Playing safely with personal information inside a regulatory sandbox
Artificial intelligence (AI) is driving innovation, with data being a critical component to enable AI. Data often includes personal information, which may raise issues from a data protection law perspective. Sandboxes may, however, create safe spaces for technology innovators.
Given that almost all of the remaining provisions of the Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020, and that organisations have until 30 June 2021 to comply with POPIA, technology innovators may be deterred from implementing their innovative ideas that rely on data, as they do not want to risk facing penalties for non-compliance with POPIA. Non-compliance with POPIA can result in significant penalties – up to 10 years' imprisonment and/or ZAR10 million in administrative fines, not to mention serious reputational harm.
A regulatory sandbox is described as a mechanism that safely allows businesses to test innovative ideas in the form of products, services, business models and delivery mechanisms without incurring the regulatory consequences of engaging with such tests. In many instances, the relevant regulator provides guidance to the participants to assist them in solving difficult problems that arise during the testing process. Many of these problems would have arisen in a live environment, and would have required real-time resolution.
South Africa's Intergovernmental Fintech Working Group (IFWG) (formed in 2016 to understand the growing role of Fintech and innovation in SA) has stated that it intends to launch an online portal, which will include a regulatory sandbox to offer regulatory relief within the existing legislative framework. The IFWG's intended use of this regulatory sandbox is, however, limited to progressing innovation in relation to financial services products and services. As such, the scope of the IFWG's proposed regulatory sandbox is too narrow to cater for all AI innovations that process personal information outside of the financial services sector. Also, although the IFWG is made up of various regulators, the Information Regulator, established under POPIA, is not one of them, meaning that even those that use this sandbox may still face sanctions from the South African Information Regulator.
The UK's Information Commissioner's Office (ICO) (a non-departmental public body which ensures that information rights in the public interest, openness by public bodies and data privacy for individuals are upheld) has developed a regulatory sandbox. It provides support to organisations that create products/services that utilise personal data in innovative ways. In the ICO's regulatory sandbox, organisations can access expertise and support and gain an increased understanding of the data protection frameworks. The ICO's central focus area for the regulatory sandbox 2020-2021 is innovators developing products/services that are applicable to the rights and freedoms of children and young people online and supporting complex data sharing in the interests of the public.
One example of a participant in the ICO's regulatory sandbox is Heathrow Airport. The Heathrow Sandbox Plan aims to create a trouble-free journey for passengers by increasing the speed, efficiency and security of the airport's terminals and reducing congestion. The plan to achieve this is to provide passengers with self-service bag drop units and self-boarding gates and the capability to verify their identity using biometrics. Engaging with the sandbox includes confirming and reaffirming the General Data Protection Regulation (GDPR) provisions regarding the use of biometric data to uniquely identify an individual. The regulatory sandbox also allows trial and error and lets innovators work through issues that might arise when participating in the sandbox. In this instance, these issues included data protection issues – like controllership issues (ie, who is in control of the personal information) and the manner in which Heathrow would obtain permission from passengers to use their identity.
Using the model of the ICO, the South African Information Regulator could create a regulatory sandbox to support organisations that are creating products/services which utilise personal information in innovative ways. POPIA requires the Information Regulator to conduct research into information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised and to provide education on the protection of personal information. The Information Regulator is also required to investigate and act against responsible parties for non-compliance with POPIA. Data subjects can lodge complaints with the regulator to ensure that their rights are protected. However, to ensure that technology innovators enjoy the real benefits of a sandbox, the Information Regulator would need to consider how much leniency from regulatory enforcement sandbox participants will be granted when testing their products/services in a POPIA sandbox.
As a practical example of how the sandbox could work, in our article "Artificial Intelligence has POPIA implications", we noted that businesses implementing an AI system could be required to obtain prior authorisation from the Information Regulator if they process a data subject's unique identifiers (eg, an identity number). In a sandbox environment, when testing an innovative product/service that processes unique identifiers, the Information Regulator would be deemed to have given its authorisation to such businesses. This would allow these innovators to focus on developing their AI products/services knowing their data privacy concerns are being addressed.
The Information Regulator could also consider proposing regulatory sandboxes to attract innovative AI solutions that combat problems in dire need of solutions in South Africa, such as corruption, unemployment and economic inequality. With South Africa's economy in need of a lifeline, the regulatory sandbox may help to foster much-needed innovation and stimulate the ICT sector without compromising POPIA.