WS #35 Unlocking sandboxes for people and the planet

Summary

This discussion focused on the concept of regulatory sandboxes, a tool for experimenting with new technologies and regulations in a controlled environment. Bertrand de La Chapelle introduced the topic, explaining that sandboxes can be used to test innovative applications, explore regulatory challenges, and foster collaboration between public and private sectors.

Participants shared experiences and insights from different regions. Thiago Moraes discussed Brazil’s approach to AI-focused sandboxes, emphasizing the importance of preparation and stakeholder engagement. Adam Zable provided an international perspective, highlighting the diversity of sandbox implementations worldwide and the distinction between European and East Asian approaches.

Maureen Amutorine shared insights on sandboxes in Africa, noting the prevalence of fintech sandboxes and the challenges faced by regulators. Katerina Yordanova discussed the European context, particularly the AI Act’s sandbox requirements and the need for clear incentives for participation.

The discussion explored various challenges in implementing sandboxes, including resource constraints, trust-building between regulators and innovators, and protecting intellectual property. Participants emphasized the importance of transparency, clear methodologies, and addressing potential disincentives for companies to participate.

The conversation also touched on the potential of sandboxes to bridge knowledge gaps between regulators and innovators, particularly in rapidly evolving tech sectors. Participants stressed the need for better communication about sandbox initiatives and their benefits to encourage participation and build trust.

In conclusion, the discussion highlighted sandboxes as a promising tool for agile regulation and innovation, while acknowledging the complexities and challenges in their implementation across different contexts and sectors.

Keypoints

Major discussion points:

– The concept and purpose of regulatory sandboxes for testing new technologies and regulations

– Different approaches to sandboxes in various regions (e.g. EU vs. East Asia)

– Challenges and incentives for both regulators and companies to participate in sandboxes

– The importance of preparation and methodology in setting up successful sandboxes

– Building trust and transparency between regulators and companies through the sandbox process

The overall purpose of the discussion was to explore the concept of regulatory sandboxes, share experiences from different regions, and discuss best practices and challenges in implementing them effectively.

The tone of the discussion was largely informative and collaborative, with speakers sharing insights from their experiences and research. There was an emphasis on the potential benefits of sandboxes, while also acknowledging the challenges in implementation. The tone became slightly more cautionary towards the end when discussing potential disincentives for participation, but remained constructive in proposing solutions.

Speakers

– Bertrand de La Chapelle – Chief Vision Officer of the Datasphere Initiative (Moderator)

– Moraes Thiago – Data Protection Authority of Brazil

– Adam Zable – Research fellow at the GovLab

– Morine Amutorine – Resource associate at the Datasphere Initiative

– Katerina Yordanova – Senior legal expert at the University of Leuven

Additional speakers:

– Farouk Yusuf Yabo – Permanent Secretary at the Federal Ministry of Communications, Innovation and Digital Economy in Nigeria

– Luis Fernando Castro – Former member of PGI, the Brazilian Internet Steering Committee

– Sophie – Mentioned as putting information in the chat, likely part of the organizing team

Regulatory Sandboxes: Exploring Innovation and Regulation in Controlled Environments

Introduction:

This discussion, moderated by Bertrand de La Chapelle of the Datasphere Initiative, focused on regulatory sandboxes as tools for experimenting with new technologies and regulations in controlled environments. Participants from various regions shared insights on sandbox implementation, challenges, and best practices.

Purpose and Types of Sandboxes:

De La Chapelle introduced the concept of sandboxes, noting that they exist along a spectrum. Examples include regulatory sandboxes focused on compliance and testing existing regulations, and operational sandboxes used to test new applications and technologies. Adam Zable from the GovLab elaborated on how different regions emphasize various aspects of sandboxes, with the European Union approach tending to focus more on regulatory compliance and risk mitigation, while East Asian countries like South Korea emphasize economic growth and regulatory flexibility.

Regional Approaches and Experiences:

Participants shared diverse experiences from their respective regions:

1. Brazil: Moraes Thiago discussed Brazil’s preparation to launch a sandbox focused on the applicability of data protection regulation articles to AI. He emphasized the importance of thorough preparation and stakeholder engagement before launching the sandbox.

2. Africa: Morine Amutorine shared insights on sandboxes in Africa, noting the prevalence of fintech sandboxes and the challenges faced by regulators. She highlighted examples including the EcoBank Pan-African sandbox and Kenya’s Communications Authority using a sandbox to identify innovations not covered by existing regulatory frameworks.

3. European Union: Katerina Yordanova discussed the European context, particularly the AI Act’s sandbox requirements. She noted significant differences in member states’ needs and approaches to regulatory sandboxes across various sectors.

Methodology and Best Practices:

Several key points emerged regarding the implementation of successful sandboxes:

1. Thorough preparation and stakeholder engagement

2. Transparency and public engagement to build trust

3. Clearly defined stages in the sandbox process

4. External evaluation of sandbox effectiveness

5. Addressing intellectual property protection concerns upfront

Challenges and Incentives for Participation:

The discussion explored various challenges in implementing sandboxes and potential incentives for participation:

Challenges:

1. Resource constraints and lack of expertise for regulators

2. Trust issues, particularly in Eastern Europe where companies may be hesitant to share information with regulators

3. Knowledge gaps between public authorities and tech developers

4. Potential risks for regulators in implementing sandboxes

Incentives:

1. Access to valuable data sets for companies

2. Regulatory clarity for innovators

3. Removing fees to lower barriers to entry, especially in low-income areas

Building Trust and Transparency:

Speakers emphasized:

1. Clear communication about sandbox initiatives and their benefits

2. Addressing potential disincentives for companies to participate

3. Using ‘closed room’ arrangements to protect sensitive information while allowing necessary sharing

4. Engaging the public through various means, as exemplified by the Norway Data Protection Authority’s podcast about their sandbox

Global Initiatives:

De La Chapelle mentioned the Global Sandboxes Forum and Africa Sandboxes Forum initiatives, demonstrating ongoing efforts to share knowledge and best practices in this evolving field.

Unresolved Issues and Future Directions:

The discussion highlighted several areas requiring further exploration:

1. Developing standardized sandbox practices while accommodating regional differences

2. Effectively bridging knowledge gaps between regulators and innovators

3. Balancing incentives for both large companies and smaller startups to participate

4. Creating a framework that addresses common challenges for companies participating in sandboxes

5. Exploring ways to mitigate risks for regulators implementing sandboxes

Conclusion:

The discussion underscored the potential of sandboxes as tools for agile regulation and innovation while acknowledging the complexities in their implementation across different contexts and sectors. The Datasphere Initiative announced plans to release a series of use cases and experiences from past sandboxes at a meeting in Paris in February, demonstrating ongoing efforts to share knowledge and improve sandbox practices globally.

Bertrand de La Chapelle: Maureen. And then Maureen, if you can, as well. She hasn’t turned on her video, so I’ll just… Oh, she’s coming. My video is coming one shortly. I’m trying to seek something, but I’m here, I’m online. Okay, we don’t see them on the screen at the moment, but can you display… Can you display the Zoom feed? And for people in the room and online, hello, everyone. We’re going to start literally in one minute. I’m just trying to get the people on the screen. Two left. But can you display them so that when they come back, we have them? Because… Okay. So, as we wait for people to be displayed, because they are supposed to be online, it’s my pleasure to welcome all of you here physically and online. And actually, if you can grab the bottle of water that is there, I think it would be great if I have one. Yes, there they are. So, as I said, it’s my pleasure to welcome you both online and offline. My name is Bertrand de La Chapelle. I’m the Chief Vision Officer of the Datasphere Initiative. And today, we’re going to talk about sandboxes. So, sandboxes is a term that is emerging very strongly around, and it’s a little bit mysterious for a lot of people. So, before we get into the discussion, I want to paint a very quick picture about what we’re talking about and why do we think it is important to have a discussion about sandboxes. You know, the term refers to what we’re all familiar with when we have kids. It’s this place where you can play. And it’s also a place where you can experiment. You can build something, see if it works. If it doesn’t work, you restructure, you organize something different. It’s something that is limiting the consequences of the experiment to the sandbox itself. It’s been used in research. You can have a sandbox to experiment some techniques. You can have a sandbox in various environments. And what we’re going to talk about today is this tool for experimentation in an environment that is connected to technology and the public authorities and the rules that apply to technology. And when I say rule, it’s not only regulation. It can also be the guiding principles, the self-organizing principles or the self-regulatory principles that a particular sector is adopting. And so this notion of sandbox, and we’re increasingly in the work in the Datasphere Initiative using this also as a verb, like to sandbox, meaning using a sandbox to experiment. This is something that is increasingly considered around the world as a tool for agile frameworks or for developing agile frameworks and providing an experimentation space for things that are innovative. It’s either to foster innovation or it is to deal with an innovative application and see what is the interfacing, for instance, with regulation. Which means, in particular, that we can make a rough distinction. It’s a little bit, not a caricature, but a strong distinction. But you can see sandboxes that are regulatory sandboxes or operational sandboxes. Without delving too much in the detail, you can have a sandbox that is mostly about what are or should be the rules. And another that is about literally experimenting, particularly with certain types of data, especially when it is sensitive data, you want to have a space that is enclosed. And actually, there’s an analogy that comes to mind as I speak, which is we’re all familiar with the notion of an air gap computer. An air gap computer is something that is not connected to the internet. So if something is wrong on the system, if you’re testing a malware or something like that, you don’t want this to go on the network. And so you create an environment that is under certain rules and protected. That’s what we’re talking about when we’re talking about sandboxes. And the studies that we’ve conducted as part of the Datasphere Initiative have recorded at that stage more than 70 countries who have in one way, shape or form used sandboxes in their preparation of a law, in the implementation of the law, or in thinking about whether a particular law applies or whether a particular law should be changed. You can have also hybrid mechanisms, but what is important is that it can come at different stages of a process. And we will discuss that a little bit further in the meeting. It can come, as I said, very early on to anticipate the problems that may be caused by a particular technology. And in the context of AI, it’s particularly relevant, even the speed at which the technology changes. But it can be also regarding existing regulations, whether they hinder innovation or whether they are applicable to a new technique. It can also be in the course of the development of a legislation to organize the consultation and the participation of different actors. I was mentioning the regulatory sandboxes and the operational sandboxes. What we’re going to talk about today is mostly about regulatory sandboxes, i.e. when there is a public authority that has a responsibility or takes the initiative to set up a particular process to engage a group of private and civil society actors in the experimentation or the exploration of the challenges around a particular technology. And what is important is whatever the shape or form, whether it is early in the process, whether it’s purely regulatory or operational, most sandboxes actually go through predetermined stages. So you have a very early phase that is basically dependent upon the readiness of the public authority to launch a sandbox because it’s a new type of interaction. It’s different from the traditional, I would say command and control adoption by purely the processes of the parliament and traditional consultations. So there is a question of do the public authorities have the preparation to organize and manage a sandbox? The second thing is the early stage of setting up the sandbox exercise is extremely important. How do you identify the relevant stakeholders, the different actors that should be participating? What is the exact purpose of the sandbox? And if you miss the early stage, if you do not spend enough time, you actually are launching into an exercise that will not produce what you’re actually wanting to produce. So the concept of sandbox has generated a lot of interest. It’s a practice that is growing on many different issues. And this is something that we’ve documented in the DataSphere initiative. But it is something that is relatively new, that is still intimidating for a lot of actors because let’s be honest, it is wonderful when it works well, but there are challenges in setting it up. If the methodology is not implemented correctly, it can incur risks for the public authorities, but also for the private actors who engage in the process. And so the methodology is important. And overall, to summarize, sandboxing is a form of, it’s an approach, it’s a spirit. And it is very complex. It’s a process, it’s a process. And it is very close to the multi-stakeholder approach. And I think it’s very topical to have this session here at the IGF, because it’s a way to insert a multi-stakeholder spirit or approach at the national level, not necessarily at the global level, but at the national level. And sometimes as a sub-national level, because it can also be used by municipalities, for instance, but a way to introduce multi-stakeholder consultation and participatory processes in the traditional rule-setting procedures. So, as the DataSphere initiative, we have launched in Rio. We have done a report that you can find online at the website, thedatasphere.org, a report that we produced for the UK government in the context of their presidency of the G7 in 2021. And we also launched in Rio, Brazil, on the occasion in July this year, on the occasion of the G20 presidency of Brazil, a global sandboxes forum that I’d be happy to discuss with you afterwards, which has the purpose of bringing together the actors who are doing sandboxing or are intending to do sandboxes to exchange experiences and connect. And Sophie here is putting in the chat more connections to the work online. And so our goal is to socialize the concept, and it’s the reason why we have this session here. And I have a few people around the table, physically and virtually, with the purpose of actually exploring two things with a big emphasis on the first one and a little bit on the second one. The first thing is to delve more in detail within the concept itself around people who have actually have the experience of doing sandboxes or studying how they work, and basically addressing the why to sandbox, when to sandbox and how to sandbox. And the second thing afterwards is that sandboxing is a trust building exercise between actors who don’t necessarily have a lot of confidence in each other. And so one of the prerequisites for an effective sandboxing is that we work on having buy-in and increasing the trust between the different actors so that they can engage. So without further ado, and sorry, I forgot to mention that apart from the Global Sandboxes Forum, we also have underway a dedicated program for Africa, which is an Africa sandboxes forum. And Maureen can say more in particular about this. So without further ado, getting into the first thing, and don’t hesitate to use the chat to make comments, ask questions, and Sophie will be following this. I now turn to the person on my right, who is Thiago Moraes, who is with, among other things, with the Data Protection Authority of Brazil, because they have, and they are embarking into a sandbox effort on a very interesting topic, which is the applicability of the articles of the data protection regulation in Brazil to AI. And what is interesting, and I’d like you to elaborate a little bit on this, is that you did also a very intense preparatory work beforehand, illustrating what I was saying earlier, that preparation before launching a sandbox is an important thing. And there’s also the question of the connection between different regulatory authorities on some of those topics. So Thiago, if you wanna shoot first.

Moraes Thiago: Yeah, and thanks Bertram for the invitation from the data sphere. And I think it’s very relevant opportunity to have the discussion in such important forum for us, because as you said, the collaborative approach that sandboxes should have embedded in it, and the IGF is all about this in its principles. And it’s also very curious, and maybe I’ll start from here, saying that we started looking in sandboxes because they were like two years ago, actually, when we were delving more and more in the AI governance, AI regulation topic, and how it connects with data protection. We start to hear this new buzzword, which was the sandbox, the regulatory sandbox. And I have to acknowledge that it’s very important that the work of the Data Sphere at that moment, you had one of the main reports on the topic. I mean, there was also, of course, a nice work from the World Bank Group. The German government also had some nice publication, but yours were the first report focused on our data-oriented sandbox, which has a lot to do with what we do, since there is a big chunk of data, which is personal data, that’s the role of DPAs to be concerned with. So, yeah, first of all, I’d like to thank for the nice report that you published some years ago. But from that, we saw, okay, actually here, it’s something that can be really, truly hands-on, which is important. I work in this unit in the DPA that’s related with how to cope with innovation and how we make, actually, regulation for and with innovation. And, of course, not any kind of innovation, but the responsible ones, innovation that’s adequate to regulations such as the Data Protection Legislation. Because of that, we decided to, okay, let’s do a throughput study. So, we started with a benchmark research. I think that was the first step of what we should look about, so we could understand more of the methodology of the sandbox. And, of course, your work was part of it, but many of these others that I mentioned. And also, we did some interviews, not only with other regulators in Brazil, from other economic sectors, agencies, but also with our peers. So, we talked with data protection authorities from other countries, like Norway, who has a very interesting AI-focused privacy sandbox. We talked with the ICO in the UK, Canal, Singapore, and also Colombia. So, this was very interesting, because we saw that the way that privacy regulators have been dealing with sandbox is a bit different from what we see in, for example, financial sector, where one of the main outputs of the sandbox is to really give this bigger leeway, giving more flexibility, to lower barriers to the innovative process developed there. In the meanwhile, what privacy regulators are usually concerned about is how often the innovators are being able to cope with this complex legal framework. framework, which can be the protection ones. So there was a lot of like guidance and support involved with it. And from there, we all that like partnerships were important. We did a first cooperation with the Development Bank of Latin America, in the Caribbean’s CAF, where one consultant, Mr. Armando Guia worked with us. So we did with that design of what we were aiming in our sandbox, we saw that we needed to understand better some provisions of our data protection law that was connected with the topic. So most specifically, we have this Article 20, which is about algorithmic decision making. So very similar to what we have in the GDPR, Article 22. And we saw that among several things, the topic of transparency was there. So this another buzzword, algorithmic transparency, okay, maybe we could look what that means, the sense of our relationship. And with that, we shared with society, we did an open consultation to collect input. This was done in the last year. And from then, we now have been advancing to actually start launching it because now we have a better idea where we want to go. This, the results of the consultation has not been shared yet, but we are going to share it just because we want to make sure that everything that our technical teams has analyzed is a consensus with our high board. So we are in this phase right now. And in parallel, what we’re doing in the meanwhile, we are gathering some expert support because we saw that that was differential in several cases, like for example, Norway, because countries that didn’t do that, they had a lot of trouble thinking that the sandbox can be an interesting tool, but they couldn’t see the complexity of it. So I mean, when we have a more mature institution, like let’s take the ICO in the UK, which has been running on for 20 years as a DPA, and they have put in 300 staff, so they could have a dedicated unit for that. That’s not our reality. We are a three years old DPA, our innovators unit has four people that cannot deal only with sandbox and not only with AI, we have blockchain, we have pats, we have several other technologies to follow up, and not only sandbox work. So we decided, okay, we need experts with us. And we did this partnership now with the UNDP, who is helping us to bring a partner university to work with us. So we’ll have a more stakeholder group working on that with us. And we also see that a last part that we still miss are missing before starting the launch is awareness raising campaign, because after all this trouble, if we cannot connect with, with potential participants, like going to incubators, talking with startups, or just like data driven companies that would be interested in knowing more, we can have a risk here of like making the call for for projects and no participant being really interested. Because as you said, trust is important part of that. I will, I’ll keep that for the next part. But this is definitely key, if we want to make a successful sandbox. So thanks for an opportunity. And I pass the floor to you.

Bertrand de La Chapelle: Thank you so much, Diego. I think one thing that I want to emphasize is that, in many cases, people understand the notion of sandbox in one angle in particular, which is the temporary lifting of some of the regulatory constraints to enable the testing of new applications. This is particularly what has been done in the fintech environment. which has been one of the first test bed and testing grounds for sandboxes. What I think it’s important to understand is that it may be one feature sometimes on a sandbox, but it’s not a necessity. And in the case of the Brazil DPA, it is not about lifting a regulation. It’s about looking at how a particular article applies to a particular type of sector. The second thing is, you highlight very clearly, and I was asking a little bit, the why, the when, and so on. I think the effort that you’ve made to talk to other actors and the comment that you made regarding the maturity of an operator is a very important one, because you use the expression, which is basically having a dedicated unit. I think it makes sense to consider that in the future, as sandboxing becomes a more widespread practice, every government, every regulator, and so on, will have to have a pole of competence to help people who need to implement a sandbox. And in that regard, given the levels of maturity that are different, the sharing of practices and experiences among all of those who have done sandboxes is a very important element, and that’s one of the reasons why we generated the Global Forum on Sandboxes. Which leads me, actually, to another dimension, and I will pass the floor to Adam Szabo, who is a research fellow at the GovLab, who has been following those issues for quite some time, to ask you, Adam, to offer perspective on sandboxes for certain regions of the world, because we’re talking a lot about sandboxing, particularly in the European Union at the moment, because of the explicit mention of the use of sandboxes on the AI Act, because you may know that the AI Act requires all governments in Europe to put in place a sandbox by 2026. But what I would like to hear from you is, how do you see, for instance, the differences in approaches between different regions, and particularly in Asia versus Europe or the US, in your view, given your experience in that regard? Adam, the floor is yours.

Adam Zable: Thank you. Can you hear me? Okay, fantastic. First, thanks so much for inviting me to speak. As Bertrand said, I can provide something of an international comparative perspective, because over the past year, I have been working as a Datasphere Initiative Fellow on sandboxes. So I’ve been doing research on sandboxes for data and AI around the world. And so that’s pretty much the question I can answer about the differences between regions in terms of sandboxes. And I would just like to, I mean, I think my comments here are going to really put a finer point, a pin in the point that both of the previous speakers, Bertrand and Thiago, have already mentioned, which is, so right now, there is really an incredible diversity of sandboxes around the world. They differ so much in terms of their objectives, their scope, intended impact, and the regulatory flexibility allowed for the participants. You have local sandboxes, you have international sandboxes, and you have national sandboxes, which are by far the majority in terms of data and AI sandboxes. My research has shown that there are around 19 data and AI sandboxes at the national level, 15 of which are regulatory sandboxes, which are the, I think, the main focus of this session. And the other two are operational or data sandboxes, and the other two are, you could say, hybrid of some kind. But I think the main difference that I have seen in the approaches to sandboxes in different regions, is this question of regulatory flexibility, and really just the the underlying objectives of the sandbox, what the government, the implementing entity, what their goal is in creating the sandbox. And I have seen two main camps here. The first can be considered kind of the European approach. It is built off of, I think, a number of EU member states’ governments’ data sandboxes, and some now for AI. And again, as Bertrand has said, in the AI Act, every member state is required to establish an AI sandbox within the next few years. These sandboxes, as well as others from other countries that have taken the model, they really focus on regulatory certainty, risk mitigation, and compliance. The idea, I think, of many of these sandboxes is to, you know, as sandboxes do, they provide a controlled testing environment with collaboration between the innovators and the regulators. But here, the focus is really mostly on identifying risks, ensuring compliance with existing regulations, and promoting the sharing of best practices. Fostering competitiveness is an element here, but they are primarily aimed at ensuring regulatory compliance, making sure that the regulatory environment, which is taken as a given, they take that as a given and they ask, how can we better enable companies to compete while complying with this regulation? So that is, I would say, perhaps the main or most, in terms of number of countries implementing sandboxes, this is a very prominent approach. But there is another camp that is… is very different, right? So the sandboxes, there’s just an incredible variety of implementation. But the other main camp that I see can be considered in a reductive sense to be at the East Asian approach, I would say. Singapore and South Korea specifically have done this a lot, also Japan. But taking just one, you can see it very prominently in the South Korean approach. South Korea has, for a number of years, implemented a regime of sandboxes in different fields and different sectors. But the focus of the South Korean sandboxes is much more on economic growth, technological innovation, and regulatory flexibility that encourages experimentation rather than compliance. The South Korean example specifically, they specifically shift the paradigm from restrictive regulation and compliance to permitting activities in the sandbox unless they are explicitly prohibited. So they can temporarily, in these kinds of sandboxes, they can temporarily restrict the application of certain regulations. Whereas in the EU, the regulatory environment is taken as a given. And the regime in South Korea that includes sandboxes includes other elements of agile governance as well, such as rapid regulatory confirmation and temporary permitting and other measures that allow businesses to begin their operations after safety checks but before legislative updates. And just in the same vein as legislative updates, in these sandboxes, when the regulator and companies come together, it’s not only to make sure that the company is complying with the law, but also to make sure that also to bring the company and the regulator in to help understand where the law might be changed to better accommodate the new technology that is being experimented with in the sandbox. If I may interject here, my understanding is that it can even go as far in the case of Singapore, of doing something on a completely exploratory manner, like in a very early stage, just to get the different actors to have a better mutual understanding of what the challenges might be, even without the objective of developing a legislation or changing the legislation. Is that indeed the case? Yes. So Singapore has a very interesting, Singapore has a few different sandboxes, but the one that I think is most relevant here, they have a generative AI sandbox where it’s very different from other kinds of sandboxes you see elsewhere, and it can’t really be classified, I think, as a regulatory or operational sandbox necessarily. But that one brings together the main, you know, some of the biggest companies in the world. And I believe the goal there is they, the Singapore, the IMDA, they developed some guidelines, and they bring all these companies together to work on these guidelines and to implement them and to develop them further. So in a very, and they’re guidelines for trusted use of generative AI, if I’m not completely mistaken.

Bertrand de La Chapelle: Yeah. So all distinctions, thank you, Adam. All distinctions are always a little bit caricatural, because it’s, of course, there are applications in the EU that will be more flexible, and some in Asia that will be different. But it’s interesting to look at the huge diversity. And I would make an analogy here. You know, if you look at countries as different as European and US, I mean, the US, the UK, France, and, and Germany, they’re all representative democracy countries with a parliament with a different institutional structure. But the arrangement within those countries in terms of institutions is extremely different. And I think we can consider the same thing for sandboxes. The spirit of sandboxing is an experimental, proactive, participatory and discussion building and trust building exercise. There are many different ways to implement in terms of purpose in terms of how it’s structured, when, or the reason why it is being set up. There are common elements. But just like you can have a parliament a Prime Minister and a Supreme Court, you can have very different organizations of the relationship between those two entities, three entities, and in sandboxing it’s the same. You can have different stages, different roles of the public actors and the private actors. Sometimes you can even have a sandbox that is triggered or initiated by a private actor saying, I really would like the landscape to be explored together because there’s a new technology and I don’t know how the regulatory frame is going to apply. So thank you for this distinction between the different regions and I would like to continue the exploration of the globe in a certain way by going to first Maureen Amoutourine, who is a resource associate at the Datasphere Initiative and who is in charge in particular of what I mentioned earlier, which is the Forum on Sandboxes in Africa. Maureen, can you give us a little bit of a perspective on how the notion of sandboxes is being used in Africa or envisaged in Africa?

Morine Amutorine: Yes, sure. Thank you, Bertrand. I hope you all can hear me well. Perfect, thank you. So under the Africa Forum on Sandboxes for Data, one of the recent activities that we’ve been involved in to feed into our report on an outlook on Africa when it comes to sandboxes is mapping sandboxes across the continent. Where are they? What are they focusing on? Who’s running them? And, you know, to really get insights about what’s happening on the continent. And so we have come across a number of case studies over of sandboxes, and surprisingly, most of them are in the FinTech sector. Over 90% of the sandboxes on the continent are in the FinTech sector. So the goal there is, of course, for competitive advantage, really, for most of them. But maybe for my insights, really, about Africa today, I’m going to share about a case of one sandbox that is run by a government organization, which is the Kenya Communications Authority. And their sandbox is focusing on anything ICT. And so one thing that we have identified is there, well, from engaging with the people in that sandbox, is there is the need for the experimentation of regulations and guidelines for innovators is high. And that’s one of the things that we have learned across all case studies. When a sandbox is set up, the applications are usually overwhelming, which means that the appetite of the people to understand, to have regulatory clarity is there, both in the private sector, but also in the public sector. And so one of the things we identified for the Kenya Communications Authority, for example, they were interested in learning what innovations cannot be covered by their former frameworks of regulation. Because they realized there’s lots of innovation happening, but they were not sure their old frameworks would be able to regulate these emerging solutions. And so that was their motivation for starting the sandbox. And when they did, one of the other things that they learned along the way was the need for multi-regulators in the same sandbox. Because they realized one solution can cut across different sectors. And this is a sandbox that is actually new. They have not yet started having many participants. because one other lesson that we have been picking up is most participants sometimes are not ready for the sandbox, the application will come in and you realise whatever is coming in people are not yet ready for the sandbox, rather to participate in the sandbox maybe based on the level of their innovation, where they are at, their understanding of the sector for which they are trying to innovate and so there are also those cases of accepting people into a sandbox takes long, why? Because the regulator has to take on the responsibility of making sure that people who are getting into the sandbox are ready to participate in the sandbox. But why this case is interesting is because again it’s a government entity, the Kenya Communications Authority is a government entity, it’s one of a kind because the rest of the sandboxes in Africa are about fintech and the way that it’s been approached is the level of experimentation, as much as I must mention that there’s not much documentation online that we have found about sandboxes, so we have had to look for people to interview, have one-on-one which sometimes of course takes a bit of time, but for the few that we have engaged, the idea of regulatory experimentation is very welcome and is picking ground on the continent because even with a few stakeholders that we have engaged, there is so much interest in setting up sandboxes, but the lessons we are learning from people who are already running these sandboxes is this idea of preparation before starting a sandbox, for the goal of the sandbox to be very clear, because we’ve had people talk about this issue where a sandbox is supposed to say, based on a cohort, it’s supposed to test a particular type of technology but then you’re getting people applying with all sorts of other things. because there was not good communication probably with the public for them to understand exactly what happens, what is expected in a sandbox. So I think in a nutshell I can say that almost, let me see, about 34 countries on the continent have sandboxes, of which of course most of them are in the fintech sector, in the financial sector for fintech, but other sectors are picking interest because of dialogue that is happening, but also the community that we as the Data Sphere Initiative have been trying to put together through the Africa Forum on Sandboxes for Data project. Yes, I’ll stop here for now. Thank you, Maureen. I think this is something

Bertrand de La Chapelle: that is becoming recurrent, the degree of interest that is being triggered and in the regard the uncertainty about how to do it and whether actors are actually ready. This is why it is so important to, one, have the preparatory process to bring people up to speed and I want to give another example in that regard. In Lithuania, somebody who was participating in a workshop, an online workshop we were doing, was mentioning that for an upcoming sandbox that they are planning to do, they will have actually a few weeks bringing together the actors who are going to participate in the sandbox, both from private and public authorities, to actually do a preparatory work before the sandboxing exercise itself. This is why the methodology is so important and the methodology may vary a little bit depending on the purpose, as was mentioned already, but in all cases the preparatory work is absolutely a key criteria for success and this is why it is so important to share the lessons from the different experiments. If there is a domination of fintech sandboxes, not all lessons can be transposed identically, but still you can learn and have information from other regions or people who have developed sandboxes in other topics than the ones that a regulator is contemplating. Thank you, Maureen. Let me move to Catherine now, who is a senior legal expert at the University of Leuven and you’ve heard the different perspectives on how to do it in Brazil, the other regions, the different types, the different reasons why people want to do sandboxing, when they should do it and how they should do it. What comes to mind when you listen to those elements and can you share what are the lessons from what you’ve been working on?

Katerina Yordanova: Yes, first of all, thank you, Bertrand, for organizing the panel. for organizing this workshop and also for inviting such inspirational speakers. I was really listening very carefully for what they shared from their respective regions. And yeah, what comes to mind really is that something that you started the workshop with by emphasizing that when we’re talking about sandboxes, we are really having a problem or more like a challenge to identify what exactly is this that we are talking about, because there are so many approaches to them and there are so many ways to do them. And I personally don’t think that’s a bad thing, because I do not really subscribe to a one-size-fits-all approach, not only worldwide when we’re talking about sandboxes, but also inside the European Union. Because I mean, I work inside the EU framework and legal framework, and also if we talk about regulatory sandbox framework. And even inside EU, where we have so many laws that are basically the same for all of us, I see many differences in terms of the needs of member states that want to have regulatory sandboxes, not only when we’re talking about AI sandboxes, but in other sectors as well. But also the way that they need to approach them, so those sandboxes can actually be useful for them and their economies. And in the recent years, I would say that maybe I have the fortune to work mostly with member states that have zero experience with regulatory sandboxes inside EU, which is kind of an exciting setting, because you actually need to start from scratch and be creative, but also be wise. Because a lot of those countries, including my country of origin, which is Bulgaria, we don’t have these kind of resources that the UK would have, and Tiago already mentioned some of those differences that are quite obvious, and at the same time we also do have these lessons that we learn from GDPR, because GDPR was a huge monumental threshold that changed a lot of things in the regulatory landscape in the EU, and of course one of those things was the creation of this network of competent authorities that had to monitor GDPR, which was a challenge, and this challenge became more apparent the more time passed, so if you look at this report that the Fundamental Rights Agency came up, I think it was last June, they actually had some very, not surprising, but concerning remarks, and it was that different member states like Bulgaria, like Slovenia, that do not have that rich resources, do not really succeed in implementing GDPR in a meaningful way compared to countries like France, for example, and it’s going to be the same when we talk about the AI Act, because of course those resources are not just magically going to appear, and that’s when we are talking about the sandboxes, which of course the AI Act establishes an obligation for the member states to have at least one working by 2026, there we have a problem, because the regulatory sandboxes, the way that they are described in the AI Act, are a very expensive exercise, and that’s why when we are looking at this obligation from the perspective of a member state that has zero experience with sandboxes in general, then this price becomes even greater, because you need to learn how to do it, first realise why you have to do it, okay, you have the obligation. but then you need to realize how you can do this to actually attract some people to apply in the sandbox. And then you have the methodology part where you need to figure out what’s the best methodology that works for you, for your structure, for the fact if you’re a federal-like state or not, because there’s, of course, a lot of differences there. And when you figure all this preparatory work, which can take more than a year or two, depends on how many people work on it, it’s just then when you can start informing the society, informing the other stakeholders, and try to prep them to get excited for the opportunity to work in the sandbox. So I would say that these differences, realizing those differences, and working within the limitations inside the member states, and inside countries in general, but it’s very vital because, yes, the idea of experimental regulation and legislation is super exciting, especially for legal scholars, but at the end of the day, we need to figure out what’s the maximum that we want to achieve, and what’s the realistic results that we can achieve. And of course, it’s better to have something than have nothing. So I’m very pragmatic about the whole approach to sandboxes in general.

Bertrand de La Chapelle: But Katarina, do you feel that the AI Act is sufficiently making the case of the benefit of using a sandbox instead of basically presenting it as an obligation? Because there’s a sort of feeling that it basically says you have to do a sandbox, but the reason why you should be doing this is not necessarily elaborated fully, and this resonates very strongly with the problems that we in this community at the IGF have when explaining why we should have a multi-stakeholder approach. Because in many cases, it’s an injunction to use a multi-stakeholder approach with a lot of uncertainty on how you can do it. Do you think the case for why to use this is sufficiently made?

Katerina Yordanova: No, I personally don’t think it is. sufficiently made. I mean, if you ask the Brussels bubble, yeah, it’s amazing. It’s great. We want to do it. It’s perfect. It’s not really. And it’s not only that we can’t explain to the companies that are the potential participants in the sandboxes, why would they want to participate. But it’s also that sometimes it’s hard to explain to the regulators why would they want to do it. And I would say that because we talked about those different types of sandboxes, where you have wavering of certain rules of the laws that serve as an incentive for participants. And of course, in EU, that’s not something that we can do to that extent, maybe we can lift certain administrative rules here and there. And Hungary, actually, in their fintech sandbox, they have a good, a good use case. But it’s not, in my opinion, sufficient to inspire someone to dedicate, let’s say, six months of their time to work in the sandbox, especially if you’re talking about SMEs that have limited resources. So one of the things that I personally feel strongly about is that if we don’t have in Europe, if we don’t have the ability to offer this waiver of certain rules, also, because we get this common laws on the European level, maybe we can offer something else. And that’s what the data, where data comes into play. And again, I will give this example from Bulgaria, where we are currently trying a very weird bottom up approach to make a sandbox. And one of the things that we offer as an incentive is our data sets that are privacy preserving. So you can be sure that GDPR is sufficiently, the rules of GDPR are sufficiently implemented in this data sets, but also offering data sets that not necessarily have anything to do with personal data, because we have a really vast amount of non personal data that can be useful for innovators. when they’re developing their products.

Bertrand de La Chapelle: Thanks, I think it’s what came to mind as you were speaking about lifting rules. If you look at a structure like the European Union where you have different instruments regarding directives or regulations, lifting rules is harder to do when the instrument was directives because it would require coordination between the different States. Whereas when it is a regulation, it’s probably possible to decide to lift something, but I’m not sure that the competence of the commission is sufficient to take the unilateral decision to lift a particular provision on something that has been adopted by the whole community of 27 nations. So I don’t want to belabor on this, but thank you for the remark regarding the difference between putting something in a text and having to actually implement it and developing it when there’s no past experience. I want to pose here before we get to the second thing, because actually what you mentioned, Katharina, on the incentives is a very good segue to the second part that I wanted to raise regarding the trust question and why is it beneficial, but also why different actors may want or not want to participate in a sandbox. But before that, let me open the floor and the room to anybody who would want to ask a question, including online, if Sophie, you see anybody in the chat having a comment. And if you want to ask a question, please introduce yourself beforehand. Anybody? Yeah, looks like it’s working.

Farouk Yusuf Yabo: Okay, thank you very much for a very interesting presentation. My name is Farouk Yusuf Yabo. I’m the permanent secretary at the Federal Ministry of Communications, Innovation and Digital Economy in Nigeria. So I have two questions. One is to find out whether there is a standard methodology, if you like, or framework that is generally used for running a sandbox. Now, I’ve had two versions of the sandbox, the regulatory and the operational. I also want to check which part does the one we are running falls in, because it appears to me to be somewhat in between. So our goal was to create opportunity for individuals and small startups that do not have the resources to navigate around the regulatory space or even around payment for certain government owned rights. For example, access to frequency. So we wanted to create a pre-frequency that will allow for technologists to come in and then run frequency related technology projects. And it’s meant to be a national thing because we noticed there are so many people around who are into different things, but who may not necessarily be able to come on, follow the process. Is it mostly on access to free spectrum, for instance? Yes, access to free spectrum, but not free in this case. We issue spectrums for non-commercial uses, but you pay. So, but many of the people may not be able to pay or follow the process. So we just decided to create an access and run a competition of some sorts. Is it, for instance, applicable to rural access? Yeah, it could be for anything. Could be rural access.

Bertrand de La Chapelle: The reason why I ask is because there were references in some sandboxes being developed particularly or explored in Brazil regarding lifting some constraints regarding local communities, municipalities, making community services when the operators are not.

Farouk Yusuf Yabo: Yeah, so that’s part of it, but we wanted to make it very wide open. Community, it could be materials, it could be for some podcasts, it could be for anything that somebody wants to use. It could be for metering, it could be for anything that young talents can come in and demonstrate. So I wanted to know where does this fall? Is it a regulatory, is it an operational one? The goal is to allow access for people who ordinarily cannot pay or cannot get access based on the constraints of payment and other procedures. Thank you very much.

Bertrand de La Chapelle: Thanks for the question. A very quick answer on the two questions. One, as always, nuance is always the name of the game. So whenever you make a dichotomy between a regulatory or an operational, I mentioned later on that there is the hybrid notion and that most often it is on the spectrum. I mean, the comment that Katerina was mentioning is that even if you do something on the regulatory, you may have an incentive, which is you get access to a particular data set to work with it, which you wouldn’t have access to in normal conditions. The second thing is I can respond with three letters on the question, is there a standard methodology or framework? No, actually it’s two letters. It’s three letters in French. It’s no. There is no standard established methodology. However, nuance is the key word again. This is precisely the kind of work that we’re trying to do by gathering the experiences. What are the lessons you can draw? And I mentioned at the beginning, what is emerging clearly is the stages. You have the preparatory stage, which can be on the responsibility of the initiator of the sandbox or the actor wants to do a sandbox. Then you have the actual setting up of the procedure with a certain number of questions or what is the exact purpose? What is the range of stakeholders that have to be engaged? What is the type of data that has to be accessed if that is the case? Or what is the problem that has to be solved? And who is going to be in charge of this? Like as Thiego was mentioning, sometimes you have multiple regulators that may be involved. Who’s taking the lead? Is it something that is one regulator organizing it or is it something where there is a sort of third party facilitator in the government or outside that comes and organizes the discussions? Then you get the actual operation of the thing. But the preparatory phase is fundamental. The operation can last for a certain period of time. And one thing that people forget as well as not paying attention enough to the early phase is the exit of a sandbox is an important thing. How do you implement the solutions that have been developed on the occasion of the sandbox on an ongoing basis afterwards? Particularly if the sandbox has involved certain actors in the private sector and not others. How do you ensure that there is not a… distortion of the competitive environment. So, formalizing the methodology is clearly one of the objectives of the Global Sandboxes Forum that we’re having. The first phase being that people will listen to what is happening in the different other countries. Any other comments? Yes. Go ahead.

Luis Fernando Castro: Quick question. Thanks Bertrand. I’d like to ask any of you. Can you tell who you are? Sorry, I’m Luis Fernando Castro from Brazil, former member of PGI, the Brazilian Internet Steering Committee. I’d like to ask you, all of you, if you can bring any concrete experience that showed successful in this matter of sandbox.

Moraes Thiago: Yeah, go ahead. Yeah, I guess I’m from Brazil. So, I mean, as I said, in the case of the DPA, we’re still finishing the design phase. So, of course, talking the success of implementation is not yet ready. Although, I could say that the design itself has been quite mature. So, yeah, we have some expectations. I think we’ll start working from the next year. But even now in Brazil, we already have like some very nice experience from the financial institutions. Like in Brazil, there was something very interesting that this central bank has done a partnership together with the security, the stock markets authority and also the security. So, exactly. So, basically, the three of them have three independent but also interdependent sandbox in the sense that any participant can join any of these three. And if whatever they are doing has synergy with the other markets, they actually go together and work together in the initiative. So, it’s a model for this kind of joint corporations. Of course, it’s still all within the financial sector, but so that’s something to look for the challenge that come when it overlaps. And yeah, you can find a nice experience talking about other DPAs or the data protection authorities. You can look for the ICO and in Norway, I can share with you like we did a benchmark study that’s in Portuguese that has some interesting use cases. There are also these reports from the World Bank Group that I mentioned focused on fintech sandboxes. So, definitely, there are a lot of interesting use cases. And of course, there’s always room for growing more maturity, but yeah, sure, there are.

Bertrand de La Chapelle: Maybe to move to the next thing I want to also mention, unless there is a question from the online part, Sophie. One thing that I want to highlight is that we will have a dedicated meeting in Paris in February on the occasion of the summit on AI that the French government is going to host at the end of February. And on that occasion, one of the things that we will be releasing that we’re finalizing at the moment is precisely a series of use cases and comments about what have been experiences in the past. Because as Thiago was saying, there’s a lot about fintech, but for the fields that we’re talking about, there are some different elements and it’s good to be able to document and the paper will have a certain number of elements. I want to shift and please, if you have specific examples that you want to share on the occasion of the comments afterwards, don’t hesitate. What I want to finish with and explore a little bit is what I mentioned at the beginning. A sandbox is an exercise to bring people together and make people address policy issues in a different way. It’s basically turning the problems that different actors have with each other, like governments considering that the private sector is not doing what it should be doing, or the private sector considering that the governments are not regulating the way they should be regulating. It’s turning this into addressing a problem that people have in common by saying there’s a new technology. How does the existing regulatory framework apply? Should we change it? Should we improve it? Should we develop a new one? This is something that is important because the implementation of the new agile regulations needs to be iterative. It needs to be able to adapt to the evolution of the technology itself. There’s no better way than having a space for the different actors to talk to one another. All this is wonderful. There is a real interest for sandboxes. There’s an emerging methodology that’s being developed on the basis of experiments. There are benefits, but as Thiago and others were saying, it can be costly. It requires an awareness and a preparation to run it correctly. It can take long. The outcome is not certain. If you embark on a legislative process, you basically know what are the steps, and especially if there’s a majority in your parliament, you know how it’s going to go. There’s a bit of negotiation, but you know how the voting is going to go in the end. When you embark in any type of multi-stakeholder process as a government entity, it is less predictable. There’s an irony. A tool that is intended to produce legal predictability is a process that cannot guarantee that the thing will be successful. This is why the methodology is so important. But that is on the governmental side, and there’s also, because we have to be transparent, there’s also the personal challenge for the people who are the regulators, because there’s a risk. If this doesn’t function properly, are you going to be blamed for not having fulfilled the objective? There may be reasons for government authorities to hesitate to launch a sandbox. This is why I was asking Katharina, making the argument on the benefits needs to be strengthened, and the methodology as well. But now I want to go to the other side. Are there disincentives to companies to get into a sandbox? Is there a fear that what you’re going to explain to a public authority is going to be taken against you, because you have revealed how your system is going to operate? So I want to throw the question on the floor and maybe start in the reverse order, starting with Katharina. What are the disincentives?

Katerina Yordanova: And I like you mentioning the access to data as an incentive. Well, yeah, the disincentive… It really depends on where we are looking at all over the world, because again, coming from Eastern Europe, I would say that companies in general are very, very unwilling to talk with the regulator and explain how their system works, precisely because they think that at some point in the future, what they shared could be used against them. So there’s a lot of distrust, which is I guess in some way historical, but it’s still there. And another concern that I’ve met with companies I talked about sandboxes was regarding their IP rights. So the rights of like patents and trade secrets, these kinds of things, especially when their product is in an earlier stage of development, and some sandboxes actually offer the ability of participants to communicate between each other. If you look at the digital sandbox in the UK, that’s the case. So in that particular instance, they are very worried that somewhere among this process, they may have their rights infringed in some way, and they are looking for some more guarantees on the side of the regulators.

Bertrand de La Chapelle: When I listened to what you were saying, you know that, for instance, in the procedures for mergers and acquisitions, you have the notion of closed rooms where you can access the data about the financials of a company and so on, if you are the acquirer. I see a sort of analogy, actually, when you can talk about the IP and so on, but there needs to be a framework, to come to your question, that establishes clearly what can be used and cannot be used, which is not easy, I suppose, because how do you take into account an idea that emerged from seeing what somebody has shown? This is why sometimes exploring how an existing legislation applies to a new technology is a little bit different from really revealing everything about the new technology and having to test it and making it. Can you elaborate, Catharina, just briefly on this notion of incentivizing actors by providing access to a data set, because I think it’s an important element.

Katerina Yordanova: Well, this. This was actually something that we were inspired by the digital sandbox, actually. And it’s a very interesting type of sandbox that ICF developed. And it was basically what they were doing there in a very limited use cases. They were asking the participants that were already selected if they need specific data that they can provide for them. And that was done either by connecting them with a data, with someone acting a bit like a data intermediary in a way, or by curating certain data set either by using real data or synthetic data. So that was the idea that ICF had. So we took that and complemented it with, first of all, with what we have in terms of specific data sets in this institute that we are working together to create the sandbox. So that could be mostly like data related to urban environment, because that’s a bit of a specialty of the institute. But also, we assigned some curators of data sets that contain personal data that can basically make a bit of a, if you wish, compliance exercise of the data set. So they helped the companies to use data sets that had data that was already in compliance with GDPR. So they were a bit more certain that they are compliant, not with the AI, because, of course, not enforceable and applicable yet, but with GDPR, which is currently, in my opinion, the biggest problem for SMEs, at least in Bulgaria. They still haven’t figured out how to apply it correctly. But yeah, that helped quite a lot as an incentive.

Bertrand de La Chapelle: Thank you very much, Maureen, and Adam, and then Thiago. Any thoughts on this question of how to overcome these incentives?

Morine Amutorine: So I can go first. and probably share something that I have learned from the EcoBank’s Pan-African sandbox, which ideally is EcoBank providing an API to solution.

Bertrand de La Chapelle: Can you put your video on or is the bandwidth not good enough?

Morine Amutorine: Yeah, my bandwidth is not good enough actually.

Bertrand de La Chapelle: We prefer to be able to hear you. Go ahead.

Morine Amutorine: Sorry, yeah. Yeah, so yes, I was saying that the EcoBank sandbox is literally EcoBank providing APIs to the developers to be able to build on top of what they already have. And so the incentive there for the developers has been the ability to access a small percentage of data about their clients because Africa has had financial inclusion as one of the biggest goals for the financial sector. And so having access to like the bankers’ information, not in its entirety, it’s definitely, I mean, from what they explained, the process that they do for the developers to access the APIs, they definitely have done their systems well over time. So that alone is an incentive that the developers are able to use their API and build on top of it and they’re able to access some bit of data. But other than FinTech, which of course both the clients, the solution providers and the bank are both benefiting, I’ve noticed that for sandboxes, regulatory sandboxes, which are not necessarily for FinTech, regulatory clarity has been just good enough for the people to want to participate in these sandboxes, at least for the few cases that I’ve looked at. But I also know that I’ve come across some opinion papers about participants in sandboxes who have thought that probably the regulators were not well-equipped to… run the sandbox. But we know also that that sometimes comes from the point that regulators, their background probably doesn’t put them in the best place to understand everything about technology and the new emerging technologies. So sometimes you’ll find cases where things are taking long, but that’s because probably the regulators are trying to do enough due diligence on the technology to be sure that they understand what they are regulating. So but the idea of just innovators getting regulatory clarity has been good enough incentive, at least for the cases that we have looked at for now.

Bertrand de La Chapelle: I think one of the one of the challenges is the gap of understanding between public authorities and the tech developers, where a lot of the public policy actors are confronted to a rapidly evolving technology and are having difficulties keeping up with the changes. Also, because some of what is being developed is not made public yet. And so you are thinking in terms of regulating what is visible, but you’re not regulating for what is going to come up. And vice versa, when the private actors are developing something, they don’t necessarily know what is fully the applicable legal landscape, if it is a sector where they were not before. I’ve had the discussions with people developing AI applications or foundational models, who are talking about how this will be used for medical applications. And it was striking to understand that they didn’t necessarily know the entire regulatory framework that applies to any medical device, using expert systems and so on already. They were just thinking that it was starting almost from a blank page. So bridging this gap between the public actors and the private sector technologies is one of the objectives of putting in place an appropriate sandbox. Adam, any feedback? And I actually would like, as you asked the question, to have you chime in on the incentives and disincentives as well. Adam, your term?

Adam Zable: Yeah, so I think I think that there are a number of, you can call them disincentives or challenges, for any company to participate in any kind of collaboration with a regulating entity. And I think that there’s kind of, there may be a somewhat standard set of issues that always get repeated. And I think the solution to some of these problems, and it’s not just with the entities participating in the sandbox, but also with the broader society, there’s a lot of fragmentation in the field, as I mentioned, a huge amount of diversity among different sandboxes, which has caused the practices and the ability of regulators to evaluate what’s happening in the sandbox and to build trust. All of those things are difficult to build and standardize when the question of some kind of a standard guideline that the question came up, that is made very difficult by this fragmentation that we see around the world. And these challenges or disincentives that are likely very similar in all the cases of sandboxes around the world. Perhaps there could be some kind of a framework that very quite, quite simply and straightforwardly addresses some of these challenges that could be introduced by the regulator at an early stage of interaction with the participating companies. But such a framework does not exist right now. I think what regulators can do to build trust and try to alleviate some of these disincentives, is transparency and trying to build engagement with not just the participating entities in the sandbox, but also spread the word about the sandbox, the existence of the sandbox, what a sandbox is, what it is trying to do, get the word out to people. Because right now, knowledge about sandboxes is very low. And even though a lot of governments have sandboxes and are even more working to build more sandboxes, most people have no idea what a sandbox for data, even just fintech sandboxes, most people don’t know what they are. So if I could take one example that’s been brought up before by Thiago, I think, is Norway. Norway’s data protection officer runs a data and AI sandbox, and they do all sorts of things to engage the public and stakeholders and build transparency. My favorite thing that they do is they have a podcast about the sandbox. I think, I don’t know what they talk about, but they not only post updates on the website and they have a newsletter, but they also have a sandbox podcast. And I think that’s quite novel and interesting. They also, they organize workshops, they participate in international conferences. They really make an effort more than any other government that I’ve seen to really get the word out about the existence of these sandboxes. In most cases, most sandboxes around the world, the way that they advertise the sandbox’s existence is by posting an invitation to apply to the sandbox on their webpage. They don’t even make a real effort to get the word out to companies that the sandbox exists and is taking applications. So I think you’ve… As a regulator, you’ve got to try to build trust through transparency and getting the word out in proactive ways. Another thing, just briefly, that the Norwegian DPA did was they hired a consulting firm to conduct an external evaluation of the sandbox’s effectiveness. I think that was really another very indicative of the approach that the Norwegian DPA is taking because they produced something like a 50-page report on how the sandbox is going, providing recommendations for how to improve it. That kind of thing is very, very important at this early stage of sandbox development around the world. And then just finally, I will mention this just because Katarina brought up IP protections as a disincentive, or rather the lack of IP protections as a disincentive. One thing that, again, in Norway, the sandbox does is they tell the companies upfront that participants retain ownership of intellectual property brought into sandbox collaborations. I think that kind of thing could be done by more regulators, is just to be upfront about the potential disincentives and how the regulator is addressing those disincentives within the design of the sandbox.

Bertrand de La Chapelle: Thank you. Thank you, Adam. There are, without belaboring, there are other comments that were made in previous discussions regarding the history of interactions with a particular regulator and a particular type of companies, whether there is bad blood that existed beforehand, the fact that some of the smaller companies may sometimes be more inclined to engage, but at the same time not having the bandwidth to do it, while the large companies are probably relying tendentially more on the traditional lobbying mechanism. mechanism than other. So this is a landscape, and I just wanted to make sure that as we are advocating and supporting the notion that sandbox approach is a really important tool, we don’t belittle the challenges in making it just like we don’t belittle the challenges of making it a multi-stakeholder element. So we have the last five minutes here. I will go in this direction. A very quick contribution on the discussions we had and then you can close. I’m sorry, you need the… Yeah, it’s good, it’s good.

Audience: Thank you for the opportunity. You see, different jurisdictions will have different priorities. I think that’s very important to take. Now, having said that, the regulators are seen as tax collectors by most people. So in places like Africa, where people tends to have little income in terms of their ability to pay for big charges, one key disadvantage would be for, I mean, exposing a small company to the fact that they have to pay and they have actually committed themselves, there is no exit route. I think that’s one. And so what we did was try to get that objective was to ensure no payments, right? So you don’t have to pay anything. You are allowed to come in, use the same services, which you would have put there is when a lot of money and processes. So I think as one of the key disincentives for sandboxes, get audience, stakeholders getting engaged is the fact that they have to be made to take responsibilities that in some cases are difficult for them to handle. So I think one of the key issues is for us to make sure we break the barriers of entry, especially for areas where we’re dealing with low income category of entrants that holds the ability to maybe develop concept ideas, but they don’t have resources to make sure these things are done too. So I think that’s the point.

Bertrand de La Chapelle: Thank you. Thank you. It’s very interesting because we haven’t discussed that much the situation where the regulator is actually distributing a shared common resource and is therefore collecting revenues from the availability of this. And just, we were talking about lifting a regulatory obligation. One of the regulatory obligation may be paying for having access to this. That’s an interesting use case. Tiago, you have the, basically the final word. Go ahead.

Moraes Thiago: Okay, so, well, can you? Is it working? Yeah, it’s working. So, yeah, well, I, we’ve basically, I call it. It’s not working very well. Yeah, I think it’s. No, the battery is, battery is off. Do you have another one? Because the battery is off. Can you give me this one? Okay. So, well, just to conclude then, I think I should also highlight that beyond everything that has been said, there are also other external positivity factors that we should be aware of. So, for example, just of being part of a collaborative approach that involves the regulator, because if a company use that in a good way, it can actually share with the potential consumers, the affected subjects, how actually this is bringing more trust to whatever they are innovating there. So I think this is connected to the idea of trust. And for that, well, since we don’t have more time, I think I’ll finish for here, but I’d like to thank the Dr. Sphere for this amazing discussion with so many other experts, and I hope to continue to be in this environment for further maturity for Sandboxes.

Bertrand de La Chapelle: This will definitely be the case. I want just to finish by highlighting, first of all, thanking you all as panelists and the people who attended the session for this discussion. I want to highlight that Sophia has shared in the chat, a certain number of links to resources. Please go to the website, thedatasphere.org to basically have the more information. And the final element is that this is a new avenue. This is a way for the different actors to basically explore what the multi-stakeholder approach can be at the national and even sub-regional levels. And I really encourage you to think about how this can be developed and integrated in your respective processes. And the Data Sphere Initiative team is there to give you information in the context of the Global Sandboxes Forum, and also to assist you and support whatever effort you want to engage in on a topic of interest. Thank you very much. Enjoy the rest of the IGF. Thank you.

Agreement Points

Importance of thorough preparation before launching a sandbox

speakers

MODERATOR

Moraes Thiago

Katerina Yordanova

arguments

Thorough preparation and stakeholder engagement is crucial before launching a sandbox

Brazil’s DPA is using a sandbox to test AI’s applicability to data protection regulations

Lack of resources and expertise can be a barrier for regulators implementing sandboxes

summary

Speakers agreed that careful planning and preparation are essential for successful sandbox implementation, including stakeholder engagement and resource allocation.

Diversity in sandbox approaches across regions

speakers

MODERATOR

Adam Zable

Moraes Thiago

Morine Amutorine

arguments

There is no standard methodology, but common elements are emerging like defined stages

The EU approach focuses on regulatory compliance and risk mitigation

East Asian countries like South Korea emphasize economic growth and regulatory flexibility

Africa has seen mostly fintech sandboxes so far, with growing interest in other sectors

summary

Speakers highlighted the variety of sandbox approaches across different regions, each tailored to specific regulatory and economic contexts.

Similar Viewpoints

Both speakers emphasized the importance of trust and clarity in encouraging participation in sandboxes, noting that companies may be hesitant to engage without assurances of regulatory certainty and protection.

speakers

Katerina Yordanova

Morine Amutorine

arguments

Companies may be hesitant to share information with regulators due to distrust

Regulatory clarity is a key incentive for innovators to join sandboxes

Unexpected Consensus

Importance of incentives for sandbox participation

speakers

Katerina Yordanova

Audience

arguments

Access to data sets can be an incentive for companies to participate

Removing fees can lower barriers to entry, especially in low-income areas

explanation

Despite coming from different perspectives, both speakers highlighted the importance of providing tangible incentives to encourage participation in sandboxes, particularly for smaller or resource-constrained entities.

Overall Assessment

Summary

The main areas of agreement included the importance of thorough preparation, the diversity of sandbox approaches across regions, the need for trust-building and regulatory clarity, and the significance of providing incentives for participation.

Consensus level

There was a moderate level of consensus among speakers on the fundamental principles and challenges of sandboxes. This consensus suggests a growing understanding of sandbox best practices, while also highlighting the need for flexibility in implementation across different contexts and regions.

Different Viewpoints

Approach to regulatory flexibility in sandboxes

speakers

Adam Zable

Moraes Thiago

arguments

The EU approach focuses on regulatory compliance and risk mitigation

East Asian countries like South Korea emphasize economic growth and regulatory flexibility

Brazil is taking a collaborative approach involving multiple regulators

summary

Adam Zable highlighted the contrast between the EU’s focus on compliance and risk mitigation versus East Asian countries’ emphasis on economic growth and flexibility. Moraes Thiago presented Brazil’s approach as a middle ground, involving collaboration between multiple regulators.

Incentives for sandbox participation

speakers

Katerina Yordanova

Morine Amutorine

Audience

arguments

Access to data sets can be an incentive for companies to participate

Regulatory clarity is a key incentive for innovators to join sandboxes

Removing fees can lower barriers to entry, especially in low-income areas

summary

Speakers presented different views on what incentivizes participation in sandboxes. Katerina Yordanova emphasized access to data sets, Morine Amutorine highlighted regulatory clarity, while an audience member suggested removing fees as a key incentive.

Unexpected Differences

Regional differences in trust towards regulators

speakers

Katerina Yordanova

Morine Amutorine

arguments

Eastern European companies tend to be more distrustful of engaging with regulators

Regulatory clarity is a key incentive for innovators to join sandboxes

explanation

While Katerina Yordanova pointed out a high level of distrust towards regulators in Eastern Europe, Morine Amutorine suggested that regulatory clarity is a key incentive for participation in Africa. This unexpected difference highlights how regional contexts can significantly impact the effectiveness of sandbox initiatives.

Overall Assessment

summary

The main areas of disagreement revolved around regulatory approaches, incentives for participation, and regional differences in trust and implementation of sandboxes.

difference_level

The level of disagreement among speakers was moderate. While there were clear differences in approaches and perspectives, there was a general consensus on the value of sandboxes as a tool for innovation and regulation. These differences highlight the need for flexible, context-specific approaches to implementing sandboxes across different regions and sectors.

Partial Agreements

Both speakers agreed on the importance of building trust for sandbox participation, but emphasized different aspects. Adam Zable focused on public engagement and transparency, while Katerina Yordanova highlighted the need to address IP protection concerns.

speakers

Adam Zable

Katerina Yordanova

arguments

Transparency and public engagement are important for building trust in sandboxes

Addressing IP protection concerns upfront can incentivize participation

Similar Viewpoints

Both speakers emphasized the importance of trust and clarity in encouraging participation in sandboxes, noting that companies may be hesitant to engage without assurances of regulatory certainty and protection.

speakers

Katerina Yordanova

Morine Amutorine

arguments

Companies may be hesitant to share information with regulators due to distrust

Regulatory clarity is a key incentive for innovators to join sandboxes

Key Takeaways

Sandboxes provide controlled environments for experimenting with new technologies and regulations, with regulatory sandboxes focusing on compliance and operational sandboxes testing new applications.

There is no standard methodology for sandboxes, but common elements are emerging like defined stages and thorough preparation.

Transparency, public engagement, and addressing concerns like IP protection are important for building trust and incentivizing participation in sandboxes.

Regional approaches to sandboxes vary, with the EU focusing more on compliance while East Asian countries emphasize economic growth and flexibility.

Challenges for sandbox implementation include lack of resources/expertise for regulators and distrust from companies in sharing information.

Access to data sets and regulatory clarity are key incentives for companies to participate in sandboxes.

Resolutions and Action Items

The Datasphere Initiative will release a series of use cases and experiences from past sandboxes at a meeting in Paris in February.

The Datasphere Initiative team is available to provide information and support efforts to develop sandboxes through the Global Sandboxes Forum.

Unresolved Issues

How to effectively bridge the knowledge gap between public authorities and tech developers in sandbox environments

Best practices for incentivizing both large companies and smaller startups to participate in sandboxes

How to standardize sandbox practices globally while accommodating regional differences and priorities

Suggested Compromises

Using ‘closed room’ type arrangements to protect companies’ IP and sensitive information while still allowing necessary sharing in sandboxes

Removing fees for sandbox participation to lower barriers to entry, especially in low-income areas

You can have a sandbox that is mostly about what are or should be the rules. And another that is about literally experimenting, particularly with certain types of data, especially when it is sensitive data, you want to have a space that is enclosed.

speaker

Bertrand de La Chapelle

reason

This comment introduces the key distinction between regulatory and operational sandboxes, providing a framework for understanding different sandbox approaches.

impact

It set the stage for the rest of the discussion by establishing a fundamental categorization of sandboxes. Subsequent speakers often referred back to this distinction when describing specific sandbox implementations.

The South Korean example specifically, they specifically shift the paradigm from restrictive regulation and compliance to permitting activities in the sandbox unless they are explicitly prohibited.

speaker

Adam Zable

reason

This insight highlights a fundamentally different approach to sandboxes, contrasting with the European model focused on compliance.

impact

It sparked a discussion about regional differences in sandbox approaches and objectives, leading to a more nuanced understanding of how cultural and regulatory contexts shape sandbox implementation.

Even inside EU, where we have so many laws that are basically the same for all of us, I see many differences in terms of the needs of member states that want to have regulatory sandboxes, not only when we’re talking about AI sandboxes, but in other sectors as well.

speaker

Katerina Yordanova

reason

This comment challenges the assumption of uniformity even within a seemingly homogeneous regulatory environment like the EU.

impact

It deepened the conversation by highlighting the complexity of implementing sandboxes across different contexts, even within a shared regulatory framework. This led to further discussion about the need for flexible approaches.

One of the things we identified for the Kenya Communications Authority, for example, they were interested in learning what innovations cannot be covered by their former frameworks of regulation.

speaker

Morine Amutorine

reason

This insight reveals how sandboxes can be used proactively to identify regulatory gaps, rather than just testing compliance.

impact

It shifted the discussion towards considering sandboxes as tools for regulatory learning and development, not just for testing or compliance purposes.

Companies in general are very, very unwilling to talk with the regulator and explain how their system works, precisely because they think that at some point in the future, what they shared could be used against them.

speaker

Katerina Yordanova

reason

This comment brings attention to a significant barrier to sandbox participation – distrust between companies and regulators.

impact

It led to a discussion about the importance of trust-building measures and transparency in sandbox design, highlighting a critical challenge in sandbox implementation.

Overall Assessment

These key comments shaped the discussion by moving it from a general overview of sandboxes to a nuanced exploration of regional differences, implementation challenges, and the diverse objectives of sandbox initiatives. The conversation evolved from defining sandboxes to examining their practical applications, cultural contexts, and potential barriers to success. This progression deepened the analysis, highlighting the complexity of sandbox implementation and the need for flexible, context-specific approaches.

How to develop a standard methodology or framework for running sandboxes?

speaker

Farouk Yusuf Yabo

explanation

A standard methodology could help guide implementation of sandboxes across different contexts and countries.

What are concrete examples of successful sandbox implementations?

speaker

Luis Fernando Castro

explanation

Examining successful cases could provide valuable insights and best practices for others implementing sandboxes.

How to address intellectual property concerns in sandboxes?

speaker

Katerina Yordanova

explanation

IP protection is a key concern for companies participating in sandboxes and needs to be addressed to encourage participation.

How to improve public awareness and understanding of sandboxes?

speaker

Adam Zable

explanation

Increased public awareness could lead to greater participation and trust in sandbox initiatives.

How to evaluate the effectiveness of sandboxes?

speaker

Adam Zable

explanation

External evaluations, like the one conducted in Norway, could help improve sandbox design and implementation.

How to address the resource constraints of smaller companies in participating in sandboxes?

speaker

Bertrand de La Chapelle

explanation

Ensuring smaller companies can participate is important for inclusive innovation and regulation.

How to design sandboxes that are accessible to low-income participants?

speaker

Audience member

explanation

Addressing financial barriers to entry is crucial for encouraging participation from diverse innovators, especially in developing regions.