Privacy & Information Security Law Blog

The concept of regulatory sandboxes has gained traction in the data protection community. Since the UK Information Commissioner’s Office (the “ICO”) completed its pilot program of regulatory sandboxes in September 2020, two European Data Protection Authorities (“DPAs”) have created their own sandbox initiatives following the ICO’s framework.

The Datatilsynet Sandbox Initiative for Responsible Artificial Intelligence

The Norwegian DPA (the “Datatilsynet”) launched its sandbox initiative in 2020. The goal of the initiative is to promote the development of innovative AI solutions that are ethical and responsible. It also will help organizations implement privacy-by-design solutions and enable compliance with the EU General Data Protection Regulation (“GDPR”). The Datatilsynet intends to leverage the learnings and insights arising from the sandbox projects to further develop its own competence in this area and to develop guidelines relevant to organizations implementing AI.

The Datatilsynet received 25 applications from diverse public and private organizations before the January 15, 2021 deadline. The Datatilsynet is now reviewing applications to select four projects (taking into account varying types and sizes, across different sectors) that will enter the sandbox by mid-March 2021.

The CNIL Sandbox Initiative for Health Data and Privacy-by-Design

On February 15, 2021, the French DPA (the “CNIL”) launched its own sandbox initiative (in French) that covers innovative projects in the healthcare sector that make use of personal data. The objective is to help organizations implement privacy-by-design from the outset. The call for application (in French) is currently open until April 2, 2021.

Submissions will be reviewed by a special committee composed of CNIL members and external stakeholders. Three projects will be selected based on the following criteria: (1) addressing a public health issue; (2) tackling novel data protection issues; and (3) committing resources to implement the CNIL recommendations developed during the sandbox. Projects on telehealth, access to research data, sharing of data between health professionals or involving AI are particularly welcome.

Once the projects are selected, the sandbox process will last until the end of 2021.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth has published extensive work on the ICO’s sandbox pilot project and expects the concept of regulatory sandboxes to grow for DPAs and organizations alike.

Read CIPL’s white paper on Regulatory Sandboxes in Data Protection.