbox handbook that was developed some years ago, which has been quite influential not only in Germany, but in many other countries. At the same time, we have seen sandboxes in Kenya, so the Capital Markets Authority, they’re working on a very interesting fintech sandbox, which has also been quite important to develop the fintech ecosystem in the country, and Lithuania, of course, with the GOP regulatory sandbox for the public sector that we will hear more from the Vice-Minister. So that’s perhaps the whole representation that we want to have here, and many of the experts that are here have been very much involved into these kind of projects, have been working on them, so we have also, for example, the experience of Norway and Singapore working on data protection sandboxes, Singapore developing one of the first frameworks on how to have a regulatory sandbox on data protection and on AI governance, which was also very interesting, and Norway trying to open the black box and trying to develop this idea of more transparency with a regulatory sandbox in Norway for this specific purpose. So with this brief introduction and this brief context and definition of what a sandbox can be, it’s that we are facing now this big question on the relationship between regulatory sandboxes and internet governance. What’s there? Why are we talking about regulatory sandboxes in this specific forum, and when we are talking about technologies such as AI, and when we are talking about the future of data and data protection? Basically, because we are having a lot of questions, so for example, three big topics such as privacy, protection, mis- and disinformation, and digital power concentration, which we definitely have to analyze. How are we going to analyze that, and the authorities are going to analyze that? That’s the biggest question. What are the decisions and the regulatory decisions to be made? That’s where sandboxes perhaps can be helpful to understand the real impact of these technologies, and what can be achieved with the current regulatory frameworks that we have? But that’s the question perhaps. Are regulatory sandboxes enough in order for authorities to develop capacities to deal with many of these big regulatory questions? What has been the experience of other countries that we have here and many other experts that have been working on different contexts that can help us to understand a little bit more about that? And that’s perhaps one of the other big questions that we have. Are sandboxes for all authorities around the world? Are sandboxes effective in any country, or there have to be some initial capacities within some countries and some initial elements for these kind of projects to be developed? With the GHC, with the German corporation, we have also been working on this, and with my colleague Pascal Koenig, also trying to answer some of these questions, because we believe that sandboxes can be expensive. You can spend a lot of time working on them. Are they effective? Are they going to be effective to answer many of these internet governance and many other questions about regulation of technologies such as AI and the use of data and data cross-border data flows and many other big questions on the future of these technologies? That’s what we would like to answer and discuss today. So, with that, I would like to start briefly with a video of the Data Protection Authority from Brazil, that they were very generous to send to us this video. They were very much involved in the preparation of this event. Unfortunately, they were not able to join us, but I think it’s also good to hear from them, and then we will start with the questions with the experts here and the experts on the Zoom room. So, I think we can start. Thank you.

Moraes Thiago:
Ladies and gentlemen, esteemed colleagues and distinguished guests, I stand before you today on behalf of the ANPD, the Brazilian Data Protection Authority, filled with immense gratitude and excitement as we co-organize this workshop in collaboration with our esteemed colleagues from the Berkman Klein Center and the Data Sphere Initiative. It’s a privilege to have the active engagement of representatives from various government bodies and methods. Together, we are embarking on a journey that’s not only significant, but crucial for the future of data governance and AI innovation. Our primary goal in this session is to foster a dynamic discussion among all relevant stakeholders. We aim to deliberate on strategies that can pave the way for the development of sandbox initiatives. Initiatives that not only stimulate innovation, but do so while upholding the fundamental values of humanity. In this session, we will delve into three key areas. First, we will explore the pivotal roles that regulatory sandboxes play in promoting responsible data governance and fostering innovation in the realm of AI. Second, we will examine a regional perspective, shedding light on the enablers and challenges faced in implementing these sandbox initiatives. Lastly, we will discuss the importance of international collaborations in shaping the future landscape of sandboxes. I am thrilled to announce a significant milestone in our journey towards responsible innovation. The launch of the call for contributions for the ANPD Regulatory Sandbox on AI and Data Protection. This initiative, crafted in collaboration with esteemed partners like CAF Consultants, including the distinguished Armando Guilho, who is today’s moderator in this session, seeks to create a space where innovative ideas can flourish while ensuring the safeguarding of individual privacy and data protection. I invite our esteemed panelists and the entire audience to contribute actively to this endeavor. Your valuable insights can shape the very foundation of how we approach AI and data protection. You can submit your contributions via our webpage, which you can access via the QR code presented on this screen. I am delighted to inform you that submissions can be made in English, allowing for a broader and more inclusive dialogue. As we embark on this collective journey of exploration and innovation, let us remember the profound impact our discussions can have on the future. Let us collaborate, ideate, and inspire one another. Together, we can create a future where innovation and ethics coexist harmoniously, fostering progress that benefits all of humanity. With that, I wish you all a very productive session. May our discussions today be illuminating, and may they pave the way for a future that we can all be proud of. Thank you.

Armando Guío:
Thank you. With that, we have this invitation from the Data Protection Authority from Brazil, this very exciting sandbox. We can move then to our first question, and perhaps here for our panelists and vice ministers, I would like to start perhaps with your approach to sandboxes and your experience on this work. For you, what is your practice concerning sandboxes? What are the benefits of sandboxes that you have seen in your experience in Lithuania and the work you are developing right now? It will be very much interesting to hear how the sandboxes have been evolving in your experience and what you have learned from that.

Agne Vaiciukeviciute:
Thank you very much for having me here. I think sandboxes is one of my passions, and while it’s very important to speak about the future of the Internet, it’s sometimes very important to speak on the practical matters, how all those innovations will bring closer to us. In Lithuania, you mentioned one of the good practices is GovTech sandboxes. These are a little bit more on my colleague’s side, but this is already an award-winning way of looking into problem solving. It started in Lithuania in 2019. I think last year it got an award on European level of sandboxes that helps for public governance, to solve issues within the governance, to make it more accessible to the customers. I just figured out I will maybe just tell you some of the examples. For example, there are some examples based on AI solutions to measure the quality of digital government in an innovative way, Kodami solution to automate the detection of illegal gambling operations online, Burbi solution to improve the environmental risk assessment of companies, Open Assessment Technology solution to perform remote examination for civil servants, and many, many solutions that are already used in Lithuanian governance in one or another way. I think that platform was so successful that from the government side, the investments into these kind of sandboxes grew, and now it became a huge part of innovation ecosystem in Lithuania. But what I would like to talk a little bit more, which is more on communication side. Countries these days invest a lot into infrastructure, especially infrastructure for 5G technologies, and we are doing the same. In Lithuania, we do have the coverage of 90% of population, almost the same as here in Japan. But when we want to see the value cycle, so to see the demand side, we do not see enough of technologies there. So I think that’s where the need of Sandbox is coming from. So what we did in this sense, we dedicated more than 24 million euros for applications and solutions based on 5G. And it concerning not only innovations in transport sector, but in any sector. So we are very happy of this possibility to do it a bit in a niche way. So it’s not coming from the whole innovation policy within Lithuania, but the initiative comes from the Ministry of Transport and Communication. So we really want to see what the 5G technology is capable of. And there is a lot of interest from business side, where we just called the tender. So just imagine maybe 53 projects are in the pipeline, more than 124 million euros worth of projects of testing. Testing within the Sandbox regime and in Lithuania, those new technologies and applications. I think why it was so interesting for the companies, because we created the Sandbox in the manner that technology and the result of the innovation will belong to the owners. The only wish from the government side is that the application, the testing side would be in Lithuania. And the idea is that we want as a policy makers to be able to be very flexible and dynamic and respond to all the innovations and changes needed in the regulation framework. And I think this is not only to create more applications on 5G technology based solutions and to solve some of the problems in Lithuania, as it is more of the exercise for the government as well to adapt on the regulation matter as well. So we are very, very excited on this Sandbox regime, because we do believe that now we kind of fill the whole value chain. So we’re not only creating the infrastructure, but we’re encouraging private sector as well as public companies to participate and create applications in autonomous driving, in healthcare, in all other industries. And we’ll see what’s gonna happen. I’m very happy and hope that at the middle of next year, we will see some very great results and we will be able to share about it. So maybe it is for first intervention, that’s it. And later on, we can continue. Thank you.

Armando Guío:
Thank you, Vice Minister. Very interesting to hear many of those, some of those points, especially on the flexibility, attracting the private sector, presenting the results of a Sandbox, which seems to be sometimes an easy task, but it is not as easy as we can imagine. And from there, that I would like to join to perhaps one of the Sandboxes I have been studying the most, and that basically I have been working with governments, especially in Latin America, and they always say, look at the Sandbox in Singapore. What are they doing in Singapore? And how the Singaporean Sandbox is working? How do they were able to achieve these results? And from that, Denise, we would like to hear from you, because your experience, of course, in Sandboxes has been pivotal for Sandboxes to become a reference around the world. I would like to hear, and we would like to hear perhaps some elements on that experience, and how do you think, especially a data protection Sandbox has been helpful to achieve this balance between being responsible, being also flexible, but at the same time, like unlocking the value of data, which is also very important for many of these future conversations that we’re having. So the floor is yours.

Dennis Wong:
Thank you. Thank you very much. And thanks for having me. As you’ve seen, Singapore has experimented in Sandboxes for quite some time. It’s been a very useful tool for us in policy experimentation, and also in experimentation of frontier technologies generally. We tend to use it as a policy mechanism where there are uncertainties in application, as well as use cases. And it’s very much a tool that we use in partnership with industry, where we need clarity on certain technologies or solutions surrounding different types of use cases. We also look at it where organisations need support for compliance, and also to understand the integrity of their business use cases, and their intended sort of business commercial pathways forward. I wear two hats, both as the Data Protection Deputy Commissioner, but also as the Assistant Chief Executive of IMDA. And in that role, I also look at data promotion and growth. And those are, to us, two sides of the same coin. And so we view Sandboxes as a crucial tool to support industry, but to also help them to find appropriate safeguards, guardrails, and protections for the end user. We’ve had a few Sandboxes for a while now. We specifically had a Data Regulatory Sandbox that eventually grew to become the Privacy Enhancing Technology Sandbox. And that’s been something that’s been running for about a year now. We’ve just closed the first stage of it. And I’d just like to highlight sort of pockets of benefits that we saw. There were certainly benefits to individuals because it gives them assurance and confidence that data’s not being misused. It helps with transparency and to flesh out sort of questions of ethical use. We find that with Sandboxing, experimenting in a safe environment cuts down time and efforts for technologies to be deployed. We also see benefits to the organizations that participate in our Sandboxes because they can safely experiment with cutting edge technologies that give them a competitive advantage. And of course, I mean, realistically, that’s what companies are trying to do. We find that organizations very often come to us to provide regulatory support and guidance. They want to understand the potential of technology solutions, but they also want to comply with what the regulator wants. And I think, interestingly, we also find, and this is talked about a little bit less, it also creates opportunities for B2B data collaborations. Very often, companies come with their own use case. They may not necessarily understand the ecosystem the way we see it from a more central point of view. And a lot of what we do in Sandboxes is also putting together different parties within that ecosystem, matching them to technology providers or to end users or to intermediaries that allows that sort of ecosystem to be created in a specific sort of sector or specific use case. That’s not to say we don’t benefit at all. We benefit a lot because it helps us as regulator understand about technology, understand what industry needs, and it allows us to focus on areas that could potentially require regulatory guidance. But I just want to clarify that we don’t necessarily think that Sandboxing must lead to regulatory guidance. For us, it’s just one of a broad range of policy levers and tools that we have. We do, as a modality, I don’t know whether I’m jumping forward a little bit, but do tend to publish use cases and reports at the end of each sort of experiment. And that in itself, sometimes it just ends there, but it gives the sort of sector and people who are interested a sense of what were the regulatory issues, what were the obligations and allocations of responsibility that arose out of us working through that use case. I would just say that as regulator, we do get our hands quite dirty. We do spend a lot of time working through the mechanics of each individual use case to try and understand what the concerns are, what the issues are. We bring other regulators on board where there are issues that don’t fall within our sort of purview. So it is quite an intensive process for us. Thank you.

Armando Guío:
Thank you, and it’s a very amazing experience, and of course, elements that you shared there. And with that, I think, so Lorraine, we have heard about this case. I don’t know if we can already call it a successful case of a sandbox being applied to data protection. We have seen some of the elements that have been used also in Lithuania for the development of the sandbox in Singapore. In your experience, you had work from the DataSphere Initiative, working with different governments, working on reports on how to build this kind of projects. What do you think governments should do? What are like that checklist of elements to develop sandboxes that have the capacities, that have the impact that we would like to see on such projects that have a lot of work to do, that have a lot of resources to be used? We want to be effective on those. What do you see are the best practices, perhaps?

Lorrayne Porciuncula:
Thank you so much for the question. And it’s a pleasure to be here in this panel because sandboxes is also a passion of mine. And so seeing one workshop that we get to discuss this in the IGF, it’s just a pleasure. So on the question on the skill, I think that there isn’t a particular set of skills or a skill that is needed for you to deploy a sandbox. I think there are as many skills as there are sandboxes and there are as many sandboxes as there are use cases because no sandbox is going to be the same depending on the national jurisdiction where it’s located, what’s the institutional framework, what are the core partners that we need to be involved? What is the issue that you’re trying to solve? What’s the timeframe? And the complexity of all of this is just makes it exponential, the number of different skills that you need to have and the people you need to bring in the house. And I think that’s sort of an important step into this mystifying what sandboxes are. And that’s sort of the campaign that I’m trying to lead from my own corner in the Datastore Initiative. We have a report that we published last year called Sandboxes for Data, Building Agile Spaces Across Border to addressing the issue. And in that report, we try to look into the good practices and I consume a lot of the reports that are coming out of experiences such as the one from the Singaporean government, but also in terms of what other actors are doing in different countries and trying to be systematic about understanding what has worked and what hasn’t. We’re still at the early stages of understanding how that can be deployed to other use cases, right? But there is a maturity in terms of trying to understand what are sandboxes and we can all agree that it’s an umbrella term that captures a whole lot of things, right? And I think depending on who you ask what sandboxes are, they’re going to have a different kind of definition and that’s okay. And we should be okay with it as well in terms of seeing it as an anchor for a policy prototyping for experimentation. And the second aspect that we’re looking to also is in terms of the potential of using this internationally, which I’m going to come to later in the panel. And what I realized is that having done that study and that analysis of the experiences internationally and then talking to a number of governments, there’s still a lot of, people are still very much afraid of what it means in terms of resources and skills that are necessary because they’re under the impression that’s something that you need to be a very sophisticated regulator in order to be able to deploy. And I think the first step is trying to exactly say that actually it should be simpler. It should be about looking at a different way in before you design policy and then regulation in terms of engaging stakeholders rather than doing something where it’s sufficient for you just to post a consultation online and then forget about it. How do you actually engage stakeholders from the design phase onwards? And how do you build that trust, that institutional trust with the private sector and civil society and technical community and government and regulators in order to come together and as Denise said, get their hands dirty. And that’s not something that a lot of institutions are prepared to do or have the frameworks that allow them to do it. So for me, it’s less about the skills in itself but rather than being allowed to do that, to actually engage purposefully with stakeholders. And this is an important part of the capacity building that we’re doing now and we are with the support of the Hewlett Foundation now started a project in Africa and through Africa Sandboxes Forum where we’re bringing together stakeholders to create that community of practice in terms of sharing what can be done and what are the issues that you would like to solve from a multi-stakeholder iterative fashion. And doing that in terms of we have a course which we design that takes you through in terms of what sandboxes are and their potential. So that’s an important part into sort of building that skill in terms of words and vocabulary that we are using in the space but also in terms of how do we turn this into practice. So rather than just being a talk shop where we’re talking to them about sandboxes and what it should be, we are actually in the best way of a sandbox bringing them together in terms of can we identify an issue that we can address and can we do so in a way that helps with issues that are relevant among different countries at the same time or different stakeholders through dedicated sandboxes that we are piloting and we’ll be simulating until next year onward. And I think that is a step in terms of just being able to define what are the appropriate stakeholders that need to be involved depending on the use cases, what are the technologies that might be necessary if you’re looking to operational sandboxes and to be transferred data as was mentioned. But also in terms of what are the arrangements in terms of mitigating risks that may emerge, what are the different kind of ways for you to look into measuring and monitoring and evaluating the success of that sandbox as well. And so we are in a process where we are, and I like to say, and I’m not joking, but it’s sandboxing sandboxes really in terms of how they can best function. And I would like to see a space where we are able to share more of those good practices so that we can reduce the cost of actually implementing those sandboxes in sharing resources among each other.

Armando Guío:
Thank you, Lorraine. And I really like this idea of exactly of sharing and we definitely should talk a little bit more later on the global forum for sandboxes and sharing these kind of ideas and having these kind of forums for this interaction. We have two colleagues, actually three colleagues that are on the Zoom connection and I think they’re in Africa and Europe and we would like to very much say good morning to them, I think. So I will start with Kari Laumann from the Data Protection Authority in Norway. Is Kari there?

Ololade Shyllon:
In terms of having like a, you know, good outcome in terms of sandboxes across the board. And just to flag, like I said earlier, that there’s been challenges with getting this going in the region. The only data related, so we have one or two FinTech related sandboxes in Africa as well as in the Middle East, but the only data related one so far started a couple of months ago in Saudi Arabia, still at very early stages of development. So there’s not much to sort of share about, you know, the lessons that were learned in that regard. I think I’ll stop here. Thank you very much.

Armando Guío:
Thank you. We wanted to also finish this first round with your remarks, which I think are very interesting because that idea of building trust among different stakeholders, it’s always a big challenge and I think it has a lot to do with the design of many of the sandboxes and the participation spaces that we have. And talking about also participation, we would like to open the floor for this first round on questions that you have. I think you can stand up over here to the microphones and please, if you could present briefly yourselves, give your name and your questions, we will be more than happy to hear you.

Audience:
Good morning. My name is Claudio Agosti, I’m a platform auditor. And mostly my question is for the expert from Singapore and from Finland. I’m concerned because soon the AI Act will be in place so that we exist a national authority, this national authority need to run a national sandbox. So the question is, in average, for a use case, how many days per person is necessary to study it and to create the test base? Because it seems that is the potential bottom line to handle a lot of cases.

Dennis Wong:
I think you’re right, we don’t handle a lot of cases. So to us, a sandbox is not a tool for volume. It’s not meant to, it’s not like a framework or policy where you set at the general principle level or even an obligation level, and then it applies to thousands or hundreds of thousands of cases. It’s a tool for a lot of cases. In a year, maybe we work on six to 10 cases where we are really just working through what the use case is. I think one of the things we find helps a lot is to set very clear use case objectives. So if it’s fairly tight in scope, the parties already know what they want to do. It’s really about just working through the accountabilities, then it is more straightforward, easier to do. If it’s about the use case, easier to do. If it’s about helping companies to find players, technology players, they know they need, they have a data problem, they want to use a privacy enhancing technology, they don’t know which one, that becomes a longer process, a more involved process, and it can take many months to sort through. So I would say, unfortunately, the way we do it, at least it’s fairly customized to the use case, and it can take usually an average of maybe three to six months to work through a use case. Sometimes even longer than that. But of course, we have other policy innovation tools such as policy clinics, where we’re just giving quick advice on how on accountabilities that one can be much faster.

Armando Guío:
Thank you. I have also additional small remark, but later.

Audience:
Good afternoon. This is A H M Bozulu Rahman, come from Bangladesh IGF. Thank you panel, thank you moderator and honourable minister. We learn so many thing regarding the sandbox from this session. I learn from your presentation, Mr. Moderator, CNET has developed one sandbox regarding the misinformation. So how can we utilize this sandbox regarding the misinformation from the civil society side apart from the government? Thank you.

Armando Guío:
Thank you. Well, that’s a big question. I think that we’re having sandboxes on misinformation. Definitely what we would like to analyze is to gather some good evidence on how these technologies are actually spreading misinformation and what kind of measures can be used. I think that’s one of the biggest questions that we have right now, like what are the kind of measures that can be used and how to implement some of those. That’s where sandboxes become so attractive because you have this kind of flexible space in which basically you can interact with some companies and basically try to make them get involved into these kind of questions, concerns. Let’s work together, let’s involve civil society that has been doing some great work on this area, and let’s try to show you basically what could be the measures there to put into place. I don’t know if the sandbox in misinformation is actually a sandbox on providing flexibility. I think it’s more on providing trust-building efforts and perhaps this multi-stakeholder approach, but that’s how I see it. I think there’s interest in many countries to start with this kind of work even before regulating because of course there’s a lot of regulatory pressure also. Why don’t we regulate these kind of practices? Sandboxes are seen perhaps as a first step before going into that. That’s how I think we will see some sandboxes and misinformation more and more, I think, in the near future. Thank you.

Audience:
Good afternoon. My name is Bertrand de la Chapelle. I’m with the Data Sphere Initiative. I just want to make a quick comment. The word umbrella term has been used, and I think it’s an illustration of the fact that the sandbox approach is a spirit of experimentation, and there is a growing toolkit or toolset for governments to experiment various approaches depending on the topics. You mentioned the clinics and so on. The consequence is that it is particularly adapted to the early stages of any policy development or policy interrogation, which is the agenda setting and the issue framing, which is a stage that is usually skipped because the moment people have identified a problem, they run to say, my solution is A, my solution is B, instead of taking enough time early on to frame the problem as a problem that people have in common rather than a problem that they have with each other. Thinking about sandboxing as sometimes an early tool to identify how to shape the problem before you get into drafting whatever guidelines, regulation, or just code of conduct is probably an important element in the sandbox approach.

Armando Guío:
Thank you. I don’t know if there are any reactions to that. Okay. Thank you.

Audience:
Yes, please. My name is Christian Rumsfeld from the OECD, and I have a question related to one of the risks or potential risks of sandboxes. Given their very nature, the number of firms that can participate in the sandbox are obviously limited, so the question is how can we make sure that there are no distortion of competition going on that is favoring those companies participating, and also how can we avoid regulatory capture given exactly that closer interaction between the regulator and the companies? And so, in general terms, how can we make the sandbox more fair and non-discriminatory? Thank you.

Lorrayne Porciuncula:
Thank you so much, Christian, for a great question. I know very well, having worked and written about sandboxes and all the risks that we actually need to balance, and that’s one of them, right, in terms of competition and regulatory capture, and I think that’s part of the process of trying to ensure that you’re building trust with a broad spectrum of stakeholders, and what’s interesting about sandboxes is that it does allow the regulator usually the flexibility to go beyond the traditionally regulated and regulated entities. That’s been the case around fintech, right, and so for those of you that know the experience around fintech, I mean, it’s a very regulated sector, right? Central banks have banks that they regulate, and that’s, I mean, financial institutions, and that’s a very tightly knit group. Here with the experience with fintech sandboxes, what happened is that they did open calls for different startups and companies to come in and provide different services and innovative services to answer to a demand or to a problem, and here there were telecom companies that came in, startups, a whole bunch of innovators, and the solutions that came through those fintech regulatory sandboxes has been really, really impressive in terms of providing, in the case of Brazil, for example, instantaneous payment system that right now four out of five adults use, so it’s the fastest growing payment system in the world. It’s called PIX, fastest growing than the ones in India and China, surprisingly, and it was the concerted effort that went beyond the traditional companies, the traditionally regulated companies, so in terms of spirit, it is something that it’s meant to be more encompassing than what a traditionally regulated sector looks like. Of course, there are risks that’s not going to be the case, that we’re going to choose our champions and just invite the ones that we know best, but I think being cognizant of that risk is a first step in terms of trying to mitigate it, particularly so there isn’t a regulatory capture, which is always a concern when we look into healthy regulatory frameworks. How do you build the governance of the spaces? Having more conversations in terms of good practices and also on the frameworks that we need to set up at least the minimum condition for regulatory sandboxes, I think is the first step to go to mitigate those risks and anticipate them.

Agne Vaiciukeviciute:
If I may just very shortly to add from Lithuanian perspective, what we’ve done so far as an obligation to participate in sandbox and get the financing for any testing purposes, there should be a group of stakeholders involved, so it’s obligatory to involve higher education institutions, someone from civil society, so there is a range of compositions that is an obligation to be a part of, so we don’t want to, I mean, I clearly understand the threat there, we don’t want to see one side of sandboxes and solutions, therefore the broader stakeholders group has to be involved, and I think that we clearly put it into the rules of participation just to avoid this obstacle.

Armando Guío:
Thank you. I will have to perhaps provide space for one more question, yes, and of course at the end I will, we will have the space, please, I’m so sorry about that, because we have also the online moderator and everything, so thank you.

Audience:
Thank you. Sandboxes in my experience actually break away the concentration that takes place usually in smaller, you know, like financial sector. I was on a committee as a tech lawyer for the Middle East, for Pakistan’s central bank, we did a, exactly right, innovation challenge fund, so there was money as well as the ability to have your idea, you know, sandboxed and approved, and what we noticed was that basically by going through that process we got, you know, start-ups, et cetera, nobody was interested in the money as much as they were interested in the approvals, and then the most amazing thing was that it had a multiplier effect, and I’ll speak about that in a second, but the more important thing was that it started having conversations between regulators, saying you’re not the only ones, you need to actually get approval from another regulator, so the conversations broadened, that was helpful for the ecosystem, and as a result of these things that happened, the central bank was confused about things like should we allow cloud in the financial sector, should we do core treasury systems on cloud, and electronic money issuers and digital banks were enabled because of this exercise, so that was very, very helpful, but I have a question, my question was what I just mentioned regarding the learnings between regulators, have you found that that has been something that you’ve also experienced, that, you know, there’s one regulator maybe that’s doing financial services and there’s other regulatory approvals that are required, and how do you interact and coordinate that effort when you do a sandbox, I’d love to know, thank you.

Dennis Wong:
It’s a great question, we do work, I would say more domestically, because as IMDA we hold the horizontal sort of regulations for data protection, but obviously in a use case of, often they are sectoral and vertical, so for example where we have a finance use case and a finance regulatory question comes up, we will bring in the monetary authority, for example, to sort of work out joint guidance, if it’s a healthcare one, then we’ll bring in the relevant regulator, because very often from the business’s point, or the industry’s point of view, there are regulatory questions, they don’t really care which regulator is going to answer the question, or they realise that it crosses different silos. So that’s also been a fairly sort of interesting way to solve problems, and it’s been quite a helpful exercise, not always the easiest, but I think quite important to move things forward.

Agne Vaiciukeviciute:
If I may just very shortly, it’s a very interesting topic, we could talk about it hours and hours. Once again, in Lithuania case, where we were focusing mostly, was there technologies or ideas which would be at the very high TRL, so we are not talking about sandboxes where the ideas are tested or tried on the very not mature sense, because the money is quite huge, we’re talking about the last TRLs that would later on be scaled on. So it’s really sometimes important to speak on what side of the sandboxes and the ideas maturity we’re talking at.

Armando Guío:
Thank you, thank you for all the questions, and hopefully we have some final minutes for those questions that are left, and many others. I will give the floor then to the online moderator, to Pascale Koenig, from the GAC, Pascale, the floor is yours, I know you have also some interesting questions and the challenge of making this in 30 minutes or less, so the floor is yours, and thank you for also joining, I know it’s early morning for you.

Pascal Koenig:
Yeah, thank you Armando, it’s my pleasure to join you online and to now direct you and guide you through the next set of questions, and I would like to shift the attention a bit and pick up on something that especially Lorraine has already commented upon, and that is I want to adopt a bit more of a regional perspective and look at aspects of international collaboration and cooperation. So my first question is, I’m interested in how important is it to learn from other experiences when implementing and operating a sandbox, and perhaps more specifically you can also say something about how transferable are sandboxes from one context to another, how much work has to go into adapting them when you transfer them, and since I’m online I would like to direct the first question to Kari.

Kari Laumann:
Yes, so I think we were one of the first data protection sandboxes in Europe, but there was one before us and that was the ICO, the British Data Protection Authority, so when we were starting our sandbox we did reach out to them and they were very generous in sharing their experiences and even documents, so we learned so much from them. Of course we had to adapt, we didn’t just implement because there are cultural differences, there are so many differences, so we did adapt it, but that was super useful, and I think also the spirit of sharing we have kind of carried with us, and we’ve had so many different countries in Europe and beyond reaching out to us because we’re one of the first sandboxes, so we’ve also tried to share all that we can from what we have learned and what we have built, and I think it’s been really useful since the sandbox concept is kind of new and a little bit fussy for a lot of people, so I think you know sharing their experiences that are there is very important, and I also agree with what has been said earlier in this panel that there’s not like one definition of sandbox, you can make it your own and make it fit your own purpose, so I think you know sharing is important, but also you know listening to the needs of the target group that you’re trying to reach is very important and tailor it to your own purposes.

Pascal Koenig:
Thanks very much for these insights, and for the panellists in presence I will also direct the question at you, also perhaps at Denise, since your sandbox has been an inspiration to others as we’ve heard before, what’s your perspective on the importance of sharing learning from experiences and the transferability of sandboxes?

Dennis Wong:
No, it’s a great question, I think so far I would say honestly a lot of it has been domestic focus, there isn’t an APEC or an ASEAN framework in the areas that we operate in, a lot of it was about helping industry, and we do work with industry players who operate all over the world, so there is an international element, but I think more and more as we have tech conversations like this, as we meet more and more interested regulators, as the interest in sandboxes grows as a regulatory tool, I think there is a lot that we can learn from each other, and a lot that we can learn from the use cases that we all sort of get our hands dirty on it and do, so very supportive of the sort of broader conversations and principles that we can all buy into, and I think absolutely a lot of these questions about data protection or misinformation or AI are transferable, just by the very nature of the theme, and so we have a lot that we can learn from each other.

Pascal Koenig:
Thank you very much, I would go one step further and also ask about in what ways can international collaboration and exchange on the regulatory sandboxes be most helpful for regulators, for authorities, what do you think are important areas for collaborating, which areas are especially important currently to advancement, and since Lorraine has already said a bit about the importance of exchange and collaboration, I would direct the question to you.

Lorrayne Porciuncula:
Thank you so much for the question, and I think it’s important to consider that while sandboxes have been deployed nationally, there’s so much potential, not only for sharing those experiences internationally, but also on co-constructing and building those internationally from a cross-border perspective. In the report that I mentioned that we published last year, we list a number of different areas where they could be tested, so for example in testing privacy-enhancing technologies, which was already mentioned here, but from a cross-border perspective, by looking as well through issues like new data intermediaries as well that are emerging, so think about the role of data fiduciaries, or for example data commons, data collaboratives that may exist in one country and may want to be certified or recognized in another jurisdiction, so how do we do that, how do we create that space that actually allows for this exchange of what are the minimum requirements, how do you actually get that transferred across borders as well, so we can think through technologies and issues that are more transversal that are emerging within the digital space, but also within more vertical sectors in terms of how cross-border sandboxes could be used, for example to address issues that are already included within trade agreements. Actually DIPA, which is a trade agreement, one of the new trade agreements, Digital Economy Partnership that Singapore is actually a signatory to, together with New Zealand and Chile, with Canada also acceding to it, includes already a provision on the potential of having a data sandbox within DIPA. Now no one knows how to do that right now, but it’s already included as a provision, and I see that I mean this new generation of trade agreements may as well include beyond the lengthy process that it takes to negotiate and balance multiple interests into a static text, that it actually creates the fora for us to test what are the issues that businesses and society and regulators within those different countries care about, care about enough to work together to solve a solution, right, so it’s very much around how do we get, how do we operationalize a lot of those issues that we spend a lot of time negotiating under closed doors, and so trade agreements for me it’s an issue and it’s one that we include in the report. The other one is around health, so think about the issues around transferring sensitive data across border, but also on the opportunities of using that for research and innovation, particularly in the moment of pandemics, right? But also on the complexity of balancing those objectives of innovation and research in public health with issues around data protection and other regulatory systems that somehow interact with health objectives. About the issue of climate change, which is the most transversal challenge that we have in our planet, how are we going to actually get through working on solutions if we don’t have the space to collaborate together, right? And what for me is very encouraging is that we can use this as a blueprint to think about international cooperation in a different way. So I have a career having worked in different international organizations, at the ITU, at the OECD, before I co-founded the DataSphere Initiative. And for me, we need to think about not ways to supplant multilateral processes, but at least to collaborate with them and create a space where we think about solutions and we are concrete about it, right? And so for me, that’s where it lives, the opportunity for cross-border sandboxes, for us to create that space where we are between just do nothing and regulate and forget. We have, we find this sweet spot, so it’s sort of the go-to-lock spots where we can actually work, test solutions.

Pascal Koenig:
Yeah, thank you so much for these interesting comments. Certainly important issues and I have several GSF colleagues who also were interested in this question of enabling cross-border data flows. So that’s certainly something to continue the discussion on. Now I would also like to invite a private sector perspective on the question of international collaboration and those areas that are especially important. Ololade, would you also say a bit on that, perhaps?

Ololade Shyllon:
Thank you, thank you so much, Pascal. I fully agree with what Lorraine has said. Excuse me, I think by their very nature, sandboxes are, they require stakeholder collaboration and there’s a lot of things that can be learned across the board if they’re given a chance. So definitely broadening this kind of collaboration across borders will definitely enrich the learnings and help policymakers definitely better understand the ecosystem and be able to figure out the kind of policies and rules that would apply in different contexts and in different environments. And this in a way would help with harmonization. So for us at META, we believe in having a harmonized approach to regulation and policymaking. And so in a way, whilst we know that different countries will have different rules and different laws or legal systems, but there’s a lot to be learned in terms of working together and collaborating on this kind of approaches because at the end of the day, we all, I mean, globally, there are a lot of treaties that exist even though each country has their own like domestic legal systems. So in the same kind, working together across borders with regulatory sandboxes and the like, for us it’s very, very important to ensure that there’s widespread collaboration across the board and consensus. Of course, there’s cultural nuances, there’s specific nuances, but at the end of the day, at high level, there are basic principles that apply across board and that one can learn from experimenting and collaborating in this space.

Pascal Koenig:
Thank you, Ansel. And yeah, moving, maybe going a bit further in that direction, what are your observations regarding the need, but also how likely it is that there’s an increasing harmonization of sandboxes both beyond the national level, either through new sandboxes that are being created on the regional level, or perhaps through a stronger harmonization of existing sandboxes?

Ololade Shyllon:
Oh, likelihood is a very tough question because I think it’s a complex issue. There’s a lot of factors that come into play in this room. Like I mentioned, differences in legal systems, but like zeroing in on the region that I cover, which is Africa and the Middle East, there is a lot of challenges that I think that exist with sandboxes that are probably more acute in the region. So things around the time it takes for this to be executed, things around the costs that it involves. And the reality is that we have data protection, if you’re talking about data governance related kind of initiatives or sandboxes, it’s fairly nascent in the region. And so most of the regulators are literally trying to figure out exactly how to build the infrastructure. Build their organizations. And at the same time, there’s a lot of impatience from ordinary people with them being able to enforce and being able to show that they’re actually relevant in the ecosystem. And so you find many of them trying to say, okay, how do we prioritize being legitimate and being able to do what we need to do, what we are established to do? In that case, if we have to prioritize that, we don’t have enough resources, financial or technical to be able to focus on sandboxes, which take too much time for us to be able to see any benefit. So that’s, I think, one of the challenges that we’re seeing in the region, but we’re hopeful that with organizations such as Doreen working on this issue in the region, we can see some push and some movement towards having sandboxes, because there’s no doubt that they are very important for ensuring innovation in the ecosystem in the region.

Pascal Koenig:
Okay, great, thanks. And maybe to get a perspective also on a different region, and to get a bit of an insights on the perspective from Lithuania. Darkne, what is your perspective on the need for harmonization on a regional level and how likely is this to be?

Agne Vaiciukeviciute:
Thank you very much for the question. I think that there was already a lot of discussion and there was already a lot of good things said. I think that if we talk in the short-term perspective, harmonization, maybe it’s not the way to go. Maybe I would use a better word, collaboration across borders. That’s what I would expect more happening in the short period. I think that harmonization is always better for those who are not first movers, for countries like Singapore or others who has a lot of experience already there and openly shares it with other countries. This is something that would be maybe not so interesting in a short perspective. I think that we are talking about innovations at this point. So innovations are very important, not only to have a safe space to test it, but also to have a freedom to explore the potential there. I think what our experiences in this field, we also were not unique in the sense of with our sandboxes and I’m proud to say that we got the experience, of course, from UK. We had a very close collaborations. We went there, we invited them. We had a huge conference on the sandboxes just to share their experience because there was a lot of things which they said that we should not do. So it was also very valuable for us. So I think that the harmonization, and maybe it’s too early to have this question at this point. I think now, today, we’re talking a lot about what is the concept of sandboxes, what kind of sandboxes we do have. Then we have some just good initiatives already. So I think what we really need, we need to catch up with the scale on sandboxes in so many different levels and just to show maybe for other policy makers how valuable it is. I’m convinced already, but that’s not enough. I think if we want to make huge changes within the governments, we need to think further. So during this panel, I got so many ideas about how fast we need to go to Singapore with our minister and so on. So I’m joking, of course, but thank you very much.

Armando Guío:
Thank you, Minister. Thank you, Deputy Minister. Yeah, I have more questions and I would love to hear more from you, but I think while keeping an eye on the clock, I think we should leave some time for another round of questions from the audience. And I can see questions online, but of course I cannot see them in the room. So Amanda, you can gladly go ahead. Great. So I will start with a question here in person and I would like to get the questions in the Zoom room because I don’t have them. I don’t know if you can help me with that, but please.

Audience:
Thank you very much. Thanks for the very insightful panel. I’m Claudio Lucena, Paraíba State University Law School in Brazil. And I’m also the co-coordinator of the Open Loop Experience in Brazil. We are addressing privacy enhancing technologies. I’d just like to add a bit on Lorraine’s comment about the happiness of having sandboxes discussed in a privileged space like this. For years, we have talked about the necessity to regulate in a more adequate, dynamic, flexible, scalable way. And bringing sandboxes to this privileged space means that we’re considering it one of the tools to operationalize that smart regulating. Yes, for the digital space, but definitely not only to it. So my question is a little bit more mundane though. It’s a question about timeframe. And I’d like to have these experiences here of Lithuania, maybe Norway and Singapore. You have a framework to operationalize a sandbox and there is a space where you weigh back in as a regulator to say if and which measures are going to be taken out of the experience you have. How strict, the question is how strict you intend to be or have been in these measures? Do you wait until the whole process is finalized as the regular framework foresaw or are you ready to intervene in a point where something stands out as very important not to be waited for? Thank you very much.

Kari Laumann:
Thank you. I don’t know, Carrie, if you want to start there. Yes, I think this is a very good question and very relevant for us as regulators. I think for META it’s a bit different if you’re a private actor and you have a sandbox, but as a regulator, our kind of powers are very strictly regulated in the GDPR. So we are to case handle, we are to do enforcement action and we are to give guidance. And for the sandbox for us, this is a guidance tool. So we call it dialogue-based guidance. So for us, it’s very important to be clear that this is not a decision. We only give guidance in the sandbox and then the company who is participating can decide themselves for what they will actually do. And also we are very clear that we don’t give any exemptions from the regulation. So even if they’re in the sandbox, the regulations still apply. So our sandbox is more about exploring those area in the regulation where there might be questions or uncertainty of how it should be implemented in practice. It’s not about giving exemptions or giving like a stamp of approval. It’s basically guidance. So I think that’s an important kind of also, it’s important to be clear about what the sandbox is and clearly define that for anyone who participates or wants to take part in it.

Dennis Wong:
It’s a great question. I would say that for us, it’s a fairly sort of dynamic process because we waited right from the start of the use case. Very often, right from the get-go, we’re trying to understand what is the regulatory issue they’re trying to solve for. And well, at the end of the process, we come up with the case study or with the published report. So obviously there is that process. But I think throughout in the engagements, we are working on the ground with them to work out what are the regulatory issues, where are the inter-jurisdictional issues, where are the interdisciplinary issues. And we are going back and forth on that process all the time throughout. So it’s definitely in the realm of guidance. For us, it is a fairly agile and dynamic process. And I agree completely with what you said earlier in your speech, which is really, it’s about agile policymaking. So it’s very much in that space for us. And we don’t really sort of see this as, okay, you go figure it out and then we’ll give you an answer at the end of it. It doesn’t really work like that.

Agne Vaiciukeviciute:
So thank you very much. Very good question. I think our perspective is a bit from different angles just because I’m not from the regulatory kind of authority. I’m from the policymaker’s kind of side. This was initiated from our side. So we understand sandboxes as a part of work, working very closer with the ones who are testing all those systems. You know, testing all those innovations. And once again, obviously it’s a very dynamic process. Nobody wants to implement or change any rules that is absurd or whatever. But the idea was to kind of open it and be dynamic in regulation as well. Because we have some of the regulations already in place, but there are no usage cases. So it means that it’s written on the paper, but the reality does not work. So that’s what we are having. So our perspective with sandboxes try to kind of close this gap. And obviously we understand that nothing could be taken for granted or fully within the process because we did not even touch upon the fact that while doing those sandboxes, there could be some not usable cases in the future. You’re just testing some, there could be some failures as well. So we are looking into this more in a relaxed manner, just to see what’s going to happen, just to create a playground for everyone. Thank you.

Armando Guío:
Thank you. This has been an amazing panel, very much on a topic that is still on the making. I think there are many things coming on the way, global forum, sandboxes, Lorraine, perhaps, of course, that will be coming and projects on different sites, Lithuania working on these, Norway still continue the good work, although I think META is going to be also very important actor on many of these conversations and as a participant of the sandbox, Singapore continue the great work. So this has been already amazing. Also with GIC working on this assessment on how to help countries to be more efficient on implementation of sandboxes, something that we’re working with Pascal. So this has been already an amazing experience. Hope that you continue the great work. Hope that you continue with all the great questions and thank you again for joining and this has been an amazing experience. Thank you again. Thank you very much. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you.

Agne Vaiciukeviciute

Speech speed

151 words per minute

Speech length

1687 words

Speech time

670 secs

Armando Guío

Speech speed

193 words per minute

Speech length

3113 words

Speech time

969 secs

Audience

Speech speed

172 words per minute

Speech length

1071 words

Speech time

375 secs

Axel Klapp-Hacke

Speech speed

169 words per minute

Speech length

718 words

Speech time

255 secs

Dennis Wong

Speech speed

189 words per minute

Speech length

1707 words

Speech time

542 secs

Kari Laumann

Speech speed

166 words per minute

Speech length

541 words

Speech time

196 secs

Lorrayne Porciuncula

Speech speed

173 words per minute

Speech length

2284 words

Speech time

794 secs

Moraes Thiago

Speech speed

169 words per minute

Speech length

464 words

Speech time

165 secs

Ololade Shyllon

Speech speed

199 words per minute

Speech length

756 words

Speech time

228 secs

Pascal Koenig

Speech speed

164 words per minute

Speech length

491 words

Speech time

179 secs