Regulatory sandpits are gaining in significance with European information safety authorities
The concept of regulatory sandboxes has grown in importance in the privacy community. Since the UK Information Commissioner’s Office (the “ICO”) completed its pilot regulatory sandboxing program in September 2020, two European Data Protection Authorities (“DPAs”) have created their own sandbox initiatives under the ICO framework.
The Datatilsynet Sandbox Initiative for Responsible Artificial Intelligence
The Norwegian Data Protection Authority (the “Datatilsynet”) launched its sandbox initiative in 2020. The aim of the initiative is to encourage the development of innovative AI solutions that are ethical and responsible. It will also support organizations in the implementation of privacy-by-design solutions and enable compliance with the EU General Data Protection Regulation (“GDPR”). The Datatilsynet intends to use the knowledge and insights from the sandbox projects to further develop its own competence in this area and to develop guidelines that are relevant for organizations that implement AI.
Datatilsynet received 25 applications from various public and private organizations prior to January 15, 2021. Datatilsynet is currently reviewing applications to select four projects (taking into account different types and sizes in different sectors) to be sandboxed by mid-March 2021.
The CNIL Sandbox Initiative for Health Data and Privacy-by-Design
On February 15, 2021, the French Data Protection Agency (“CNIL”) launched its own sandbox initiative (in French) covering innovative projects in the health sector that use personal data. The aim is to support organizations in implementing privacy-by-design right from the start. The tender (in French) is currently open until April 2, 2021.
The contributions are examined by a special committee made up of CNIL members and external interest groups. Three projects will be selected based on the following criteria: (1) addressing a public health problem; (2) addressing novel data protection issues; and (3) providing resources to implement the CNIL recommendations developed during the sandbox. Projects on telehealth, access to research data, data exchange between health professionals or the inclusion of AI are particularly welcome.
Once the projects are selected, the sandbox process will last until the end of 2021.
The Center for Information Policy Leadership (“CIPL”) in Hunton Andrews Kurth has published extensive work on the ICO’s sandbox pilot and expects the concept of regulatory sandboxes to grow for data protection agencies and organizations alike.
Read the CIPL white paper on regulatory sandboxes in data protection.