The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> BERTRAND DE LA CHAPELLE: For people in the room and online, hello, everyone.
We're going to start literally in one minute.
Just trying to get the people on the screen.
But can you display them so that when they come back we have them?
Okay. So, as we wait for people to be displayed because they are supposed to be online, it's my pleasure to welcome all of you here, physically, and online.
Actually, if you can grab the bottle of water that is there, I think it would be great if I have one.
Yes.
There they are.
So, as I said, it's my pleasure to welcome you both online and offline.
My name is Bertrand de La Chapelle. I'm the Chief Vision Officer of the Datasphere Initiative.
Today we're going to talk about sandboxes. Sandboxes is a term that is emerging very strongly around ‑‑ and it's a little bit mysterious for a lot of people.
Before we get into the discussion, I want to paint a very quick picture about what we're talking about.
And why do we think it is important to have a discussion about sandboxes?
You know the term refers to what we are all familiar with when we have kids, is this place where you can play. And it's also a place where you can experiment.
You can build something, see if it works.
If it doesn't work, you restructure, you organize something different.
It's something that is limiting the consequences of the experiment to the sandbox itself.
It's being used in research.
You can have a sandbox to experiment some techniques. You can have a sandbox in various environments. And what we're going to talk about today is this tool for experimentation in an environment that is connected to technology and the public authorities and the rules that apply to technology.
When I say rule, it's not only regulation.
It can also be the Guiding Principles, the self‑organizing principles that, or self‑regulatory principles, that a particular sector is adopting.
So this notion of sandbox and we're increasingly the work in the Datasphere Initiative using this also as a verb, like "to sandbox" meaning using a sandbox to experiment.
This is something that is increasingly considered around the world as a tool for agile frameworks or developing agile frameworks and providing experimentation space for things that are innovative.
It is easier to foster innovation or easier to deal with an application and see what is, for instance, the impact of regulation.
Which means in particular we can make a rough distinction.
It's a little bit not a caricature but a strong distinction but you can see sandboxes that are regulatory sandboxes. Or, operational sandboxes. Without delving too much into detail, you can have a sandbox that is mostly about what are or should be the rules, and another that is about literally experimenting particularly with certain types of data, especially when it is sensitive data.
You want to have a space that is enclosed.
And actually, there's an analogy that comes to mind as I speak which is we're all familiar with the notion of an air‑gapped computer. An air‑gapped computer is something that is not connected to the Internet so if something is wrong on the system, if you're testing malware or something like that, you don't want this to go on the network. So you create an environment that is under certain rules and protected.
That's what we're talking about when we're talking about sandboxes.
And the studies that we've conducted as part of the Datasphere Initiative have recorded at that stage more than 70 countries who have in one way, shape, or form used sandboxes in their preparation of a law, in the implementation of the law, or in thinking about whether a particular law applies, or whether a particular law should be changed.
You can have also hybrid mechanisms, but what is important is that it can come at different stages of a process.
And we will discuss that a little bit further in the meeting.
It can come, as I said, very early on to anticipate the problems that may be caused by particular technology, and in the context of AI it's particularly relevant given the speed at which the technology changes.
But it can be also regarding existing regulations whether they hinder innovation or whether they're applicable to a new technique.
It can also be in the course of a development of a legislation to organize the consultation and the participation of different actors.
I was mentioning the regulatory sandboxes and the operational sandboxes.
What we're going to talk about today is mostly about regulatory sandboxes, i.e. when there is a public authority or someone with the responsibility to set up a process to engage a group of private and Civil Society actors in the experimentation or the exploration of their challenges around a particular issue.
And what is important is whatever the shape or form, whether it is early in the process, whether it's purely regulatory or operational, most sandboxes actually go through predetermined stages.
So you have a very early phase that is basically dependent upon the readiness of the public authority to launch a sandbox because it's a new type of interaction.
It's different from the traditional, I would say, command and control adoption by purely the processes of the parliament and traditional consultations.
So there is a question of do the public authorities have the preparation to organize and manage a sandbox?
The second thing is the early stage of setting up the sandbox exercise is extremely important.
How do you identify the relevant stakeholders? The different actors that should be participating?
What is the exact purpose of the sandbox?
And if you miss the early stage, if you do not spend enough time, you actually are launching into an exercise that will not produce what you're actually wanting to produce.
So the concept of sandbox has generated a lot of interest.
It's a practice that is growing. On many different issues. And this is something that we've done with the Datasphere Initiative.
But it is something that's relatively new but still intimidating for a lot of actors because, let's be honest, it's wonderful when it works well but there are challenges in setting it up.
If the methodology is not set up correctly it can incur risks for the public authorities but also with the private actors who engage in the process so the methodology is important.
Overall, to summarize, sandboxing is a form of ‑‑ is an approach. It's a spirit.
And it is very close to the multistakeholder approach. I think it's very topical to have this session here at the IGF because it's a way to insert a multistakeholder spirit or approach at the national level. Not necessarily at the global level but the national level.
And sometimes as a subnational level because it can also be used by municipalities, for instance.
But a way to introduce multistakeholder consultation and participatory processes in the traditional rule setting procedures.
So, as the Datasphere Initiative, we have launched in Rio, we have done a report that you can find online at the website thedatasphere.org, a report that we produced for the UK government in the context of their Presidency of the G7 in 2021, and we also launched in Rio, Brazil, on the occasion in July this year, on the occasion of the G20 Presidency of Brazil, a Global Sandboxes Forum, that I'd be happy to discuss with you afterwards, which has the purpose of bringing together the actors who are doing sandboxing or are intending to do sandboxes to exchange experiences and connect.
And Sophie here is putting in the chat more connections to the work online.
So our goal is to socialize the concept.
It's the reason we have this session here.
I have a few people around the table physically and virtually with the purpose of actually exploring two things, with a big emphasis on the first one, and a little bit on the second one.
The first thing is to delve more in detail in the concept itself around people who have, actually have, the experience of doing sandboxes or studying how they work, and basically addressing the why to sandbox, when to sandbox, and how to sandbox.
And the second thing, afterwards, is that sandboxing is a trust‑building exercise between actors who don't necessarily have a lot of confidence in each other.
So one of the prerequisites for an effective sandboxing is that we work on having buy‑in and increasing the trust between the different actors so that they can engage.
So, without further ado ‑‑ and sorry I forgot to mention that apart from the Global Sandboxes Forum we also have underway a dedicated programme for Africa, which is an Africa Sandboxes Forum, and Morine can say more in particular about this.
Without further ado, getting into the first thing, and don't hesitate to use the chat to make comments, ask questions, and Sophie will be following this.
I now turn to the person on my right who is Thiago Moraes who is, among other things, with the Data Protection Authority of Brazil. And they are embarking into a sandbox effort on a very interesting topic which is the applicability of the articles of the data protection regulation in Brazil to AI.
And what is interesting, and I'd like you to elaborate a little bit on this, is that you did also a very intense preparatory work beforehand illustrating what I was saying earlier, that preparation before launching a sandbox is an important thing.
And there's also the question of the connection between parties.
If you want to go first?
>> THIAGO MORAES: Thank you, Bertrand, for the invitation from the Datasphere Initiative. I think it's a very relevant opportunity for us to have this discussion. Because as you said, the collaborative approach that sandboxes should have embedded in it, the IGF is all about this in its principles.
And it's also very curious. Maybe I'll start from here, saying that we started looking in sandboxes because they were like two years ago, actually, when we were delving more and more in the AI governance, AI regulation topic, and how it connects with data protection, we start to hear this new buzzword which was the sandbox, the regulatory sandbox.
I have to acknowledge that that is very important, that the work of the Datasphere at the moment, that you had one of the main reports on the topic, I mean there was also, of course, a nice work from the Working Group, the German government also had some nice publication, but yours were the first report focused on our data‑oriented sandbox, which has a lot to do with what we do, since there's a big chunk of data which is personal data that's the role of DPAs to be concerned with.
Yeah, first of all, I'd like to thank for the nice report that you published some years ago.
But from that, we saw, actually, here is something that can be really truly hands‑on, which is important.
I work in this unit in the DPA that's related with how to cope with innovation and how we make actually regulation for and with innovation and, of course, not any kind of innovation but the responsible ones, innovation that's, like, adequate to regulations such as the data protection legislation.
And because of that, we decided to, okay, let's do a throughput study.
We started with a benchmark research. I think that's the first step of what we should look about so we could understand more of the methodology of the sandbox, and of course your work was part of it, but many of these others that I mentioned.
Also, we did some interviews not only with other regulators in Brazil, other economic actors and agencies, but also with our peers. So we talked with Data Protection Authorities from other countries, like Norway who has a very interesting AI‑focused privacy sandbox.
We talked with the ICO in the UK, Singapore, and also Colombia.
This was very interesting because we saw that the way that privacy regulators have been dealing with sandbox is a bit different from what we see in, for example, in financial sector where one of the main outputs of the sandbox is to really give this bigger leeway, giving more flexibility and to lower barriers to the innovative process development.
In the meanwhile, what privacy regulators are usually concerned about is how often the innovators are being able to cope with this complex legal framework, which can be the data protection ones.
So there was a lot of guidance and supporting.
From there, partnerships were important.
We did a first co‑operation with the Development Bank of Latin America and the Caribbean, CAF, where a consultant worked with us.
So we did data design of what we were aiming with our sandbox. We saw that we needed to understand better some provisions of our data protection law that was connected with the topic.
More specifically, we had Article 20 which was about good decision‑making, so very similar to what we have in Digital.BR.
We saw among several things the topic of transparency was there, another buzzword. Okay. Maybe we can look at what that means. And with that, we shared with society, we did a consultation to collect input.
This was done...(microphone going in and out)
And from there, we now have made advancement to actually start launching it.
Now we have a better idea of where we want to go.
The results of the consultation have not been shared yet but we are going to share.
It's just because we want to make sure that everything that our technical teams have analysed is in consensus with the high board, so we're in this phase right now.
In the meanwhile, we're gathering expert support. Because we saw that was a differential in several cases, like for example in Norway. Because countries that didn't do that, they had a lot of trouble thinking the sandbox could be an interesting tool but couldn't see the complexity of it. So when we have a more mature institution, like let's take the ICO in the UK which has been running on for 20 years as a DPA and they have more than 300 staff, so they could have a dedicated unit for that.
That's not our reality. We are a three‑year‑old DPA. Our Innovators Unit has four people that cannot deal only with sandbox and not only with AI. We have blockchain and PPATS and several other technologies to follow up, and not only sandbox work. So we said, okay, we need experts with us.
We did this partnership now with the UNDP who is helping us to bring partners in university to work with us so we have a more multistakeholder group working on that with us.
We also see that a last part that we're still missing before starting the launch is our awareness‑raising campaign.
After all this trouble, if we cannot connect with potential participants like going to incubators and talking with startups or just data‑driven companies that would be interested in learning more, we can have a risk here of, like, making the call for projects and no participants being really interested.
Because as you said, to us, as an important part of that, I will keep that for the next part, but this is definitely key if we want to make a successful sandbox.
Thanks for the opportunity.
I pass the floor off to you.
>> BERTRAND DE LA CHAPELLE: Thank you so much, Thiago. I think many people understand the notion of sandbox in one angle in particular, which is the temporary lifting of some of the regulatory constraints to enable the testing of new applications.
This is particularly what has been done in the fin tech environment which has been one of the first testing grounds for sandboxes.
What I think is important to understand is that it may be one feature sometimes on a sandbox, but it's not a necessity.
And in the case of the Brazil DPA, it is not about lifting a regulation. It's about looking at how a particular article applies to a particular type of sector.
The second thing is, you highlight very clearly, and I was asking a little bit the why, the when, and so on, I think the effort that you've made to talk to other actors and the comment that you made regarding the maturity of an operator is a very important one.
You used an expression which is basically have a dedicated unit.
I think it makes sense to consider, in the future, as sandboxing becomes a more widespread practice, every government and regulator and so on will have to have a pool of components to help people with the sandbox.
In that regard, given the levels of maturity that are different, the sharing of practices and experiences among all of those who have done sandboxes is a very important element.
That's one of the reasons why we generated the Global Forum on Sandboxes.
Which leads me, actually, to another dimension, and I will pass the floor to Adam Zable, who is a Research Fellow at The Gov Lab, who has been following these issues for quite some time, to offer a perspective for sandboxes for certain regions of the world.
Because we're talking a lot about sandboxing particularly in the European Union at the moment, because of the explicit mention of the use of sandboxes on the AI Act, because you may know that the AI Act requires all governments in Europe to put in place a sandbox by 2026.
But what I would like to hear from you is how do you see, for instance, the differences in approaches between different regions, particularly in Asia versus Europe or the U.S, in your view, given your experience in that regard? Adam, the floor is yours.
>> ADAM ZABLE: First, thanks so much for inviting me to speak.
As Bertrand said, I can provide something of an international comparative perspective because over the past year I have been working as a Datasphere Initiative fellow on sandboxes. So I've been doing research on sandboxes for data and AI around the world. So that's pretty much the question I can answer about the differences between regions in terms of sandboxes. I mean I think my comments here are going to really put a finer point, a pin in the point that both of the previous speakers Bertrand and Thiago have already mentioned, which is right now there's really an incredible diversity of sandboxes around the world. They differ so much in terms of their objectives, their scope, intended impact, and the regulatory flexibility allowed for the participants.
You have local sandboxes, you have international sandboxes, and you have national sandboxes which are by far the majority in terms of data and AI sandboxes.
My research has shown that there are around 19 data and AI sandboxes at the national level, 15 of which are regulatory sandboxes, which are I think the main focus of this session.
But, and the other two are operational or data sandboxes, and the other two are you could say hybrid of some kind.
I think the main difference that I have seen in the approaches to sandboxes in different regions is this question of regulatory flexibility and really just the underlying objectives of the sandbox.
What the government, the implementing entity, what their goal is in creating the sandbox, and I have seen two main camps here.
The first can be considered kind of the European approach. It is built off of, I think, a number of EU member states' governments data sandboxes and some now for AI.
And as Bertrand has said, in the AI Act, every member state is required to establish an AI sandbox within the next few years.
These sandboxes, as well as others from other countries that have taken the model, they really focus on regulatory certainty, risk mitigation, and compliance.
The idea I think of many of these sandboxes is to ‑‑ as sandboxes do, they provide a controlled testing environment with collaboration between the innovators and the regulators. But here the focus is really mostly on identifying risks, ensuring compliance with existing regulations, and promoting the sharing of best practices.
There is ‑‑ fostering competitiveness is an element here but they are primarily aimed at ensuring regulatory compliance, making sure that the regulatory environment, which is taken as a given, they take that as a given and ask, how can we better enable companies to compete while complying with this regulation? That is perhaps I would say the main or perhaps the most in terms of number of countries implementing sandboxes, this is a very prominent approach.
But there's another camp that is very different.
Right? The sandboxes are just an incredible variety of implementation, but the other main camp that I see can be considered in a reductive sense to be the East Asian approach, Singapore and South Korea specifically, also Japan.
But you can see it very prominently in the South Korean approach.
South Korea has for a number of years implemented a regime of sandboxes in different fields and different sectors, but the focus of the South Korean sandboxes is much more on economic growth, technological innovation, and regulatory flexibility.
That encourages experimentation rather than compliance.
The South Korean example specifically they specifically shift the paradigm from restrictive regulation and compliance to permitting activities in the sandbox unless they are explicitly prohibited.
So they can take ‑‑ they can temporarily ‑‑ in these kinds of sandboxes they can temporarily restrict the application of certain regulations.
Whereas, in the EU the regulatory environment is taken as a given.
In South Korea, the sandbox includes other elements of agile governance as well, such as rapid regulatory confirmation and temporary permitting and other measures that allow businesses to begin their operations after safety checks but before legislative updates.
And in the same vein as legislative updates, in these sandboxes, when the regulator and companies come together, it's not only to make sure that the company is complying with the law but also to make sure that ‑‑ also to bring the company and the regulator in to help understand where the law might be changed to better accommodate the new technology that is being experimented with in the sandbox.
>> BERTRAND DE LA CHAPELLE: If I may interject here, my understanding is that it can even go as far, in the case of Singapore, of doing something on a completely explanatory manner like a very early phase, just to get the actors to have a better mutual understanding of what the challenges may be, even without the objective of developing a legislation or changing the legislation.
Is that indeed the case?
>> ADAM ZABLE: Yes, so Singapore has a few different sandboxes, but the one that I think is most relevant here is they have a generative AI sandbox where it's very different from other kinds of sandboxes you see elsewhere, and it can't really be classified as a regulatory or operational sandbox necessarily.
But that one brings together some of the biggest companies in the world.
I believe the goal there is, the Singapore or the IMDA, they developed some guidelines and they bring all these companies together to work on these guidelines and to implement them and to develop them further. And they're guidelines for trusted use of generative AI, if I'm not completely mistaken.
>> BERTRAND DE LA CHAPELLE: Yeah. Thank you, Adam.
So all distinctions are always a little bit caricatural. Of course, there are applications in the EU that will be more flexible and some in Asia that will be different.
But it's interesting to look at the huge diversity. And I would make an analogy here. You know, if you look at countries as different as European and U.S. ‑‑ I mean the U.S., the UK, France, and Germany, they're all representative democracy countries, with a parliament, with a different institutional structure.
But the arrangement within those countries in terms of institutions is extremely different.
I think we can consider the same thing for sandboxes. The spirit of sandboxing is an experimental, proactive, participatory, and discussion‑building and trust‑building exercise.
There are many different ways to implement in terms of purpose, and how it's structured, or when, or the reason why it's set up.
There are common elements, but just like you can have a parliament, a prime minister, and a supreme court, you can have very different organisations of the relationship between those two entities, three entities.
In sandboxing, it's the same. You can have different stages, different roles, of the private and public actors. Sometimes you can have a sandbox that is triggered or initiated by a private actor saying, "I really would like the landscape to be explored together because there's a new technology and I don't know how the regulatory framework is going to apply."
So thank you for the distinction between the different regions and I would like to continue the exploration of the globe in a certain way by going to, first, Morine Amutorine, who is a Research Associate at the Datasphere Initiative and who is in charge in particular of what I mentioned earlier, which is the Forum on Sandboxes in Africa.
Morine, can you give us a little bit of a perspective on how the notion of sandboxes is being used in Africa?
>> MORINE AMUTORINE: So under the Africa Forum on Sandboxes for Data one of the recent activities that we've been involved in to feed into our report on Africa's ‑‑ on an outlook on Africa when it comes to sandboxes is mapping sandboxes across the continent, where are they, what are they focussing on, who is running them, and, you know, to really get insights about what's happening on the continent.
So we have come across a number of case studies of sandboxes and, surprisingly, most of them are in the fin tech sector. Over 90% of the sandboxes in the continent are in the fin tech sector. So the goal there is, of course, for competitiveness advantage really for most of them.
But maybe for my insights really about Africa today I'll share about a case of one sandbox that is run by a government organisation, which is the Kenya Communications Authority, and their sandbox is focussing on anything ICT.
And so, one thing that we have identified is their ‑‑ well, from engaging with the people in that sandbox is the need for the experimentation of regulations and guidelines for innovators is high.
That's one of the things we have learned across all case studies. I mean when a sandbox is set up, the applications are usually overwhelming.
Which means that the appetite of the people to understand, to have regulatory clarity, is there.
Both in Private Sector but also in the public sector.
So one of the things we identified for the Kenya Communications Authority, for example, they were interested in learning what innovations cannot be covered by their form of frameworks of regulation.
Because they realized there's lots of innovation happening but they're not sure their old frameworks would be able to regulate these emerging solutions.
So that was their motivation for setting up the sandbox.
And when they did, one of the other things they learned along the way, what was the need for multiregulators in the same sandbox because they realized one solution can cut across different sectors.
This is a sandbox that is actually new.
It started having many participants because one of the lessons that we have been picking up is most participants sometimes are not ready for their sandbox.
The application will come in and you realize that whatever is coming and people are not yet ready for the sandbox, to participate in the sandbox, maybe based on their level or their innovation of where they are or their understanding of the sector for which they're trying to innovate.
So there are also those cases of accepting people into a sandbox takes long because the regulator has to take on the responsibility of making sure that people that are getting into the sandbox are ready to participate in the sandbox.
But, why this case is interesting is because, again, it's the government entity, the Kenya Communications Authority is a government entity.
It's one of a kind because the rest of the sandboxes are in fin tech.
There's not much documentation online that we have found about sandboxes so we have had to look for people to interview, have one‑on‑one which of course sometimes takes a bit of time.
But for the few that we have engaged, the idea of regulatory experimentation is very welcome.
And it's picking up ground on the continent because even with the few stakeholders we have engaged they're so much interested in setting up sandboxes, but the lessons we're learning from people who are already running these sandboxes is this idea of preparation before setting up a sandbox.
For the goal of the sandbox to be very clear because we've had people with this issue of the cohort is supposed to test the particular type of technology but then you're getting people applying with all sorts of other things because there was not good communication with the public for them to understand exactly what happens, what is expected in a sandbox.
So I think in a nutshell I can say that almost, let me see, about 34 countries on the continent have sandboxes, of which of course most of them are in the fin tech sector, the financial sector for fin tech, but other sectors are piquing interest because of dialogue that is happening.
But also, like, the community that we as the Datasphere Initiative have been trying to put together through the Africa Forum on Sandboxes for Data project.
Yes, I'll stop here for now.
>> BERTRAND DE LA CHAPELLE: Thank you, Morine.
I think this is something becoming recurrent.
The degree of interest that is being triggered and, in that regard, the uncertainty about how to do it, and whether actors are actually ready. This is why it is so important to, one, have the preparatory process to bring people up to speed.
I wanted to give another example in that regard.
In Lithuania, someone was participating in an online workshop we were doing and was mentioning that for an upcoming sandbox that they were planning to do they will have actually a few weeks bringing together the actors who are going to participate in the sandbox, both from private and public authorities, to actually do a preparatory work before the sandboxing exercise itself.
So this is why the methodology is so, so important.
The methodology may vary a little bit depending on the purpose, as was mentioned already.
But in all cases, the preparatory work is absolutely a key criterion for success.
This is why it is so important to share the lessons from the different experiments. If there is a domination of fin tech sandboxes, not all lessons can be transposed identically.
But still, you can learn and have information from other regions or people who have developed sandboxes in other topics than the ones that a regulator is contemplating.
Thank you, Morine.
Let me move to Katerina now, who is a senior legal expert at the University of Leuven.
You've heard that different perspectives on how to do it in Brazil and the other regions, and different types and reasons people want to do sandboxing, and when they should do it and how they should do it.
What comes to mind when you listen to those elements? And can you share what are the lessons from what you've been working on?
>> KATERINA YORDANOVA: Yes.
Thank you, first of all, for organizing this workshop.
I was really listening to what was happening that the other speakers shared from their respective regions. And you started the workshop by emphasizing that when we're talking about sandboxes we're really having a problem or more like a challenge to identify what exactly is this that we're talking about, because there are so many approaches to them and there's so many ways to do them.
And I personally don't think that's a bad thing because I do not really subscribe to a one‑size‑fits‑all approach.
Not only worldwide when we're talking about sandboxes but also inside European Union because, I mean, I worked in the EU framework and legal framework and also if you talk about the sandbox framework.
Even inside EU when we have so many laws that are basically the same for all of us, I see many differences in terms of the needs of Member States that want to have regulatory sandboxes, not only when talking about AI sandboxes, but in other sectors, as well, but also the way that they need to approach them so those sandboxes can actually be useful for them, and their economies.
And in the recent years, I would say that maybe I have the fortune to work mostly with Member States that had zero experience with regulatory sandboxes inside EU, which is kind of an exciting setting because you actually need to start from scratch and be creative but also be wise. Because a lot of those countries, including my country of origin which is Bulgaria, we don't have these kinds of resources that UK will have. And Thiago already mentioned some of those differences that are quite obvious.
At the same time, we do have these lessons we learned from GDPR. Because GDPR was a huge, monumental threshold that changed a lot of things in the regulatory landscape in EU.
Of course one was the creation of the network of competent authorities which had to monitor GDPR, which was a challenge, which this challenge became more apparent the more time passed.
If you look at this report, I think it was last June, they had some not surprising but concerning remarks that different Member States, like Bulgaria and Slovenia, that do not have that many resources do not really succeed in implementing GDPR in a meaningful way compared to countries like France, for example.
It will be the same when we talk about the AI Act because those resources are not magically going to appear, and that's when we're talking about sandboxes, which of course the AI Act establishes an application for the Member States to have at least one working by 2026, there we have a problem.
Because the regulatory sandboxes, the way that they're described in the AI Act, it's a very expensive exercise.
And that's why when we are looking at this obligation from the perspective of a Member State that has zero experience with sandboxes in general, then this price becomes even greater because you need to learn how to do it. First, realize why you have to do it. Okay. You have the application, but then you need to realize how you can do this to actually attract some people to apply in the sandbox.
And then you have the methodology part where you have to find out what's the best methodology that works for you, your structure, the fact that if you're a federal state or not, because there's of course a lot of differences there.
And when you figure all this preparatory work, which can take more than a year or two depending how many people work on it, it's just then when you can start informing the society and informing the other stakeholders and try to prep them to get excited for the opportunity to work in the sandbox.
So I would say that these differences, realizing those differences and working within the limitations inside the Member States, and inside countries in general, but it's very vital. Because, yes, the idea of experimental legislation is super exciting especially for legal scholars, but at the end of the day we need to figure out what's the maximum that we want to achieve and what's the realistic results that we can achieve.
And of course, it's better to have something than have nothing.
So I'm very pragmatic about the whole approach to sandboxes in general.
>> BERTRAND DE LA CHAPELLE: Do you feel the AI Act is sufficiently making the case of the benefit of using a sandbox, instead of basically presenting it as an obligation? Because there's sort of a feeling that it basically says, "You have to do a sandbox," but the reason why you should be doing this is not necessarily elaborated fully.
And this resonates very strongly with the problems that we in this community at the IGF have when explaining why we should have a multistakeholder approach.
Because in many cases, it's an injunction to use a multistakeholder approach with a lot of uncertainty on how you can do it.
Do you think the case for why to use this is sufficiently made?
>> KATERINA YORDANOVA: I personally do not think it's sufficiently made. Some say, yeah, it's perfect, but it's not really. It's not that we can't explain to the companies and the potential participants in the sandboxes why they want to participate, but sometimes you also have to explain to the regulators why would they want to do it.
And I would say that because we talked about those different types of sandboxes where you have waiving of certain rules of the laws that surface for these participants, in the EU, unfortunately, that's not something we can do.
Maybe we can lift certain rules here and there.
In Hungary they have a good use case.
But it's not sufficient, in any experience, to inspire someone to dedicate six months of their time to working in the sandbox, especially if that means you need resources.
One of the things I feel strongly about, personally, in Europe if we don't have the ability to offer this waiver of certain rules, also because we have these common laws on European level, maybe we can offer something else.
That's what the data, where the data comes into play.
Again, I will give this example from Bulgaria where we're currently trying a very weird bottom‑up approach to make a sandbox.
One of the things that we offer as an incentive are datasets that are privacy preserving so you can be sure that GDPR is sufficiently ‑‑ the rules of GDPR are implemented in these datasets but also offering datasets that don't necessarily have anything to do with personal data because we have a vast amount of non‑personal data that can be useful for innovators when they're developing their products.
>> BERTRAND DE LA CHAPELLE: Thanks.
What came to mind as you were speaking about lifting rules, if you look at a structure like the European Union where you have different instruments regarding directives or regulations, lifting rules is harder to do because it would require coordination between the different states.
Whereas, when it is a regulation it's probably possible to decide to lift something, but I'm not sure that the competence of the Commission is sufficient to take the unilateral decision to lift a particular provision on something that has been adopted by the whole community of 27 nations.
So I don't want to belabour on this, but thank you for the remark regarding the difference between putting something in a text and having to actually implement it and developing it when there's no vast experience.
I want to pause here before we get to the second thing because actually what you mentioned, Katerina, on the incentives is a very good segue to the second part that I wanted to raise regarding the trust question.
And the why is it beneficial? But also why different actors may want or not want to participate in the sandbox.
But before that, let me open the floor and the room to anybody who would want to ask a question, including online, if Sophie, you see anybody in the chat having a comment.
And if you want to ask a question, please introduce yourself beforehand.
Anybody? Yeah.
Looks like it's working.
>> FARUK YUSUF YABO: Thank you very much for a very interesting presentation.
My name is Faruk Yusuf Yabo. I'm the Permanent Secretary of the Federal Ministry of Communications, Innovation, and Digital Economy in Nigeria.
I have two questions.
One is to find out whether there is a standard methodology, if you like, or framework that is generally used for running a sandbox? Now, I've had two versions of the sandbox, the regulatory and operational.
I also want to check which part does the one we're running fall in? It appears to me to be somewhat in between? Our goal was to create opportunity for individuals and small startups that do not have the resources to navigate around the regulatory space or even around payment for certain government‑owned rates, for example, access to frequency.
So we wanted to create a pre‑frequency that will allow for technologists to come in and then run frequency‑related technology projects. And it's meant to be a national thing.
Because we notice there are so many people around who are into different things, but who may not necessarily be able to come on and follow the process ‑‑
>> BERTRAND DE LA CHAPELLE: Sorry to interrupt you. Is it mostly around access to free spectrum, for instance?
>> FARUK YUSUF YABO: Yes. Not free, but pay, but many of the people may not be able to pay or follow the process. So we just decided to create an access and run a competition of some sort.
>> BERTRAND DE LA CHAPELLE: Is it, for instance, applicable to rural access?
>> FARUK YUSUF YABO: It could be anything.
It could be rural.
>> BERTRAND DE LA CHAPELLE: The reason I ask, there are references in some sandboxes, particularly in Brazil, explored on lifting some constraints regarding local communities and municipalities making community services when the operators are not.
>> FARUK YUSUF YABO: Yes. That's part of it but we wanted to make it very wide opening. It could be community. It could be for materials. Anything that the company wants to use. It could be for metering. It could be for anything, to come in and demonstrate.
I wanted to know, where does this fall? Is it regulatory? Is it operational? The goal is to allow to people who generally cannot pay for cannot get access based on the constraint of payment and other procedures.
Thanks very much.
>> BERTRAND DE LA CHAPELLE: Thanks for the question.
Very quick answer, as always, nuance is always the name of the game.
Whenever you make a dichotomy between a regulatory or operational, I mentioned later on there's the hybrid notion, and that most often it is on the spectrum.
I mean the comment that Katerina was mentioning, even if you do something on the regulatory you may have some incentive which is that you get access to a particular dataset to work with it, which you wouldn't have access to in normal conditions.
The second thing is, again, respond with three letters on the question, is there a standard methodology or framework, actually, it's two letters, it's three letters in French, it's "no." There's no standard.
However, nuance is the key word again.
This is precisely the kind of work we're trying to do with gathering experiences.
What are the lessons that you can draw? I mentioned at the beginning, what is emerging clearly is the staging.
You have the preparatory stage which can be on the responsibility of the initiator of the sandbox or the actor who wants to do a sandbox.
Then you have the actual setting up of the procedure with a certain number of questions, or what is the exact purpose? What is the range of stakeholders that have to be engaged? What is the type of data that has to be accessed if that is the case? Or what is the problem that has to be solved?
And who is going to be in charge of this? As Thiago was mentioning, sometimes you have multiple regulators involved.
Who is taking the lead? Is it something that is one regulator organizing it or is it something where there's a third‑party facilitator in the government or outside that comes and organizes the discussions? Then you get the actual operation of the thing. But the preparatory phase is fundamental.
The operation can last for a certain period of time.
And one thing that people forget, as well as not paying attention enough to the early phase, is the exit of a sandbox is an important thing.
How do you implement the solutions that have been developed on the occasion of the sandbox on an ongoing basis afterwards? And particularly if the sandbox has involved certain actors in the Private Sector and not others.
How do you ensure that there's not a distortion of the competitive environment?
So formalizing the methodology is clearly one of the objectives of the Global Sandboxes Forum that we're having.
The first phase being that people will listen to what is happening in the different other countries.
Any other comment? Yes?
>> LUIZ FERNANDO CASTRO: Hi.
Quick question.
Thanks, Bertrand.
I'd like to ask ‑‑ sorry, I'm Luiz Fernando Castro from Brazil, former member of CGI, the Brazilian Internet Steering Committee.
I would like to ask you if you can bring any concrete experience that show successful in this matter of sandbox?
>> THIAGO MORAES: I'm from Brazil. So as I said, in the case of the DPA, we're still finishing the design phase. So of course talking the success of implementation is not yet ready.
Although, I would say the design itself has been quite mature so we have some expectations of things that will start working from the next year.
But even now in Brazil, we have some very nice experience from the financial institutions.
Like in Brazil, there was something very interesting.
The Central Bank has done a partnership together with the security ‑‑ the Stock Markets Authority and also the Securities and ‑‑ (someone speaking off microphone). Yeah, exactly. So basically, the three of them have components in the sandbox in the sense that any participant can join any of these three, and if whatever they are doing has synergy with the other markets they go together and work together in the initiative.
So it's a model for this kind of joined cooperation.
Of course, it's still all within the financial sector so that's something to look for the challenge that comes when it overlaps.
And yeah, you can find nice experience talking with other Data Protection Authorities. You can look for the ICO and in Norway. I can share if you like. We did a benchmark study that's in Portuguese that has some interesting use cases.
Also, there's the report from the World Bank group that I mentioned focused on fin techs and sandboxes. Definitely, there are a lot of interesting use cases, and there's always room for growing and more maturity, but sure, there are.
>> BERTRAND DE LA CHAPELLE: Maybe to move to the next thing, I wanted to also mention. Unless there's a question from the online, Sophie?
>> SOPHIE TOMLINSON: No.
>> BERTRAND DE LA CHAPELLE: One thing I wanted to highlight, we will have a dedicated meeting in Paris in February on the occasion of the Summit on AI that the French government is going to host at the end of February. On that occasion, one of the things that we will be releasing that we're finalizing at the moment is precisely a series of use cases and comments about what have been experiences in the past.
Because as Thiago was saying there's a lot about fin tech, but for the fields that we're talking about there's some different elements and it's good to be able to document them.
The paper will have a certain number of elements.
I want to shift and please if you have specific examples that you want to share on the occasion of the comments afterwards, don't hesitate.
What I want to finish with, and explore a little bit, is what I mentioned at the beginning. A sandbox is an exercise to bring people together and make people address policy issues in a different way.
It's basically turning the problems that different actors have with each other, like governments considerations that the Private Sector is not doing what it should be doing or the Private Sector considering that the governments are not regulating the way they should be regulating.
It's turning this into addressing a problem that people have in common by saying there's a new technology; how does the existing regulatory framework apply? Should we change it? Should we improve it? Should we develop a new one?
This is something that is important because the implementation of the new agile regulations needs to be iterative.
It needs to be able to adapt to the evolution of the technology itself.
And there's no better way than having the space for the different actors to talk to one another.
All this is wonderful.
There is a real interest for sandboxes. There's an emerging methodology that's being developed on the basis of experiments. There are benefits. But as Thiago and others were saying it can be costly.
It requires an awareness and a preparation to run it correctly.
It can take long.
The outcome is not certain.
If you embark on a legislative process, you basically know what are the steps.
And especially if there's a majority in your parliament, you know how it's going to go.
There's a bit of negotiation, but you know how the voting is going to go in the end.
When you embark in any type of multistakeholder process, as a government entity, it is less predictable.
And there's sort of an irony.
I want to be honest.
There's an irony that a tool that is intended indeed to produce legal predictability is a process that cannot guarantee that the thing will be successful.
This is why the methodology is so important.
But that is on the governmental side.
There's also, because we have to be transparent, there's also the personal challenge for the people who are the regulators. Because there's a risk. If this doesn't function properly, are you going to be blamed for not having fulfilled the objective?
So, there may be reasons for government authorities to hesitate to launch a sandbox.
And this is why I was asking Katerina, making the argument on the benefits needs to be strengthened and the methodology as well.
But now I want to go to the other side.
Are there disincentives to companies to get into a sandbox? Is there a fear that what you're going to explain to a public authority is going to be taken against you because you have revealed how your system is going to operate? So I want to throw the question in the ‑‑ on the floor.
And maybe start in the reverse order.
Starting with Katerina.
What are the disincentives? I liked that you mentioned the access to data as an incentive.
>> KATERINA YORDANOVA: Yeah, the disincentives depend where you're looking at around the world.
Coming from Eastern Europe I would say companies in general are very unwilling to talk to the regulator and explain how their system works because precisely they think at some point what they shared can be used against them. So there's a lot of distrust which I guess in some way is historical but it's still there.
And another concern I've met with companies I talked about sandboxes was regarding their IP rights. So the rights of, like, patents and trade secrets, these kind of things.
Especially when their product is in an earlier stage of development.
And some sandboxes actually offer the ability of participants to communicate between each other.
If you look at the digital sandbox in UK, that's the case. So in that case instance, they are very worried that somewhere among this process they may have their rights infringed in some way and they are looking for some more guarantees on the side of the regulators.
>> BERTRAND DE LA CHAPELLE: When I listened to what you were saying, you know that for instance in the procedures for mergers and acquisitions you have the notion of closed rooms where you can access the data about the financials of a company and so on if you are the acquirer.
I see sort of an analogy, actually, when you can talk about the IP and so on, but there needs to be a framework to come to your question that establishes clearly what can be used and cannot be used. Which is not easy, I suppose, because how do you take into account an idea that emerged from seeing what somebody has shown?
This is why sometimes exploring how a legislation applies to a new technology is a little bit different from really revealing everything about the new technology and having to test it and making it.
Can you elaborate Katerina just briefly on this notion of incentivizing actors by providing access to a dataset.
I think it's an important element.
>> KATERINA YORDANOVA: We were inspired by the digital sandboxes, basically what they were doing there in very limited use cases, they were asking participants that were already selected if they need specific data that they can provide for them.
That was done either by connecting them with someone who, like, acting a bit like a data intermediary in a way, or by curating certain dataset, either by using real data or synthetic data.
So that was the idea that ICF had. So we took that and complemented it for example with what we had in terms of specific datasets in this institute that we're working together to create the sandbox. So that could be mostly like data related to open environment, because that's a bit of the specialty of the institute, but also we assigned some curators of datasets that contain some personal data that can basically make a bit of if you wish compliance exercise of the dataset.
They helped companies to use datasets that had data that was already in compliance with GDPR so they were a bit more certain that they're compliant not with AI because nothing is enforceable and applicable yet but in GDPR, which is in Bulgaria they still haven't figured out how to apply it correctly so it's still a problem. So yeah that helped quite a lot as an incentive.
>> BERTRAND DE LA CHAPELLE: Thank you.
Morine, and then others, how to overcome these disincentives? Any thoughts?
>> MORINE AMUTORINE: I can share something I learned from the Equibank ‑‑
>> BERTRAND DE LA CHAPELLE: Can you put your video on? Or is the bandwidth not good enough?
>> MORINE AMUTORINE: It's not good enough.
But the Equibank sandbox is them providing APIs to the builders to be able to build on top of what they already have. So the incentive is their ability to access a small percentage of data about their clients because Africa has had financial inclusion as one of the biggest goals for the financial sector. So having access to the bankers' information, not in its entirety.
I mean from what they explained the process that they do for the developers to access the API, they definitely have done their systems well over time. So that alone is an incentive, to access some bit of data.
But other than fin tech which of course both the clients, the solution‑providers, and the bank, are both benefiting, I've noticed for sandboxes, regulatory sandboxes, which are not necessarily for fin tech, regulatory clarity has been just good enough for the people to want to participate in these sandboxes, at least for the few cases I've looked at.
I also know I've come across opinion papers about participants in sandboxes who have thought that probably the regulators were not well‑equipped to run the sandbox.
We know sometimes that comes from the point that regulators, their background probably doesn't put them in the best place to understand everything about technology and the new emerging technologies.
Sometimes you'll find cases where things are taking long, but that's probably because regulators are trying to do enough due diligence on the technology to be sure they understand what they're regulating.
But the idea of innovators just getting regulatory clarity has been good enough incentive, at least for the cases we have looked at for now.
Over.
>> BERTRAND DE LA CHAPELLE: I think one of the challenges is the gap of understanding between public authorities and the tech developers, where a lot of the public policy actors are confronted with a rapidly evolving technology and are having difficulties keeping up with the changes.
Also, because some of what is being developed is not made public yet.
And so you are thinking in terms of regulating what is visible, but you're not regulating for what is going to come up. And vice versa, when the private actors are developing something, they don't necessarily know what is fully the applicable legal landscape if it is a sector where they were not before.
I've had the discussions with people developing AI applications or foundational models with regard to how these would be used for medical applications.
It was striking to understand that they didn't necessarily know the entire regulatory framework that applies to any medicine device using expert systems and so on already.
They were just thinking that they were starting almost from a blank page.
So bridging this gap between the public actors and the Private Sector technologists is one of the objectives of putting in place an appropriate sandbox.
Adam, any feedback? And actually, I would like, as you asked the question, to have you chime in on the incentives and disincentives, as well.
Adam, your turn.
>> ADAM ZABLE: Yes.
I think there are a number of disincentives or challenges for any company to participate in any collaboration with a regulating entity.
I think that there's kind of ‑‑ there may be a somewhat standard set of issues that always get repeated. And I think the solution to some of these problems, it's not just with the entities participating in the sandbox, but also with the broader society. There's a lot of fragmentation in the field, as I mentioned. A huge amount of diversity among different sandboxes, which has caused practices and the ability of regulators to evaluate what's happening in the sandbox, to build trust.
All of those things are difficult to build and standardize, when the question of some kind of a standard guideline, the question came up.
That is made very difficult by this fragmentation that we see around the world.
And these challenges or disincentives that are likely very similar in all the cases of sandboxes around the world, perhaps there could be some kind of a framework that very quite simply and straightforwardly addresses some of these challenges that could be introduced by the regulator at an early stage of interaction with the participating companies.
But such a framework does not exist right now.
I think what regulators can do to build trust and try to alleviate some of these disincentives is transparency and try to build engagement with not just the participating entities in the sandbox but also spread the word about the sandbox, the existence of the sandbox, what it is, what it's trying to do, to get the word out about people.
Right now, knowledge about sandboxes is very low and even though a lot of governments have sandboxes and even more are working to build more sandboxes, most people have no idea what a sandbox for data even just fin tech, sandboxes ‑‑ most people don't know what they are.
If I could take one for example that's been brought up before by Thiago is Norway. Norway's Data Protection Officer runs a data and AI sandbox, and they do all sorts of things to engage the public and stakeholders and build transparency. My favourite thing that they do is they have a podcast about the sandbox. I think ‑‑ I don't know what they talk about, but they not only post updates on their website and they have a newsletter, but they also have a sandbox podcast.
I think that's quite novel and interesting.
They also organize workshops. They participate in international conferences. They really make an effort, more than any other government that I've seen, to really get the word out, you know, about the existence of these sandboxes. In most cases, most sandboxes around the world, the way that they advertise the sandbox's existence is by posting an invitation to apply to the sandbox on their web page.
They don't even make a real effort to get the word out to companies that the sandbox exists and is taking applications.
So I think as a regulator you have to try to build trust through transparency and getting the word out in proactive ways.
Another thing just briefly the Norwegian DPA did was hire a consulting firm to conduct an external evaluation of the sandbox's effectiveness.
I think that was really another very indicative of the approach the Norwegian DPA is taking, because they produced something like a 50‑page report on how the sandbox is going, provided recommendations on how to improve it, that kind of thing.
It's very important at this early stage of sandbox development around the world.
And finally, I will mention this just because Katerina brought up IP as a ‑‑ or the lack of IP protections as a disincentive.
One thing in Norway what the sandbox does, they tell the companies up front that participants retain ownership of intellectual property brought into sandbox collaboration.
So I think that kind of thing could be done by more regulators, is just to be up front about the potential disincentives and how the regulator is addressing those within the design of the sandbox.
>> BERTRAND DE LA CHAPELLE: Thank you, Adam.
There are ‑‑ without belabouring, there are comments that were made in previous discussions regarding the history of interactions with a particular regulator and a particular type of company, where there is bad blood that existed beforehand, the fact that some of the smaller companies may sometimes be more inclined to engage, but at the same time not having the bandwidth to do it; whereas, the large companies are probably relying tangentially more on the traditional lobbying mechanism than others.
So this is the landscape.
I just wanted to make sure that as we're advocating and supporting the notion that the sandbox approach is a really important tool, we don't belittle the challenges in making it, just like we don't belittle the challenges of making it a multistakeholder element.
So we have the last five minutes here.
I will go in this direction, a very quick contribution on the discussions we had.
And then you can close.
I'm sorry.
You need the microphone.
It's good.
>> FARUK YUSUF YABO: Thank you for the opportunity.
Different jurisdictions will have different priorities. I think that's very important to take into consideration.
Now, having said that, the regulators are seen as collectors by most people.
In Africa, where people tend to have little income in terms of ability to pay for charges, one disadvantage would be for exposing a small company to the fact that they have to pay and they've actually committed themselves and then there's no exit route.
I think that's one.
What we did was try to meet that objective by trying to make sure no payments.
Right? You don't have to pay anything.
You're allowed to come in, use the same services, which you would normally spend a lot of money on processes. So I think as one of the key disincentives for sandboxes, to get the audience, stakeholders, to get them engaged, is the fact that they have to be made to take responsibilities that in some cases are difficult for them to undo. So I think one of the key issues is for us to make sure we break the barriers of entry, especially for areas where we are dealing with low income category of entrants that cause the ability to maybe develop concepts, ideas, but they don't have resources to make sure these things come true.
Thank you.
>> BERTRAND DE LA CHAPELLE: Thank you.
I think that's very interesting because we haven't discussed that much the situation where the regulator is actually distributing a shared common resource and is therefore collecting the revenues from this.
We were talking about lifting the regulatory obligations.
One may be the obligation of paying for this use case.
That's interesting.
Thiago, you have basically the final word.
>> THIAGO MORAES: Okay. Is it working? (Microphone going in and out.)
>> BERTRAND DE LA CHAPELLE: It's not working very well.
Oh, the battery is ‑‑ do you have another one? The battery is off.
Can you remove this one?
>> THIAGO MORAES: Just to conclude then, I think I should also highlight that beyond everything that's been said there are also other external possibilities.
Just being part of a collaborative approach that involves a regulator, because if a company hears that, in a good way, it can actually share with the potential consumers, certain subjects, how this is gaining more truth with whatever they're innovating in, I think this connects the idea of trust.
For that, well, since we don't have more time, I think I'll finish for here, but I'd like to thank the Datasphere Initiative for this amazing session with so many experts and I hope to continue to be in this environment for further maturity for sandboxes.
>> BERTRAND DE LA CHAPELLE: This will definitely be the case.
I want just to finish by highlighting first of all thanking you all as panellists and the people who worked on the session for this discussion.
I want to highlight that Sophie has shared in the chat a certain number of links to resources.
Please go to the website thedatasphere.org to basically have more information.
And the final element is that this is a new avenue.
This is a way for the different actors to basically explore what the multistakeholder approach can be at the national and even subregional levels and I really encourage you to think about how this can be developed and integrated in your respective processes.
And the Datasphere Initiative team is there to give you information in the context of the Global Sandboxes Forum and also to assist you and support whatever efforts you want to engage in on a topic of interest.
Thank you very much.
Enjoy the rest of the IGF.