Privacy Sandbox

Author Hyena
Reproduced with kind permission of the author
Source Wikipedia

Jane Lambert

The Information Commissioner's Office has just carried out a consultation on creating a regulatory sandbox "to develop innovative products and services using personal data in innovative ways" (see ICO call for views on creating a regulatory sandbox on the ICO website).  The idea of a sandbox was pioneered by the Financial Conduct Authority which described it as  "a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question" (see FCA Regulatory Sandbox Nov 2015). 

The FCA's idea of a sandbox for new products, services and business models proved not only feasible but popular and has been imitated by other financial services regulators around the world.  The Information Commissioner announced her intention of extending the idea to data protection in her Information Rights Strategic Plan 2017 - 2021:

"Technology goal #8: To engage with organisations in a safe and controlled environment to understand and explore innovative technology. 

• We will establish a ‘regulatory sandbox’, drawing on the successful sandbox process that the Financial Conduct Authority has developed. The ICO sandbox will enable organisations to develop innovative digital products and services, whilst engaging with the regulator, ensuring that appropriate protections and safeguards are in place. As part of the sandbox process the ICO would provide advice on mitigating risks and data protection by design. 

• In 2018 we will consult and engage with organisations about implementation of a sandbox."

The consultation closed on Friday but the Call for Evidence makes clear that that was only the first stage of the consultation process. There will be a more detailed proposal for consultation later in the year.

In his blog post Your views will help us build our regulatory sandbox, Chris Taylor, Head of Assurance at the ICO, set out the topics upon which he wants to hear from the public:

• "what you think the scope of any such sandbox should be - should we focus on particular innovations, sectors or types of organisations?
• what you think the benefits might be to working in a sandbox, whether that’s our expert input or increased reassurance for your customers or clients.
• what mechanisms you might find most helpful in a sandbox – from adaptations to our approach, to informal steers or the provision of technical guidance – what are the tools that a sandbox might contain?
• at what stage in the design and development process a sandbox would be most useful to you?"

Mr Taylor also made a point that applies to innovation generally and not just to data protection law.  It is often said in the USA and in some quarters in this country that red tape (which is a derogatory term for regulation) hobbles innovation and enterprise.   If that were so the USA would be the most innovative nation on earth but a glance of the Global Innovation Index  shows that it lies behind four European nations including the UK. 

The author explains that 

"privacy and innovation go hand in hand. It’s not privacy or innovation, it’s privacy and innovation – because organisations that use our sandbox won’t be exempt from data protection law."

A regulatory sandbox enables regulators to anticipate and make provision for difficulties before they arise thus rescuing sparing new technologies and businesses from the legal quagmires that dogged earlier technologies.  In those days the law reacted to new technologies often imperfectly. 

The proposed sandbox should mitigate the privacy uncertainties affecting new products, services and business models but they won't remove all. There will remain other issues such as patenting or other IP protection, licensing, competition and so firth.  I am well placed and should be glad to help fintech and other entrepreneurs or the patent and trade mark attorneys, solicitors, accountants and other professional advisers who may assist them.  Should any of them wish to discuss this article or data protection generally, they are welcome to call me on +44 (0)20 7404 5252 during office houses or send me a message through my contact form.