IGF 2023 - Day 2 - WS #279 Sandboxes for Data Governance: Global Responsible Innovation - RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> MODERATOR: Data for sure is one of the most strategic assets for both economic growth and Sustainable Development.  It can provide key insights to make better decisions around food security, climate change mitigation, or health policies.

Hence, data can help policy makers and private organisations to better allocate resources, solve problems and prepare for risks.  And as the back bone of AI application, its potential for the achievement of the SCGs cannot be underestimated, but for the use of data to benefit all, data sovereignty needs to be strengthened.  We need frameworks that help reap the benefits of data while protecting citizens, and I think that is the key assumption of this and the starting point of this session.

This panel gathers experts from around the world to discuss how sandboxes can unlock the value of data for all and promote responsible innovation in AI.

I'm very delighted to welcome on this panel today deputy Minister of-transport and communication Agne Vaiciukeviciute, so I knew it would be very challenging and I was trying to pronounce it a bit correctly.  Very welcome, very happy to have you here.

Deputy minister from Lithuania.  She focuses, among other things, on innovation and open data and she will share her perspectives in a few time.

We also welcome Denise Wong as the deputy commissioner at the personal data protection commission of Singapore, she manages the formulation and implementation of policies relating to the protection of personal data.  We also welcome -- I think she's joining virtually, Kari Laumann, the project manager for regulatory sandboxes.  She collaborated with stakeholders in the AI industry in Norway and is one of the team members ahead of AI regulation in her country.

And then we also welcome Lorrayne Porciuncula.  She's here on the panel, the cofounder and executive director of the DataSphere Initiative, an international nonprofit foundation with a mission to responsibly unlock the value of data for all.  She's an affiliate at Berkman Klein Center.  And last but not least, we have Ololade Shyllon.  She's also here on the panel.  She's the head of privacy policy across Africa, the Middle East and Turkiye.  She's a Human Rights lawyer who has focused on privacy access to information and freedom of expression.

Our panel this afternoon will be moderated by our friend, Armando Guio, who is an affiliate at Berkman Klein Center for the Internet and Society, and doctoral candidate at the technical university of Munich, focusing on social sciences and technology.

And finally, we also welcome our online moderator, Pascal Koenig, a planning officer at the GRZ headquarters.  He has served as the John Kennedy memorial fellow and she's also postdoctoral researcher at technical university.

Together, they will discuss now the roles of regulatory sandboxes in the promotion of responsible data governance and AI innovation.  Secondly, a regional perspective on the enablers and challengers of implementing those sandboxes, and thirdly, the issue of international collaboration on those regulatory sandboxes.

We are very, very happy to payment this discussion and to support this session, regulatory sandboxes can be really a great tool to promote regulation for a fair, free and open data economy.

In this way, the potential of data and AI can be used to achieve the.  They can improve food security.

Thank you very much.  And please enjoy this wonderful session.  And now, over to you.

>> Thank you very much.  Thank you for your kind introductions and it's a real pleasure to be here in such distinguished panel with these experts on the area of regulatory sandboxes, which are gaining a lot of attention, a lot of traction now.  There is a lot of fuss about regulatory sandboxes becoming more important nowadays to deal with many of the regulatory questions there are regarding AI, data, many other technologies innovations and, of course, that will have an impact on technology here.

Perhaps briefly just as an introductory remark, I would like to provide this context on regulatory sandboxes.  It's not a comprehensive one in the way in which basically we have, and that's one of the biggest challenges we have right now.  A lot of definitions, what a regulatory sandbox is, how they work, how they're being implemented and these kind of questions that we're going to be answering today, perhaps opening the floor for these kinds of discussions to take place.

So we want to start, that's one of the basic elements that we have to have very much in mind is that regulatory sandboxes are having a lot of definitions and there are many different ways on defining what a regulatory sandbox can be.

You can see regulatory sandboxes that look like elaborate innovation labs or that look like many other projects, which are not necessarily even related with regulation.  Some others are related with regulatory questions, but are dealing with them in a very different way.  So here just to take an approach of what the UN Secretary-general's special advocate for inclusive finance development defines a sandbox as a regulatory approach, not even a space, but an approach, typically summarized in writing and published that allows live testing of innovations under a regulator's oversight.  That's the definition.

And that's perhaps a definition that some share.  Some would say not necessarily.  I don't see that it has to be a regulatory approach.  Perhaps it's a regulatory experimentation space or an ecosystem of experimentation.  That's one of the challenges that we are facing right now, and that authorities around the world are facing with their approach to this kind of tool to deal with innovative regulatory measures.

From there, we have this big question of how to design the regulatory sandboxes around the world and that's a very interesting thing to analyse, and I have been able to look into this in some of my previous work.

So I have seen sandboxes that have been developed mainly by two people within an authority working on learning more about a technology, and this is called a sandbox.  In some other countries, a whole sandbox unit is prepared for developing these kinds of projects and developing and deploying an adequate sandbox and we will hear the experiences from all around the world.  We have the sandboxes also and this is something interesting, of course.  We want to talk more on the data sandboxes, but we have seen sandboxes, of course, developing on the fin tech sector, the generative AI, there's all the more attention on why sandboxes can be beneficial to understand many of the challenges posed by generative AI systems.

And, of course, on the gov tech and public sectors.  So we have seen these areas and these areas of work as areas that can be of interest for many stakeholders that have been working on this.

The fin tech sector, of course, have been one of the leading sectors on developing regulatory sandboxes around the world and that has been perhaps one of the biggest promotors of having sandboxes, other authorities are trying to follow this same path.

Now many questions about IP, data protection, antitrust and many other topics.

We have seen, for example, in Latin America, sandboxes being developed, for example, in Brazil now, we have this public announcement and we will hear from the colleagues from the Brazilian Data Protection Authority.  They're going to tell us a little bit more about this new generative AI sandbox and data protection that is going to be developed.

At the same time, Colombia has this fin tech regulatory sandbox which has been quite big and privacy by design and by default sandbox being developed there.

We have also sandboxes around the globe.  In Ethiopia, we have seen a sandbox unit being developed that is big within the central bank of Ethiopia that is going to create some kind of regulatory experimentation environment.

Germany, of course, also promoting many of the sandboxes, almost all of them at a regional level and, of course, with this sandbox handbook that was developed some years ago, which has been quite influential, not only in Germany, but in many other countries.

At the same time, we have seen sandboxes in Kenya.  So the capital markets authority, they're working on a very interesting fin tech sandbox which has also been quite important to develop, the fin tech ecosystem in the country.

And Lithuania, of course, with the gov tech regulatory sandbox and the sandbox for the public sector that we will hear more from the vice minister.

That's perhaps the whole representation that we want to have here and many of the experts that are here have been very much involved in these kinds of projects, have been working on them.

So we have also, for example, the experience of Norway and Singapore working on data protection sandboxes, Singapore developing one of the first frameworks on how to have a regulatory sandbox on data protection and on AI governance which was also very interesting.

And Norway, trying to open the black box and trying to develop this idea of more transparency with regulatory sandboxes in Norway for this specific purpose.

So with this brief introduction, and this brief context and definition of what a sandbox can be, we are facing now this big question on the relationship between regulatory sandboxes and Internet Governance.  Why are we talking about regulatory sandboxes in this specific forum, and when we are talking about technology, such as AI and when we're talking about the future of data and data protection.

Basically, because we are having a lot of questions -- so, for example, three big topics, such as privacy protection (?) which we have to analyse.  How are we going to analyse that and the authorities are going to analyse that, that's the biggest question.  What are the decisions and regulatory decisions to be made, that's where sandboxes perhaps can be helpful to understand the real impact of these technologies and what can be achieved with the current regulatory frameworks that we have.

That's the question.  Are regulatory sandboxes enough in order for authorities to develop capacities to deal with many of these big regulatory questions?  What has been the experience of fellow countries that we have here and many other experts that have been working on different contexts that can help us to understand a little bit more about that?

And that's perhaps one of the other big, big questions that we have.  Are sandboxes for all authorities around the world, are sandboxes effective in any country or there have been to be some initial capacities within some countries and some initial elements for these kinds of projects to be developed?

With the general cooperation, we have also been working on this, and with my colleague Pascal Koenig, also trying to answer some of these questions because we believe that sandboxes can be expensive, you can spend a lot of time working on them.  Are they effective?  Are they going to be effective to answer many of these Internet Governance and many other questions about regulation technologies, such as AI and the use of data, and cross-border data flows and many big questions on the future of these technologies?  That's what we would like to answer and discuss today.

So with that, I would like to start briefly with a video of the data protection authority from Brazil that they were very generous to send to us this video.  They were very much involved in the preparation of this event.  Unfortunately, they were not able to join us, but I think it's also good to hear from them and then we will start with the questions with the experts here and the experts on the Zoom room.

So thank you.

>> THIAGO MORAES: Ladies and gentlemen, esteemed colleagues and distinguished guests, I stand before you today on behalf of the ANPD, the Brazilian Data Protection Authority, filled with immense gratitude and excitement as we coorganise this workshop in collaboration with our esteemed colleagues from the Berkman Klein Center and the DataSphere Initiative.

It's a privilege to have the active engagement of representatives from various government bodies and Meta.  Together we are embarking on a journey that's not only significant but crucial for the future of data governance and AI innovation.  Our primary goal in this session is to foster a dynamic discussion among all relevant stakeholders.

We aim to deliberate on strategies that can pave the way for the development of sandbox initiatives, initiatives that not only stimulate innovation, but do so while upholding the fundamental values of humanity.

In the session, we'll delve into three key areas.  First, we will explore the roles that regulatory sandboxes play in promoting responsible data governance and fostering innovation in the realm of AI.

Second, we will examine a regional perspective, shedding light on the challenges in implementing sandbox initiatives.

Lastly, we'll discuss the importance of international cooperation in shaping the future landscape of sandboxes.

I am thrilled to announce a significant milestone in our journey towards responsible innovation, the launch of the contributions for the ANPD regulatory sandbox on AI and data protection.  This initiative crafted in collaboration with esteemed partners like Armando Guio who's today's moderator in the session, seeks to create a space where innovative ideas can flourish while ensuring the safeguarding of individual privacy and data protection.

I invite our esteemed panelists and the audience to contribute actively to this endeavour.  Your valuable insights can shape the very foundation of how we approach AI and data protection.

You can submit your contributions via our web page, which you can access via the QR code presented on this screen.

I am delighted to inform you that submissions can be made in English, allowing for broader and more inclusive dialogue.

As we embark on this collective journey of exploration and innovation, let us remember the profound impact our discussions can have on the future.  Let us collaborate, ideate and inspire one another.  Together, we can create the future where innovation and data exists harmoniously, fostering progress that benefits all humanity.

With that, I wish you all a very productive session.  May our discussions today be illuminating and may they pave the way for a future that we can all be proud of.

Thank you.

>> ARMANDO GUIO: With that, we have this innovation from the data protection authority from Brazil, this very exciting sandbox, we can move to our first question and perhaps here, I would like to start perhaps with your approach to sandboxes and your experience on sandboxes, what are the benefits you have seen in the work you're developing right now?  It would be very interesting to hear how the sandboxes have been evolving in your experience and what you have learned from that.

>> AGNE VAICIUKEVICIUTE: Thank you very much for having me here.  I think sandboxes is one of my passions, and while it's very important to speak about the future of the Internet, it's sometimes very important to speak on the practical matters, how all these innovations will bring closer to us.

In Lithuania, you mentioned one of the good practices is gov tech sandboxes.  These are a little bit more on my colleagues' side, but this is already a way of looking into problem solving.  It started in Lithuania in 2019, last year, it got an award at the European level of sandboxes that help for public governance to solve issues within the governance, to make it more accessible to the customers, and I just figured out I will maybe just tell you some of the examples.

For example, there are some examples based on AI solutions to measure the quality of digital government in an innovative way, solutions to automate the detection of illegal gambling operations online, a solution to improve the environmental risk assessment of companies, open assessment technology solutions to perform remote examination for civil servants, and many, many solutions that are already used in Lithuania in the governance in one or another way.

I think that platform was so successful that from the government's side, that investments into these kinds of sandboxes grew, and now it became a huge part of the innovation ecosystem in Lithuania.

But what I would like to talk a little bit more about, which is more on the communication side, countries these days invest a lot into infrastructure, especially infrastructure for 5G technologies, and we are doing the same.

In Lithuania, we do have the coverage of 90 per cent of the population, almost the same as here in Japan.

But when we want to see the value cycle, the demand side, we do not see enough technologies there.  So I think that's where the need of sandboxes is coming from.

So what we did in this sense, we dedicated more than 24 million euros for applications and solutions based on 5G.  And it's concerning not only innovations in the transport sector, but in any sector.  So we are very happy of this possibility to do it a bit in a niche way so it's not coming from the whole innovation policy within Lithuania, but the initiative comes from the Ministry of Transport and common communication.  So we really want to see what the 5G technology is capable of.

And there's a lot of interest from the business side.  We just called a tender, so just imagine maybe 53 projects are in the pipeline.  More than 124 million euros' worth of projects, of testing within the sandbox regime and in Lithuania those new technologies and applications.

I think why it's so interesting for the companies is because we created the sandbox in a manner that technology and the result of the innovation will belong to the owners.  The only wish from the government's side is that the application, the testing side would be in Lithuania.

And the idea is that we want as a policy maker, to be able to be very flexible and dynamic and respond to all the innovations and changes needed in the regulation framework.

And I think this is not only to create more applications on 5G technology-based solutions and to solve some of the problems in Lithuania, as it is more of the exercise for the government as well to adapt on the regulation measure, as well.

So we are very, very excited on this sandbox regime, because we do believe that now, we kind of fill the whole value chain, so we are not only creating the infrastructure, but we're encouraging the private sector, as well as, you know, public companies to participate and create applications in autonomous driving, in healthcare, in all other industries and we'll see what's going to happen.  I'm very happy and hope that at the middle of next year, we will see some very great results, and we will be able to share about it.

So maybe it is for first intervention that's it and later on, we can continue. 

>> ARMANDO GUIO: Thank you, vice minister.  Very interesting to hear some of those points, especially on the flexibility, attracting the private sector, presenting the results of the sandbox, which seems to be sometimes an easy task, but it is not as easy as we can imagine and from that, I would like to go to one of the sandboxes I have been studying the most, that basically I have been working with governments, especially in Latin America and they always say look at the sandbox in Singapore.  What are they doing in Singapore?  And how the Singapore sandbox is working?  How were they able to achieve these results?

And from that, Denise, we would like to hear from you because your experience in sandboxes has been pivotal for sandboxes to become a reference around the world.

We would like to hear perhaps some elements on that experience and how do you think, especially if a data protection sandbox has been helpful to achieve this balance between being responsible, being also flexible, but at the same time, feel like locking the value of data, which is also very important for many of these future conversations that we're having.

So the floor is yours.

>> DENISE WONG: Thank you very much.  And thanks for having me.  As you said, Singapore has experimented in sandboxes for quite some time.  It's been a very useful tool for us in policy experimentation and also in the experimentation of frontier technologies generally.

We tend to use it as a policy mechanism where there are uncertainties in application, as well as use cases.  And it's very much a tool that we use in partnership with industry where we need clarity on certain technologies or solutions surrounding different types of use cases.

We also look at it where organisations need support for compliance, and also to understand the integrity of their business use cases, and their intended business commercial pathways forward.

I wear two hats, both as the data protection deputy commissioner, but also as the assistant chief executive, and in that role I also look at data promotion and growth, and those are to us two sides of the same coin.

And so we view sandboxes as a crucial tool to support industry, but to also help them to find appropriate safeguards, guardrails and protections for the end user.

We've had a few sandboxes for a while now.  We specifically had a data regulatory sandbox that eventually grew to become the privacy enhancing technologies sandbox.  And that's been something that's been running for about a year now.  We've just closed the first stage of it.

And I would just like to highlight pockets of benefits that we saw.  Those are benefits to individuals because it gives them assurance and confidence that data is not being misused.  It helps with transparency and to flesh out questions of ethical use.

We find that sandboxing, experimenting in a safe environment cuts down on time for technologies to be deployed.

We also see benefits to the organisations that participate in our sandboxes because they can safely experiment with cutting-edge technologies that give them a competitive advantage, and, of course, I mean realistically that's what companies are trying to do.

We find that organisations very often come to us to provide regulatory support and guidance.  They want to understand the potential of technology solutions, but they also want to comply with what the regulator wants.

And I think interestingly, we also find -- and this is talked about a little bit less -- it creates opportunities for data collaborations.  Very often companies come with their own use case, they may not necessarily understand the ecosystem the way we see it from a more central point of view and a lot of what we do in sandboxes is putting together different parties in the ecosystem, matching them to technology providers or to end users or to intermediaries that allows that sort of ecosystem to be created in a specific sort of sector or specific use case.

That's not to say we don't benefit at all.  We benefit a lot because it helps us as regulators understand about technology, understand what the industry needs, and allows us to focus on areas that could potentially require regulatory guidance.

I just want to clarify that we don't necessarily think that sandboxing must lead to regulatory guidance.  For us it's just one of a broad range of policy levers and tools that we have.

We do a modality, I don't know if I'm jumping forward a little bit, but do tend to publish use cases and reports at the end of each experiment, and that in itself, sometimes, it just ends there, but it gives the sector and people who are interested a sense of what were the regulatory issues, what were the obligations and responsibilities that arose out of us working through that use case?

I would just say as regulators that we do get our hands quite dirty.  We spend a lot of time working through the mechanics of each individual use case to understand what are the concerns, what the issues are.  We bring other regulators on board where there are issues that don't fall within our purview, so it is quite an intensive process for us.

>> ARMANDO GUIO: Thank you.  Thank you.  Very amazing experience and elements that you shared there.

And with that, I think -- so Lorrayne, we have heard about this case, I don't know if we can already call that a successful case of a sandbox being applied to data protection.  We have seen some of the elements that have been used also in Lithuania for the development of the sandbox, in Singapore.

In your experience, you had worked from the DataSphere Initiative, working with different governments, working on reports on how to build these kinds of projects.

What do you think governments should do?  What is the checklist of elements to develop sandboxes that have the capacities, that have the impact that we would like to see on such projects that have a lot of work to do, a lot of resources to be used?  We want to be effective on those.  What do you see are the Best Practices perhaps?

>> LORRAYNE PORCIUNCULA: Thank you so much for the question, and it's a pleasure to be here on this panel because sandboxes is also a passion of mine, and so seeing one workshop that we get to discuss this in the IGF, it's just a pleasure.

So on the question, I think that there isn't a particular set of skills or a skill that is needed for you to deploy a sandbox.  I think there are as many skills as there are sandboxes and there are as many sandboxes as there are use cases because no sandbox is going to be the same, depending on the national jurisdiction where it's located, what's the institutional framework, what are the core partners that need to be involved?  What is the issue they are trying to solve?  What's the time frame, and the complexity of all of this is just -- it makes it exponential the number of different skills that you need to have and the people you need to bring in the house.

And I think that's sort of an important step into demystifying what sandboxes are, and that's sort of the campaign that I'm trying to lead from my own corner in the DataSphere Initiative.

We have a report that we published last year called Sandboxes for Data, Building Agile Spaces Across Borders to address the issue.  In that report we tried to look into the good practices and I consume a lot of the reports that are coming out of experiences, such as the one from the Singaporean government.

But also in terms of what other actors are doing in different countries and trying to be systematic about understanding what has worked and what hasn't.

We're still at the early stages of understanding how they can be deployed to other use cases, right, but there is a maturity in trying to understand what are sandboxes and we can all agree that it's an umbrella term that captures a whole lot of things, right?

And I think depending on who you ask what sandboxes are, they're going to have a different kind of definition.

And that's okay, and we should be okay with it as well in terms of seeing it as an anchor for a policy prototype, for experimentation.

And the second aspect that we're looking to also is in terms of the potential of using this internationally, which I'm going to come to later in the panel.

And what I realise is that having done that study and that analysis of the experiences internationally, and then talking to a number of governments, there's still a lot of -- people are still very much afraid of what it means, in terms of resources and skills that are necessary, because they are under the impression that something that you need to be a very sophisticated regulator in order to be able to deploy.

And I think the first step is trying to say that actually it should be simpler.  It should be about looking at a different way before you design policies and regulations in terms of engaging stakeholders, rather than doing something where it's sufficient for you just to post a line, and then forget about it.  How do you actually engage stakeholders from the design stage?

And how do you build that trust, that institutional trust with the private sector and Civil Society and technical community, and government, and regulators in order to come together and get their hands dirty.  And that's not something that a lot of institutions are prepared to do, or have the framework that allows them to do it.

So for me, it's less about the skills in themselves, but them being allowed to do that, to actually engage purposefully with stakeholders.

And this is an important part of the capacity building that we are doing now and with the support of the foundation, now a starter project in Africa, and through Africa sandboxes forum, we're bringing together stakeholders to create that community of practice in terms of sharing what can be done and what are the issues that we would like to solve in an interactive fashion?

And doing that in terms of -- we have a course, which we designed that takes you through in terms of what sandboxes are and they potential so that's an important part into building that skill, in terms of words and vocabulary that we are using in the space.

But also in terms of how do we turn this into practice?  So rather than just being a talk shop where we're talking to them about sandboxes and what it should be, we are actually in the best way of a sandbox bringing them together in terms of can we identify an issue that we can address?  And can we do so in a way that helps with issues that are relevant among different countries at the same time with different stakeholders through dedicated sandboxes that we are piloting and seeing next year onward.

And I think that's a step in terms of being able to define what are the appropriate stakeholders involved, depending on the use cases?  What are the technologies that might be necessary, if you're looking to operational sandboxes and to transfer data as was mentioned?

But also in terms of what are the arrangements in terms of mitigating risks that may emerge?  What are the different kinds of ways for you to look into measuring and monitoring and evaluating the success of that sandbox as well?

And so we are in a process where we are -- and I like to say and I'm not joking, but it's sandboxing sandboxes really in terms of how they can best function, and I would like to see a space where we are able to share more of those good practices, so that we can reduce the costs of actually implementing those sandboxes in sharing resources among each other.

>> ARMANDO GUIO: Thank you, and I really like this idea of exactly, of sharing and we definitely should talk a little bit more later on, on the global forum for sandboxes and sharing these kinds of ideas and having these kinds of forums for these interactions.  We have two colleagues, actually three colleagues that are on the Zoom connection, and I think they're in Africa, Europe and we would like to say good morning to them I think.  So I will start with Kari Laumann from the data protection authority in Norway.  So nice to see you.  We have been hearing about all these experiences and we needed to have the approach from one of the first authorities that developed a data protection sandbox, dealing with the black box question about AI.  We would very much like to hear from your experience in Norway and what you can share with us and, of course, like what do you think were the benefits and have been the benefits for Norway of having this sandbox?

And at the same time, especially Kari you can make a little bit of emphasis on the entrepreneurs in the country that has been involved in these kinds of projects, that would be amazing.  The floor is yours and thank you for being here.

>> KARI LAUMANN: Thank you and good morning.  I wish I could be there with you, but I'm calling in from Oslo.

So we first made a sandbox in 2020 and to pick up on Lorrayne's suggestion to share Best Practices.

One of the good experiences we had in building a sandbox was that before we opened the sandbox for applications, we did speak to Norwegian companies and we asked them what are your needs?

Can you hear me okay, by the way?  Is the sound okay?

Not so good?

>> ARMANDO GUIO: Now it's better I think.

>> KARI LAUMANN: Okay.  Can you just give me a sign that the sound is bad and I can try to change?

>> ARMANDO GUIO: It's not the best.  I don't know, but we are able to have the --

>> KARI LAUMANN: Is it better now?  I can change the microphone.  Pascal, can you hear me?

>> ARMANDO GUIO: We have the closed captions here and perhaps that's helpful so you can continue like this and we will follow you with the closed captions.  No worries.  Okay.  So yes, please, continue.

>> KARI LAUMANN: Is it better now maybe?

>> ARMANDO GUIO: Yes, we think it's improving.

>> KARI LAUMANN: Okay.  Sorry about that.  So we started our sandbox in 2020, and the focus for our sandbox is data protection, and artificial intelligence.

And before we opened the sandbox, we asked Norwegian companies what are you wondering about when it comes to AI and data protection?  So this is three years after the general data protection regulation in Europe came into force, the GDPR.

And the Norwegian companies said we have the regulations and requirements, and we're starting to use AI, and we have some guidance, but we're wondering how will this work in practice?

So specifically they asked okay we have to show transparency, but how do we do that in practice?  Do we need to open the black box?  There's a requirement about fairness.  How does a fair algorithm look like in practice?

And also there's a requirement on data minimization.  How do we do that when AI needs a lot of data?

So for us, we got to work with the Norwegian companies, real cases, where we tried to help them solve these quite interesting cases, and also, at this point, we didn't have a lot of legal precedents in Europe about applying the GDPR to data protection authorities.

So the sandbox has been a great opportunity for us to dig into issues that we see coming in the future.

And I think it's been valuable for the participants in the sandbox, that's the feedback that they give us, and we work with public, private companies, small startups, but also big corporations in Norway.

And the feedback we get from them is that it's useful because it's very hands-on.  You need to get your hands dirty, as Denise said.  You have to really dig into the issue.

So it's quite resource-intensive for us to run this sandbox, because we really go deep in each individual case.

And for us, it's also been very important to be transparent about the process and the findings.  So for each project, we have an exit report where we share what do we do, what discussions did we have, and what were the conclusions.

So the idea for us is by helping one, we help many.  So it's important for us to choose companies and projects that have been questions that a lot of other companies are also wondering about.

>> ARMANDO GUIO: Thank you, Kari.  The sound improved perfectly and that last point on presenting the results, it's very much important I think for the future of sandboxes and many of the sandboxes we have seen.  There are a lot of sandboxes now, but how many reports and results we have?  Like two or three big examples of how results have been presented and that's why I think this experience in Norway has been also very interesting.

And we have heard of government authorities working on this.  Now it would be interesting to, and it's a pleasure to have you, Ololade Shyllon, that we can also have your approach from a private company, private sector.

How do you see the sandbox experiences?  What's interesting for you?  What calls your attention?  When you hear about a new sandbox in X or Y country, what's that point at which you say this is interesting to hear more about?  This is a sandbox which I would like to participate in?

So it's a pleasure to have you here and we would like to hear your perspective on that point.  Thank you.

>> OLOLADE SHYLLON: Thank you so much.  It's a pleasure to join you in this very, very interesting conversation so far.

So, of course, for the private sector, you know, the benefit will depend really on the type of sandbox we're looking at, some of the unique contexts and specifics of each sandbox.

But generally, we believe, you know, that sandboxes are very, very important and they help in so many ways.  To, for example, reduce regulatory uncertainty, to offer, of course, a safe space for innovation, which is very important.  And sometimes, it also helps companies to be able to adapt quickly and be more competitive.  I think the other part is also being able to build trust.  Someone alluded to that earlier.

To build trust between regulators and the private sector is also an important benefit.

So at Meta, we have mainly engaged with sandboxes from the position of facilitator.  So a couple of years ago we developed a programme called Open Loop, which essentially is an experimental globalist programme.

We try to bridge the gap between tech.  We foster collaboration between those developing technologies, different startups and companies and those regulating them.  Basically, regulators in the field.  It's a very multistakeholder process with governments, tech companies, academics around different issues.

And we do two things.  So the one bit is regulatory sandboxes.  But we also do policy prototyping as well to ensure that we are looking at -- we're trying to support better regulation in the ecosystem.

And so we've done a lot of this globally.  I will say, except in Africa and the Middle East and if we have time I can come to why that has been an issue.  I think some of the challenges have been alluded to earlier.

But we've done a lot.  For example, we did sandboxes in Uruguay and Mexico around privacy enhancing technologies.  We've gone in India on human-centric AI.  We did a couple based on the EUAI act which threw up a lot of things that I would like to share about what we think are the most important shall I say conditions or factors to take into account in having a successful sandbox experience.

So I'll run through them very quickly.

So one, of course, is having very clear focus and goals because there's so much -- actually now with the conversation around AI, there's so much -- I think there's also a possibility of people wanted too much and really that's not necessarily possible, so having a clear and focused goal is very, very important.

Another key thing that came out of the EUAI act experimentation here was having generalized results, to make sure that whatever is come up with can be applied not only for those in that particular sandbox, but beneficial for those in the ecosystem, generally speaking.

Other things having clear timelines.  There have been conversations around sandboxes taking a lot of time, which sometimes is why a lot of folks are hesitant to engage, especially regulators.  So having very clear and defined timelines.

Having clear responsibilities and rules for participants.  You know, also technical expertise.  This doesn't mean it has to be 100% level of expertise as mentioned, but being able to articulate what the key issues are and being able to work through them.

Also selecting the participants, we use objective criteria so they're able to have a good representation across the board.  Otherwise, it becomes, you know, problematic in terms of sort of sharing the outcomes because then it becomes an issue of we didn't have a good spread of participants in the sandbox.

And, of course, I think collaboration is very important.  Fostering collaboration between not just the companies and the regulators, but also amongst companies, and, of course, if possible, it is across borders amongst regulators, as well.

What I want to flag lastly is the benefits to participants.  There has to be an obvious benefit to those who are participating in any kind of sandbox.  Otherwise, one might struggle to get high-quality members interested and participate.

And, of course, there's a whole range of ways to make this happen.  And ensuring that they actually have access to the regulators.  Also sometimes having access to facilities to experiment could be what pulls them in.

In some cases also certifications.  Sometimes when you go through a sandbox, you get some kind of certification that shows you have been able to engage and acquire some kind of skills.  That's something that also supports participation.  So that in a nutshell are some of the things that we think help, in terms of having good outcomes in terms of sandboxes across the board.

And just to flag, like I said, earlier that there's been challenges with getting this going in the region, but only data related -- we have one or two fin tech related sandboxes in Africa, as well as in the Middle East, but the only data-related one so far started a couple of months ago in Saudi Arabia.  Still in the very early stages so there's not much to share about the lessons that were learned in that regard.

I think I'll stop here.  Thank you very much.

>> ARMANDO GUIO: Thank you.  We want to also finish this first round with your remarks, which I think are very interesting because that idea of building trust among different stakeholders, it's always a big challenge, and I think it has a lot to do with the design of many of the sandboxes and participation spaces that there are.

And talking about also participation, we would like to open the floor for this first round of questions that you have.  And I think you can stand up here or here for the microphones, and please, if you could present briefly yourselves, give your name and your questions.  We're more than happy to hear you.

>> Good morning.  Mostly my question is for the expert from Singapore and from Finland.  The national authority needs to run a sandbox.  On average, for a use case, how many days per person is necessary to start it and to create a test base?  Because it seems that it's connected to handling a lot of cases.

>> DENISE WONG: We don't handle a lot of cases.  For us, a sandbox is not a tool for volume.  It's not like a framework policy where you set the general principle level or even the obligation level and it applies to thousands or hundreds of thousands of cases.  In a year, maybe we work on six to ten cases where we really just are working on what the use case is.

I think one of the things we find helps a lot is to set very clear use case objectives.  So if it's very tight in scope, the parties already know what they want to do, it's really about just working through the accountabilities.  Then it is more straightforward, easier to do.  If it's about helping companies to find players, technology players, they know they have a data problem.  They want to use a privacy-enhancing technology.  They don't know which one.  That becomes a longer process, a more involved process and it can take many months to sort through.

So I would say, the way we do it, it's fairly customised to the use case and it can take an average of three to six months to work through a use case.  Sometimes, even longer than that.

But, of course, we have other policies and innovation tools, such as policy clinics which we're just giving quick advice on accountability, that one can be much faster.

>> AUDIENCE: Good afternoon.  I'm from Bangladesh.  Thank you, panel, thank you moderator and honorable minister.  We learned so many things regarding the sandbox from this session.

I learned from you, for instance, Mr. Moderator, CNET has developed one sandbox regarding the misinformation.  So how can we utilize this sandbox regarding the misinformation from the Civil Society side, apart from the government?  Thank you.

>> ARMANDO GUIO: Thank you.  Well, that's a big question.  I think that we're having sandboxes on misinformation not only that we would like to analyse, but to gather some good evidence on how these technologies are actually spreading misinformation and what kind of measures can be used?

I think that's one of the biggest questions that we have right now, like what measures can be used, and how to implement some of those and that's where sandboxes become attractive because we have this flexible space in which basically we can interact with some companies and basically try to make them get involved into these kinds of questions, concerns, let's work together, let's involve Civil Society that has been doing some great work in this area and let's trying to show you basically what could be the measures there to put into place.

I don't know if the sandbox in misinformation is actually a sandbox on providing flexibility.  I think it's more on providing trust building efforts.  Perhaps a multistakeholder approach, but that's how I see it.

I think there's interest in many countries to start with this kind of work, even before regulating because there's a lot of ruth pressure, also.  Why don't we regulate these kinds of practices?  Sandboxes are seen as a first step before going into that.  That's how I think we will see some sandboxes on misinformation more and more I think in the near future.

>> AUDIENCE: Good afternoon.  I'm with the DataSphere Initiative.  I just want to make a quick comment.  The word umbrella term has been used, and I think it's an illustration of the fact that the sandbox is also -- the sandbox approach is a spirit of experimentation, and there's a growing toolkit or tool set for governments to experiment with various approaches, depending on the topics.  You mentioned the clinics and so on.

And the consequence is that it is particularly adapted to the early stages of any policy development or policy interrogation, which is the agenda setting and the issue framing, which is a stage that is usually skipped because the moment people have identified a problem, they run to say my solution is A, my solution is B, instead of taking enough time, early on, to frame the problem as a problem that people have in common rather than a problem that they have with each other.

And so thinking about sandboxing as sometimes, an early tool to identify how to shape the problem before you get into drafting whatever guidelines, regulation or code of conduct is probably an important element in the sandbox approach.

>> ARMANDO GUIO: Thank you.  I don't know if there are any reactions to that?  Okay.  Thank you.

>> My name is Christian Rumsfeld and I have a question related to one of the potential risks of sandboxes.  Given the very nature, the number of terms that can participate in the sandbox are, obviously, limited, so the question is how can we make sure that there are no distortion of competition going on that is favouring those companies participating?  And also how can we avoid regulatory capture, given there's that close interaction between the regulator and the companies?

And so in general terms, how can we make the sandbox more fair and nondiscriminatory?  Thank you.

>> ARMANDO GUIO: Anyone?

>> LORRAYNE PORCIUNCULA: Thank you very much for the great question and having worked on sandboxes, and all the risks that we actually need to balance, and that's one of them, right?  In terms of competition and regulatory capture.  And I think that's part of the process of trying to ensure that you're building trust with a broad Spectrum of stakeholders and what's interesting about sandboxes is that it does allow the regulator usually the flexibility to go beyond the traditionally regulated entities.

That's been the case around fin tech and so perhaps you know the experience around fin tech, it's a very regulated sector, right?  Central banks have banks that they regulate and that's a very tightly knit group.

Here the experience with fin tech sandboxes, what happened is they did open calls for different startups and companies to come in and provide different services to insert to a demand, to a problem.

And here, there were telecom companies that came in, startups and a whole bunch of innovators.  And the solutions that came through the fin tech regulatory sandboxes have been really impressive in terms of providing in the case of Brazil, for example, instantaneous payment systems that right now, 4 out of 5 adults use, it's the fastest-growing payment system in the world, it's called Picks, the fastest-growing ones are in India and China.

And it was a concerted effort that went beyond the traditional companies, the traditionally regulated companies.

So in terms of spirit, it is something that it's meant to be more encompassing than what a traditionally regulated sector looks like.  Of course there are always risks that that's not going to be the case.  We're going to choose the champions and just invite the ones we know best.  But I think being cognizant of that risk is a first step in terms of trying to mitigate it, particularly so that there is no regulatory capture, which is always a concern when looking to healthy regulatory frameworks.

How do you build governance around these spaces?

So having good conversations around practices and also on the frameworks that need to set up, at least the minimum conditions for regulatory sandboxes, I think is the first step to go, to mitigate those risks and anticipate them.

>> AGNE VAICIUKEVICIUTE: And if I may very shortly add from the Lithuanian perspective, what we have done so far.

So as an obligation to participate in sandboxes and get the financing for any testing purposes, there should be a group of stakeholders involved.  It's obligatory to involve higher education institutions, someone from Civil Society.  So there is a range of compositions that is an obligation to be a part of.

So I clearly understand the threat there.  We don't want to see one side of sandboxes and solutions.  Therefore, the broader stakeholders group has to be involved, and I think that we clearly put it into the rules of participation, just to avoid this obstacle.

>> ARMANDO GUIO: Thank you.  And we have to perhaps provide space for one more question, and, of course, at the end, I will -- we will have the space.  We have also the online moderator and everything.  So thank you.

>> AUDIENCE: Sandboxes in my experience actually break away the concentration that takes place usually in smaller financial sectors.

I was on a committee as a tech lawyer for the Middle East of Pakistan's central bank.  We did exactly right an innovation challenge fund, so there was money as well as the ability to have your idea sandboxed and approved and what we noticed was basically by going through that process, we got startups etc.  Nobody was interested in the money as much as they were interested in the approvals.

And the most amazing thing was that it had a multiplier effect.  And I'll speak about that in a second but the more important thing was that it started having conversations between regulators, saying you're not the only ones, you need to actually get approved from another regulator.

So the conversations broadened.  That was helpful for the ecosystem.

And as a result of these things that happened, the central bank was confused about things like should we allow cloud in the financial sector?  Should we do core treasury systems on cloud?  And electronic money issuers and digital banks were enabled because of this exercise.

So that was very, very helpful.  But I have a question.  My question was what I just mentioned regarding the learnings between regulators.  Have you found that has been something that you all have experienced?  That one regulator is doing financial services and there's other regulatory approvals that are required?  And how do you interact and coordinate that effort when you do a sandbox?  I would love to know.  Thank you.

>> DENISE WONG: It's a great question.  We do work more domestically.  As the IMDA, we hold the horizontals for data protection, but in a use case, for example, where we have a finance use case and a finance regulatory question comes up, we will bring in the monetary authority, for example, to work out joint guidance.

If it's a healthcare one, we'll bring in the relevant regulator, because very often from the business's or industry's point of view, they're regulatory questions.  They don't care which regulator is going to answer the question or they realise it crosses different silos.  That's also been a fairly interesting way to solve problems, and it's been confided a helpful exercise, not always the easiest, but I think quite important to move things forward.

>> AGNE VAICIUKEVICIUTE: If I may just very shortly add, it's a very interesting topic.  We could talk about it hours and hours.

Once again, in the Lithuanian case where we were focusing mostly was the technologies or ideas, which would be at the very high level.  We are not talking about sandboxes where the ideas are tested or tried on the very -- not mature sense.  We are talking, because the money is quite huge, we're talking about the last (?) that would be scaled on.

It's really important to speak on what side of the sandboxes and the idea's maturity we're talking at.

>> ARMANDO GUIO: Thank you and thank you for all the questions and hopefully, we have some final minutes for those questions that are left and many others.

I will give the floor then to the online moderator, to Pascal Koenig.  Please.  The floor is yours.  And you have some interesting questions and the challenge of making this 30 minutes or less.  The floor is yours and thank you for joining, even though it's early morning thank you.

>> PASCAL KOENIG: Thank you.  It's my pleasure to join you online and to guide you through the next set of questions.

And I would like to shift the attention a bit and pick up on something that especially Lorrayne has already commented on.  I want to adopt a bit more of a regional perspective and look at the aspect of international cooperation.

So my first question is, I'm interested in how important is it to learn from other experiences when implementing and operating a sandbox?  And perhaps more specifically, you can also say something about how transferable are sandboxes from one context to another?  How much work has to go into adapting them when you transfer them?

And since I'm online I would like to direct the first question to Kari.

>> KARI LAUMANN: Yes.  So I think we were one of the first data protection sandboxes in Europe, but there was one before us, and that was the RCO, the British data protection authority.

So when we were starting our sandbox, we did reach out to them, and they were very generous in sharing their experiences and even documents.

So we learned so much from them.  Of course, we had to adapt.  We didn't just implement, because there are cultural differences; there are so many differences.  So we did adapt it.

But that was super useful.  And I think also the spirit of sharing, we have kind of carried with us.  And we've had so many different countries in Europe and beyond reaching out to us because we're one of the first sandboxes.

So we've also tried to share all that we can from what we have learned and what we have built, and I think it's been really useful since the sandbox concept is kind of new and a little bit of fussy for a lot of people.

So I think sharing the experiences that are there is very important.

And I also agree with what has been said earlier in this panel, that there's not like one definition of sandbox.  You can make it your own and make it fit your own purpose.  So I think sharing is important, but also listening to the needs of the target group that you're trying to reach is very important and tailor it to your own purposes.

>> PASCAL KOENIG: Thanks, very much for these insights.

And for the panelists in presence, I also direct the question to you perhaps Denise, since your sandbox has been an inspiration to others as we've heard before, what's your perspective on the importance of sharing learning from experiences and the transferability of sandboxes?

>> DENISE WONG: It's a great question.  I think so far I could say honestly a lot of it has been domestic focused.  There isn't an APEC framework in the areas that we work in.  A lot of it was about helping industry and we do work with industry players who operate all over the world so there is an international element.

But I think more and more, as we have tech conversations like these, as we meet more and more interested regulators, as the interest in sandboxes grows as a regulatory tool, I think there's a lot we can learn from each other and a lot that we can learn from the use cases that we all sort of get our hands dirty on and do.

So very supportive of this broader conversation and principles that we can all buy into, and I think absolutely a lot of these questions about data protection or misinformation or AI are transferable, just by the very nature of the theme, and so we have a lot that we can learn from each other.

>> PASCAL KOENIG: Thank you very much.

I would go one step further and also ask in what ways can international collaboration and exchange on the regulatory sandboxes be most helpful for regulator authorities?  What do you think are important areas for collaborating?  Which areas are especially important currently to advance?

And since Lorrayne has already said a little bit about the importance of exchange and collaboration, I want to direct the question to you.

>> LORRAYNE PORCIUNCULA: Thank you so much for the question.  And I think it's important to consider that while sandboxes had been deployed nationally, there's so much potential not only for sharing those experiences internationally, but also on co-constructing and building those internationally, from a cross-border perspective.

In the report that I mentioned that was published last year, we listed a number of different areas where they could be tested.  So, for example, in testing privacy-enhancing technologies, which was already mentioned here, but from a cross-border perspective, by looking at as well through issues like new data intermediaries that we will that are emerging.  So think about the role of data fiduciaries, or, for example, data commons, data collaboratives that may exist in one country and may want to be certified or recognized in another jurisdiction.

So how do we do that?  How do we create that space that actually allows for this exchange of what are the minimal requirements?  How do you actually get that transferred cross-border as well?  So we can think through technologies and issues that are more transversal that are emerging within the digital space.

But also, I think more vertical sectors, in terms of how cross-border sandboxes could be used, for example, to address issues that are already included in trade agreements.  DIPA, which is one of the new trade agreements that Singapore is a signatory to, together with New Zealand and Chile, with Canada also acceding to it, includes already a provision on the potential of having a data sandbox within DIPA.

Now no one knows how to do that right now, but it's already included as a provision.  And I see that this new generation of trade agreements may as well include beyond the lengthy process that it takes to negotiate and balance multiple interests into a static text, that it actually creates the fora for us to test what are the issues that businesses and society and regulators within those different countries care about?  Care about enough to work together to solve the solution?

So it's very much around how do we operationalize a lot of those issues that we spend a lot of time negotiating behind closed doors?

So trade agreements for me as an issue, and it's one that we include in the report.

The other one is around health.  So think about the issues around transferring sensitive data cross-border, but also on the opportunities of using that for research and innovation?  Particularly in the moment of pandemics.

But also on the complexity of balancing those objectives of innovation and research and public health with issues around data protection and also regulatory systems that somehow interact with health objectives.

About the issue of climate change, which is the most transversal issue that we have on our planet.  How are we actually going to get through working on solutions if you don't have the space to collaborate together, right?

And what for me is very encouraging is that we can use this as a blueprint to think about international cooperation in a different way.  So I have a career having worked in different international organisations at the ICU, before I cofounded the DataSphere Initiative, and for me, we need to think about not ways to supplant multilateral processes, but at least to collaborate with them and create a space where we think about solutions and we are concrete about it.

And so for me, that's where it lives, the opportunity for cross-border sandboxes, for us to create that space where we are between just do-nothing and regulate and forget.  We have to find the sweet spot, the Goldilocks spot where we can find a solution.

>> PASCAL KOENIG: Thank you so much for these interesting comments.

Certainly important issues and for our colleagues who also are interested in the question of enabling cross-border data flows, so that's certainly something to continue the discussion on.

I would also like to invite a private sector perspective on the question of international collaboration and those areas that are especially important.  Ololode, would you also say a bit on that perhaps?

>> OLOLADE SHYLLON: Thank you so much.  I fully agree with what Lorrayne has said.  I think by their very nature, sandboxes require multistakeholder collaboration and there's a lot of things that can be learned across the board, if they're given a chance.

So definitely broadening this kind of collaborations across borders would definitely enrich the learnings and help policy makers better understand the ecosystem and be able to figure out the kind of policies and rules that would apply in different contexts, in different environments.

And this in a way would help with harmonization.  So at Meta we believe in having a harmonized approach to policy making.

In a way, whilst we know that different countries have different rules and different laws and legal systems, there's a lot to be learned in terms of working together and collaborating on these kinds of approaches because at the end of the day, we -- globally there are a lot of treaties that exist, even though each country has their own domestic legal systems.

So of the same kind, working together cross-border with the regulatory sandboxes and the like, for us it's very, very important to ensure that there is this widespread collaboration across the board and consensus.

Of course, things, there's cultural nuances, there's specific nuances, but at the end of the day, at the high level there are basic principles that apply across the board and that one can learn from experimenting and collaborating in this space.

>> PASCAL KOENIG: Okay.  Thank you, also.

And going a bit further in that direction, what are your observations regarding the need, but also how likely it is there's an increasing harmonization of sandboxes beyond the national level, either through new sandboxes that are being created on the regional level or perhaps through a stronger harmonization of existing sandboxes?

>> OLOLADE SHYLLON: So likelihood is a very tough question.  I think it's a complex issue.  There's a lot of factors that come into play.  Like I mentioned differences in legal systems, but like zeroing in on the region that I cover, which is Africa and the Middle East, there's a lot of challenges that I think exist in sandboxes that are more acute in the region.

So things around the time it takes for this to be executed.  Things around the costs that it involves and the realities -- if we're talking about data governance-related kind of initiatives for sandboxes, it's fairly nascent in the region.

So most of the regulators are trying to figure out exactly how to build infrastructure, like build their organisations, and at the same time, there's a lot of impatience from ordinary people with them being able to enforce and show that they were actually advancing the ecosystem.

So you find many of them trying to say how do we prioritise being Lidge and being able to do what we need to do, what we are expected to do?  In that case we could prioritise that, we don't have enough resources, financial or technical to be able to focus on sandboxes which take too much time for us to be able to see any benefit.

That's one of the challenges that we are seeing in the region, but we are hopeful that with organisations in this region we can see some push and momentum towards having sandboxes, because they're very important for ensuring innovation in the ecosystem in the region.

>> PASCAL KOENIG: Okay great.  Thanks and maybe to get perspective also on a different region, to get a bit of perspective from Lithuania, Agne, what is your perspective on the need for harmonization on a regional level and how likely is this to be?

>> AGNE VAICIUKEVICIUTE: Thank you very much for the question.  I think that there was already a lot of good things said.  I think that if we talk in the short-term perspective, harmonization, maybe it's not the way to go.  Maybe I would use a better word:  Collaboration across borders.  That I would expect happening in a short period.

I think that harmonization is always better for those who were not first movers for countries like Singapore or others who have a lot of experience already there, and openly shares it with other countries.

This is something that would be maybe not so interesting in the short perspective.  I think that we are talking about, you know, innovations at this point so innovation is very important, you know, not only to have a safe space to test it, but also to have a freedom to explore the potential there.

I think what our experience is in this field, we also were not unique in the sense of our sandboxes and I'm proud to say that we got the experience, of course, from the U.K.  We went there, we invited them, we had a huge conference to share about the sandboxes.

There was a lot of things they said that we should not do.  It was very valuable for us.

So I think the harmonization maybe it's too early to have this question at this point.  I think now today, we are talking a lot about what is the concept of sandboxes?  What kind of sandboxes we do have?  We have some just, you know, good initiatives already so I think what we really need, we need to catch up with the scale on sandboxes on so many different levels and just to show maybe for other policy makers how valuable it is.

I'm convinced already, but that's not enough.  I think if we want to make huge changes within the governments, we need to if I think further.

So during this panel, I got so many ideas how fast we need to go to Singapore's prime system.  I'm joking, of course, but thank you very much.

>> ARMANDO GUIO: Thank you.

>> PASCAL KOENIG: Thank you.

>> PASCAL KOENIG: I have more questions and I would love to hear more from you, but I think I'm keeping an eye on the clock.  I think we should leave some time for another round of questions from the audience and I can see questions online, but, of course, I cannot see them in the room so you can gladly go ahead.

>> ARMANDO GUIO: Great.  So I will start with a question here in person and we would like to get the questions in the Zoom room because I don't have them.  Please.

>> AUDIENCE: Thank you very much.  Thanks for the very insightful panel.  I'm the co-coordinator of the Open Loop experience in Brazil.  We are addressing privacy-enhancing technologies.

I would like to add a bit on Lorrayne's comment of having sandboxes discussed in a privileged space like this.  For years we have talked about the necessity to regulate in a more adequate, dynamic, flexible, scalable way and bringing sandboxes to this privileged space means that we're considering it one of the tools to operationalize that smart regulating.  Yes for the digital space, but not only to it.

So my question is a little bit more mundane, though.  It's a question about time frame and I would like to have these experiences between maybe Norway and Singapore.  You have a framework to operationalize the sandbox and there's a space where you wade back in as a regulator to say if and which measures are going to be taken out of the experience here.

The question is how strict you intend to be or have been on these measures?  Do you wait until the whole process is finalised as the regular framework foresaw or are you ready to intervene at a point where something stands out as very important not to be waited for?

Thank you very much.

>> ARMANDO GUIO: Thank you.  I don't know Kari, do you want to start there?

>> KARI LAUMANN: Yes.  I think this is a very good question and very relevant for us as regulators.  I think from my side it's a bit different if you're a private actor and you have a sandbox, but as a regulator, our kind of powers are very strictly regulated in the GDPR, so we are to case handle, we are to do enforcement actions and we are to give guidance and for the sandbox for us, this is a guidance tool.

So we call it dialogue-based guidance.

So for us it's very important to be clear that this is not a decision.  We only give guidance in the sandbox, and then the company who is participating can decide themselves what they will actually do.

And also, we're very clear that we don't give any exemptions from the regulation.  So even if they're in the sandbox, the regulations still apply.

So our sandbox is more about exploring those areas in the regulations where there might be questions or uncertainty of how it should be implemented in practice.

It's not about giving exemptions and a stamp of approval.  It's basically guidance.

So I think it's important to be clear about what the sandbox is, and clearly define that for anyone who participates or wants to take part in it.

>> DENISE WONG: It's a great question.  I would say that for us, it's a fairly dynamic process, because very often right from the get-go, we are trying to understand what's the regulatory issue they're trying to solve for?  At the end of the process we come up with the case study or with the published report.

So obviously, there is that process, but I think throughout, in the engagement, we are working on the ground with them to work out what are the regulatory issues, what are the interjurisdictional issues, where are the interdisciplinary issues?

And we are going back and forth on that process all the time throughout.

So it's definitely in the realm of guidance.  For us, it's a fairly agile and dynamic process and I agree completely with what you said earlier in your speech, chits really about agile policy making.  It's very much in that space for us and we don't really see this as you go figure it out and we'll give you an answer of it.

>> AGNE VAICIUKEVICIUTE: So thank you very much, very good question.  I think our perspective is from a different angle because I'm not from the regulatory authority; I'm from the policy makers side.  This was initiated from our side.  So we understand sandboxes as a part of working very closely with the ones who are testing all of these innovations.

And once again obviously, it's a very dynamic process.  Nobody wants to implement or change any rules that is absurd or whatever, but the idea was to kind of open it and be dynamic in the regulation, as well, because we have some of the regulations already in place, but there are no usage cases, so it means that it's written on the paper, but in reality, it doesn't work.  So that's what we are having.

So our perspective with sandboxes is to try to close this gap, and obviously, we understand that nothing could be taken for granted or fully within the process because we did not even touch on the fact that while doing those sandboxes, there could be some not usable cases in the future.  You are just testing.  There could be some failures, as well.

So we are looking into this more in a relaxed manner just to see what's going to happen, for everyone.  Thank you.

>> ARMANDO GUIO: Thank you.  This has been an amazing panel.  Very much on a topic that is still in the making.  I think there are many things coming on the way, global forum for sandboxes, Lorrayne, perhaps that will be coming.  Projects on different sides, Lithuania working on this, Norway still continuing their good work, Ololade, Meta is going to be a very important actor in many of these conversations and as a participant in the sandboxes.

Singapore, continue the great work.  This has been really amazing.

And also with the GIC working on this assessment on sandboxes and how to help countries be more efficient in the implementation of sandboxes, working with Pascal so this has been an amazing experience.  I hope that you continue the great work, hope that you continue with all the great questions and thank you again for joining.  This has been an amazing experience.  Thank you again.  Thank you very much.