Privacy Talk with Thiago Guimarães Moraes, PhD candidate in a joint-degree program between Universidade de Brasilia (UnB) and Vrije Universiteit Brussels (VUB): What is the future role of the regulatory sandbox in Brazil?
“This interview has been recorded on 16th July 2024 and discusses AI and data protection legislation.”
- What is the future role of the regulatory sandbox in Brazil?
- Why does the risk based approach is important?
- Message to listeners
- What is the future role of the regulatory sandbox in Brazil?
Thiago: Yeah, of course, I see a lot of progress coming in terms of sandboxes. Of course, as any new approach, there’s always some hype to that. Sometimes we see some institutions claiming they’re developing sandboxes and actually they’re developing other tools, other regulatory experimentation tools, which are also important and useful, but not necessarily sandboxes.
Sometimes we see people developing innovation hubs, test beds, but in the end of the day, there’s a lot of initiatives that are connected with the idea of a sandbox. And just to share the view that I have on what a sandbox would be, because,of course, it’s still a concept, it’s all development. It’s still maturing. What exactly a sandbox would be.
(Movie: Webinar — Regulatory Sandbox on Artificial Intelligence and Data Protection)
You know, I think we have to also consider that, but also for the audience that may not know so much about Regulatory Sandboxes. So basically, sandbox is a concept that we have had in the IT sector for many years, and it’s just this kind of secure environment where you can develop your system, I mean, your computer system.
And then can make some tests and they wll, and you can make some visibility of the progress and the development of that system until it’s matured enough for it to be deployed. That’s the idea of a sandbox, right?
And it reminds us a lot like children playing in a place that they can drop and they fall and they will not hurt that much because it’s a comfortable space. So this concept has started migrating to a regulatory landscape.
And what we mean by that is that nowadays, every sector has so many regulations that sometimes becomes very complex for companies, especially startups, to start developing something that sector, because they might feel feel constrained by these rules, and maybe that’s one of the main reasons that the financial sector was the one that most started this right.
And this happened much everywhere in the world, and Brazil is also one of the case. So one of the leading regulatory sandbox cases in Brazil. We’re done in our financial sector. We actually have not only one, but three different regulators, financial regulators in Brazil that are working with sandboxes.
So we have a central bank. We also have private security and we also have the exchange equities regulators. So all of those have developed their sandbox, and at some level, they interact with each other.
At the same time and this is important, because when, of course, when sandbox starts to become a thing, several other regulators have started to develop, at least here in Brazil, we’ve seen already, initiatives have been developed in the transportation sector so that the transportation regulator.
We have some designs also being made by the telecom authority and also the health authority. So they all are also starting the pilots. But we have to remember that each sector has its own characteristics.
It’s all features, and that happens a lot in the private sector, because private sector, like the private field, is not regulated the same way that many of the other regulators does, like in many other cases, first need a license to start developing something like for you to operate a telco company, you need some kind of authorization on the telco authority.
Right for you to start the infrastructure project in transportation, you need first this kind of authorization. So many times when we’re talking about sandboxes in these sectors, we are looking for space for testing something.
When you get like this kind of pre-authorization, this temporary authorization, to test that initiative.
- Why does the risk based approach is important?
For example, the transportation sector has been trying the free flow, right with the way that you can go in, oh, I just forgot the name in English, when you have to pay the I just forgot how to say that in English.
I don’t know if you know what I mean, but when you’re traveling the road, and then you have to pass to some spots, and then you have to pay for the infrastructure of that pavement, right.
So the thing is, the free flow allows you to just have this machine, small machine, in your car, and you just pass directly, and it will just be scouted from your bank account, right?
So this has been tested, and it has been very successful here in Brazil, it’s still, sorry I remember the word this toll, so you don’t, you don’t need to stop to pay the toll anymore.
It just can go. But this, of course, is still being tested because it’s still in a sandbox, but it has been so successful that’s probably will become the rule instead of the exception. But now, after giving some examples like that, let’s go back to the private sector.
Privacy regulations, data protection regulations, they don’t have a pre-authorization like imagine if every company that wants to process personal data needed first an authorization from the DPA to start processing.
First, the DPA would be overloaded with millions of requests, and at the same time that we would not be able to develop an assistant to innovate, because they would all have to wait for this overloaded DPA for the dentist staff person.
That’s why the risk based approach of data protection is the environment where you’re grounded. You as a data processor, as a data controller, but when you will decide that you’re going to process personal data for some interest to be profitable or not, you just do it, but at the same time, you look for some governance rules, some governance mechanisms, so you guarantee that you can be accountable for what you’re doing, right?
So since there is this shift at sandbox in the private sector, it cannot be about waivers. It’s way more about this collaboration, of getting the participants, the innovators, closer to the authority so they can understand better. What are these governance mechanisms? What are best practices?
What could be done and at the same time for the regulator, it allows the regulator to have use cases, very close use cases, to understand how these innovators are trying to develop more developed systems that are more compatible.
And in conformity with the data protection regulation. And so in this sense, you find this point of balance of responsible innovation in whichever kind of technology we might be talking about.
And this is also what we see in the AI sector, right? The AI regulation is way closer to data protection in that sense, because we don’t expect that people will need pre-authorizations to develop AI systems.
This, once again, would break the whole economy chain, right? So what we are doing is, okay, you develop an AI system, but you try to look at the risk level. How risky is your system?
Depending how risky it is, you present more governance mechanisms than no high risk system. So I believe sandbox and mouse in the AI field will look like this, a place for sharing best practice to make the regulator understand better what’s being developed, and at the same time, since we need to find also a balance, to not create an anticompetitive initiative.
We have to guarantee that everything that’s not a trade secret we shared with others. Why am I saying that? Because, I mean, there’s not only 10 companies developing five right now, and the regulator, a very mature regulator, does not deal with more than 10 or 12 initiatives at the same time, like the central bank is dealing with 10 use cases, the ICO in the UK is dealing with 10 or 12.
So you cannot do that many. Of course, there are 1000s of companies. So how you find this balance when you select in this case, these cases need to be as representative as possible, because when you finish the testing, you’re going to translate all the best practice of that of that initiative, and share with others.
So you guarantee that other companies that are developing similar systems will also have the chance of understanding better what the regulator is looking for.
So indeed, at the end of the day, I could resume sandboxes, at least from the privacy perspective, as collaboration, right, as sharing best practice and sharing knowledge about the systems and the regulatory landscape.
And I think this is how I see that things might develop, and I am hopeful that this might start, because with the future AI regulation will see a lot of these new regulatory sandbox approach popping out, and I think in within a few years, almost every authority in Brazil will have some kind of regulatory sandbox.
Kohei: Thank you for sharing your thoughts. The sandbox system has been discussed among the many of the countries at this moment and its key drivers to examine the practical use case and privacy technology, we hope for a more practical response from the regulators and the other involvement and the stakeholders.
So that’s been very important in Brazil as well. Thank you for sharing the insights. And so finally, I’d like to ask you about the message for listeners, because the you mentioned, the cooperation is so important, right this moment. So could you share about the few message to that?
- Message to listeners
Thiago: Yeah, sure. Well, I think what I could say to listeners is that we need to keep doing these exchanges just like what we’re doing right now. So especially if you are in the tech field and you want to develop new ideas, and especially those with that, look for a responsible way of developing these new ideas.
We have to keep exchanging, because sometimes someone has a red find piece of the puzzle, and we just need to connect with that person, you know.
And I think, some sense, several of the experience that I’ve shared today show a lot about that, how the experience of religion can influence the other, how sometimes a specific approach may not work that well for a specific case, but then another case it may work, and we can only do that when we keep sharing our ideas, seeing what work, what doesn’t work.
I think, also, and this is another message we shouldn’t be afraid of failing. What I mean by that is that, like our society, sometimes a very negative approach to failure, in the sense that if you fail an exam, you are out if, if you fail a rule, who might be sanctioned.
So we are always afraid of failing, but what we need sometimes is to remember that failing is a way of learning. That’s another lesson that I get from sandboxes, because sandbox has a lot to do with experimentation.
So the failure is also important evidence to know, okay, this approach will not work, so let’s try another one, and maybe tweak the failure approach a little bit. We might find one that work. So we should also be a bit more open to failing, as long as this becomes a lesson learned.
And I think also this is something that we might learn more with initiatives such as regulatory sandboxes.
Kohei: Yeah, that’s a great message. Regardless of your domains that you work on the challenges is much of my respectful actions. So that’s a great, great message that inspires the audience from your experience.
So again, Thiago, thank you for joining the conversation today. It’s a very important discussion with you, and I’m happy to spread this kind of information, exchange ideas with a global colleague together.
So thank you for joining again, Thiago this moment.
Thiago: And I want to thank you for inviting me. And for sure, it was a very nice conversation I hope to share also with my peers. I think these kinds of initiatives are always welcome to me, and if at any point you also want to connect with other colleagues from Brazil, I would be more than happy to facilitate that.
Kohei: Thank you.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
