The positive effect of the “supervisory sandbox” in the field of privacy supervision is gradually emerging.
Editor’s note: This article from the micro-channel public number “Tencent Research Institute” (ID: cyberlawrc), of: Daijun Zhe Wang Rong.
As a regulatory innovation model that originated in the financial field, the “supervisory sandbox” mechanism is gradually showing its positive effects in the field of digital governance. This article introduces its latest progress in the field of privacy governance. The “Privacy Supervision Sandbox” project that has been carried out currently involves the most cutting-edge or the most complex privacy protection issues in practice, such as artificial intelligence, face recognition, government data sharing, and protection of minors.
Similar to the pilot experiment, the starting point of the “regulatory sandbox” is to encourage innovation and tolerate trial and error, but the difference is that the “regulatory sandbox” emphasizes the mutual cooperation and positive feedback between regulators and market players, and relies on the law Regulations and sandbox agreements adopt refined management at each stage of the sandbox, so as to more effectively stimulate market innovation, prevent risks and protect consumer interests.
The origin and development of the regulatory sandbox
Sandbox is a computer term, which means a security mechanism that can provide an isolation environment for running programs. It is generally used when testing programs that are difficult to predict or determine risks. It can ensure the authenticity of the test environment , While the test method is accurate, it does not affect the “out of the box” data and procedures, thus ensuring safety.
The concept of “regulatory sandbox” first appeared in the report “The Future of Fintech” issued by the Office of Science of the Government of the United Kingdom in March 2015. Since then, the Financial Conduct Authority (FCA) has adopted it as a governance tool Introduced into the context of financial market supervision.
The regulatory sandbox introduced by FCA means that regulators establish a certain framework to allow financial technology innovation companies to test their innovative products and services in the real market environment under the premise of adopting appropriate security measures. Or business model, and will not incur the usual regulatory consequences due to the activities engaged in. In the regulatory sandbox, the regulator is no longer a “regulator” in the traditional sense, but a “cooperator” attitude to assist participants in putting safer and more effective technologies into practice. With the rapid development of financial technology today, the “regulatory sandbox” model actively responds to the important issue of how to more effectively prevent financial risks, protect consumer interests, and at the same time encourage innovation. Since the British FCA pioneered this model, Australia, Singapore, the United States, South Korea, Japan, etc. have adapted to local conditions to explore their own “regulatory sandbox” solutions in the financial sector. So far, about 50 countries have explored the “regulatory sandbox.” In December 2019, the People’s Bank of China announced the launch of a pilot program for the supervision of financial technology innovation, aiming to create a Chinese version of the “supervisory sandbox” and explore prudent and inclusive financial technology innovation supervision tools.h2>
(1) Process: Operating mechanism of privacy supervision sandbox
The privacy supervision sandbox initiated by the British ICO aims to explore the positive interaction between “privacy protection and stimulating technological innovation”. The sandbox only applies to products and services provided in the UK. From the process point of view, it is divided into 7 main stages: registration, screening, selection, determination of the regulatory sandbox plan, specific implementation, out of the box and publication of the report.
In a specific cooperation, participants will receive a statement of regulatory comfort issued by the ICO, which will state that when there is a problem with the operation of the “regulatory sandbox” (such as a participant’s violation), Corresponding measures to be taken by the data protection agency. The ICO also assures participants that they will not incur penalties from data protection regulators after they have taken the necessary measures to solve the problem. However, the compliance requirements of participants under the data protection law and other fields of laws and regulations still need to be complied with.
In addition to this regulatory assurance statement, participants will receive some informal guidance and supportive advisory mechanisms provided by the ICO. For example, ICO experts will give participants opinions on how to “achieve data protection through design” through discussion workshops with relevant organizations, written opinions, and field visits, and explore how to reduce risks in the process of achieving technological innovation , Ensure proper data security. The experience of ICO in the privacy supervision sandbox will also be reflected in the subsequent privacy protection guidelines and other documents formulated for specific areas.
(2) Progress in Practice: Overview of the two phases of privacy supervision sandboxes that have been conducted
Currently, the ICO privacy supervision sandbox has launched two phases. The participants include technology companies of different sizes and industries and different government departments in the UK. From the perspective of the content of the project, it covers a wide range of fields, including It addresses privacy protection issues in scenarios such as transportation, safety, housing, medical care, finance, and youth protection.
The first phase of the ICO privacy protection supervision sandbox involves ten projects. The participants include FutureFlow, Jisc, Novartis, Onfido, Tonic Analytics, TrustElevate, Heathrow Airport Ltd and other companies, as well as the Greater London Authority (Greater London Authority), The Ministry of Housing Communities and Local Government, NHS Digital and other departments and organizations.
As of now, ICO has released 6 privacy supervision sandbox results reports, namely JISC (Developing Health Practice Guidelines for Students), Heathrow Airport Co., Ltd. (Simplifying Airport Passenger Process Through Biometrics), FutureFlow (Data Flow Analysis platform assists financial crime investigation), Onfido (reducing deviations in customer identification based on biometrics), NHS Digital (realizing patient data sharing under the premise of “data protection by design” and promoting the development of new crown vaccine) and Novartis (medical Information Sharing). The current second phase of the sandbox project focuses on: children’s age identification and identity verification, child consent management systems, and AI clinical consultation and evaluation services based on online content.
From the above projects, it almost covers the most cutting-edge issues in the current digital privacy protection field or the most complex issues in practice.
(3) Case: Heathrow Airport uses biometrics to simplify the passenger boarding process
The following will be based on Heathrow Airport’s “Using Biometrics to Simplify the Passenger Boarding Process” regulatory sandbox project to introduce the technical details of the project and how the ICO will cooperate with Heathrow Airport to promote the project’s development Provide convenience for passengers under the premise of protecting privacy and safety.
1 /Project technical principles
In order to increase the speed and convenience of passengers’ check-in procedures at the airport, and reduce airport congestion, Heathrow Airport is promoting a new technical means to enable passengers to also Able to prove that “you are yourself”, the project is called “Automated Passenger Journey” (APJ).
The APJ project uses face recognition technology in conjunction with specific identity data sources (ID Source, such as passports or other identity documents or services, etc.) to confirm the identity of passengers. Specifically, when passengers enter the airport, they will first take a photo of the day at a certain touchpoint (Touchpoint). This photo will be compared with the photo in the passport and confirmed to be consistent. In the subsequent airport procedures, face recognition technology will always be applied and confirm that the passenger is the “passenger himself” without the passenger showing any identification documents.
2 /Key points and conclusions of the regulatory sandbox
(1) Role positioning of airports and airlines in data processing
Automated passenger journey APJ projects include airports, airlines, biometric technology service providers, customs and border controlThe concept of “protecting privacy through design” can be understood in a more specific manner, thereby adding more flexibility and applicability to the corresponding legislation.
Through the privacy supervision sandbox, privacy protection regulators will realize dialogue with market entities in emerging fields and obtain first-hand, fresh information and information. Regulators can understand the needs of the current industry, and focus on the urgent need to make improvements in laws and regulations, so as to alleviate the current large lag between privacy protection legislation and high-speed technological updates.
3/Consumers, market competition: carefully considered data protection and demonstration effects of similar technologies
For consumers, because innovative products and services have been tailored and improved in a small-scale privacy supervision sandbox, the products and services can be more easily promoted when they are widely promoted in the market. Good protection of personal data rights will bring real and comprehensive value to consumers, and the corresponding data processing will happen more confidently and responsibly. Under the lower uncertainty of data protection compliance, not only the company itself, but the overall public welfare including consumers will be improved.
For all market competitors, the corresponding information of the privacy supervision sandbox, especially the relevant “out-of-the-box reports”, can provide effective reference opinions and guidelines for companies in the same industry, of the same type or using similar technologies. , To form a certain demonstration effect, promote data use and information flow. In addition, from a broader perspective, if the technology involved in a certain project of the regulatory sandbox is recognized in the privacy protection law, it will also encourage the accelerated application of this type of technology, and will also encourage other companies to develop technological innovations. force.
Of course, it should also be noted that the exploration and practice of the regulatory sandbox is still in its infancy, and compliance issues in the field of privacy protection need to be further coordinated. In addition, concerns about trade secrets, intellectual property rights, unfair treatment, etc. are also one of the many challenges facing the privacy supervision sandbox mechanism at the moment. However, it is undeniable that as a regulatory innovation method, the regulatory sandbox provides a relatively inclusive space and flexible regulatory methods, forming a benign interaction between market innovators, regulators and consumers, and exploring the future of digital governance. The road provides an important methodology.
References:
[1] See KPMG China: “Accumulate a small book, ready to go-China’s “regulatory sandbox” innovation and practice report”, published in KPMG’s official website:
https://assets.kpmg/content/dam/kpmg/cn/pdf/zh/2020/10/china-regulatory-sandbox-innovation-and-practice-report.pdf, accessed February 7, 2021 .
[2] See Government OffiBank for International Settlement, Inside the regulatory sandbox: effects on fintech funding, available at
https://www.bis.org/publ/work901.pdf (last visited on February 8, 2021).
[7] “The People’s Bank of China Launches the Pilot Work of Financial Technology Innovation Supervision”, published on the Chinese Government Website: http://www.gov.cn/xinwen/2019-12/06/content_5458990.htm, February 2021 Visited on the 7th.
[8] See Speech by Dr Yaacob Ibrahim, Minister for Communications and Information, at the Personal Data Protection Seminar 2017, available at
https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2017/7/personal-data-protection-seminar-2017 (last visited on March 4, 2021).
[9] See Data Collaboratives Programme (DCP), available at
https://www.imda.gov.sg/programme-listing/data-collaborative-programme (last visited on February 6, 2021).
[10] See the Finnish Ministry of Economic Affairs and Employment, Finland’s Age of Artificial Intelligence, available at
https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/160391/TEMrap_47_2017_verkkojulkaisu.pdf?sequence=1&isAllowed=y (last visited on March 4, 2021).
[11] See Chris Taylor, blogs about how organisations can help us shape our regulatory sandbox, available at https://ico.org.uk/about-the-ico/news-and-events/blog-ico- regulatory-sandbox#sep18 (last visited on March 4, 2021).
[12] See Sandbox for responsible artificial intelligence, available at
https://www.datatilsynet.no/en/regulations-and-tools/sandbox-for-artificial-intelligence/ (last visited on February 6, 2021).
[13] See CNIL, Un «bac à sable» RGPD pour accompagner des projets innovants dans le domaine de la santé numérique, available at https://www.cnil.fr/fr/un-bac-sable-rgpd -pour-accompagner-des-projets-innovants-dans-le-domaine-de-la-sante-numerique (last visited on March 4, 2021).
[14] See Annex to the Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee olast visited on March 3, 2021).
[19] See Centre for Information Policy Leadership(Hunton Andrews Kurth), Regulatory Sandboxes in Data Protection: Constructive Engagement and Innovative Regulation in Practice, available at
https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_white_paper_on_regulatory_sandboxes_in_data_protection_-_constructive_engagement_and_innovative_regulation_in_practice__8_march_2019_.pdf (plast visited on March 3)