Privacy & Cybersecurity Law Blog

On March 8, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on Regulatory Sandboxes in Data Protection: Constructive Engagement and Innovative Regulation in Practice (the “White Paper”). The release of the White Paper follows a joint roundtable held by CIPL and senior staff from the UK Information Commissioner’s Office (“ICO”) on February 19, 2019. Over 35 CIPL members attended the full-day roundtable, exchanging views on how the regulatory sandbox should work in practice, discussing the benefits of participation and key questions around appropriate safeguards upon entering and exiting the sandbox, as well as sharing examples of innovative projects where a sandbox may be useful.

The regulatory sandbox is a safe space set up by a regulatory body for piloting and testing innovation. In the context of data protection, this means using live personal data of real individuals in the testing phase under the supervision of a data protection authority. The concept was first developed by the UK’s Financial Conduct Authority to enable regulated companies to experiment and innovate in the financial services space but is starting to be utilized in the data protection sphere. As we previously reported, the UK ICO is planning to launch a pilot program or “beta phase” of the regulatory sandbox which is expected to run until September 2020.

The White Paper sets out the key features of the regulatory sandbox and outlines a series of relevant developments regarding the concept in data protection. It identifies the main benefits of sandbox participation for organizations, data protection authorities, and individuals, and the boons to economic and social well-being. The White Paper also details some of the challenges and key concerns and hesitations that are likely to arise from deploying such sandboxes for data protection.

In its White Paper, CIPL makes various practical suggestions to maximize the prospects of success, including possible criteria for acceptance into the sandbox and safeguards to address apprehension by potential participants. The White Paper also details the relationship between the regulatory sandbox and data protection impact assessments and considerations surrounding the international application of the sandbox.

CIPL has previously written about the potential of a regulatory sandbox model in data protection in its 2017 paper Regulating for Results: Strategies and Priorities for Leadership and Engagement and its 2018 response to the ICO’s Call for Views on Creating a Regulatory Sandbox.