WITH THE EXPANSION of artificial intelligence (AI) worldwide, countries have started to consider the use of regulatory sandboxes to examine AI applications in various contexts. An interesting question is what insights AI sandboxes might obtain from the experience of regulatory sandboxes in the financial sector, particularly in the context of financial technology or fintech (for a discussion about fintech, see China Business Law Journal, volume 7, issue 8: Fintech and smart contracts).
This column discusses the concept of a regulatory sandbox, the AI sandbox framework as provided in the EU Artificial Intelligence Act (EU AI Act) and the challenges that are likely to arise in the context of AI sandboxes.
Regulatory sandboxes
In recent years, regulators across the globe have instituted “regulatory sandboxes”. These sandboxes provide businesses (including entrepreneurs and startup firms) with a controlled experimental environment in which to trial novel products, services and technologies. Under most sandbox models, a business operating within the regulatory sandbox is exempt from the requirement to comply with various licensing and other regulations.
There are now about 100 sandbox programmes operating across some 60 countries, including both developed and developing nations. At present, the landscape includes not only national sandbox initiatives but also collaborative cross-border programmes.
Some countries operate multiple sandboxes, requiring regulatory co-operation between the regulators which have responsibility for administering the various sandboxes. For example, each of the three financial services regulators in Hong Kong – the Hong Kong Monetary Authority, the Insurance Authority and the Securities and Futures Commission – has established a regulatory sandbox and introduced a single point of entry “for cross-sector fintech solutions” in respect of the separate sandboxes administered by each regulator.
As noted by the HKMA on its website: “If a firm intends to conduct a pilot trial of a cross-sector fintech product, it may apply to seek access to the sandbox it considers most relevant. The regulator will act as the primary point of contact and assist in liaising with the other regulators for the firm to access the sandboxes concurrently.”
Sandboxes typically involve four phases: (1) an application phase, where companies apply for acceptance to the programme; (2) a preparation phase, where companies accepted into the programme prepare for the pilot; (3) a testing phase, which includes close work with the regulator; and (4) an exit and evaluation phase. Following the announcement of a regulatory sandbox programme by the regulator, businesses are invited to apply to participate in the programme. A typical sandbox programme will detail the procedures for applying and the criteria for acceptance. These usually include the innovativeness of the product or technology, and also proof of the potential for success.
For businesses, the sandboxes provide an environment where they can test their new developments without having to meet all of the applicable regulatory requirements. Moreover, working within a sandbox facilitates collaboration with the regulators. This collaboration allows businesses to gain a deep understanding of regulatory expectations and requirements as they develop their products, and to integrate those expectations and requirements into their product development process.
The EU AI sandbox
In 2019, the Organisation for Economic Co-operation and Development recommended that governments “consider using experimentation to provide a controlled environment in which AI systems can be tested and scaled up”. The EU has gone even further, with its AI Act requiring member states to establish AI sandboxes and detailing the objectives of the regulatory sandbox as follows:
(1) Improving legal certainty to achieve regulatory compliance with this regulation or, where relevant, other applicable EU and national law;
(2) Supporting the sharing of best practices through co-operation with the authorities involved in the AI regulatory sandbox;
(3) Fostering innovation and competitiveness, and facilitating the development of an AI ecosystem;
(4) Contributing to evidence-based regulatory learning; and
(5) Facilitating and accelerating access to the EU market for AI systems, particularly when provided by SMEs (small and medium-sized enterprises), including startups.
In relation to regulatory co-operation, article 57(4) of the EU AI Act provides as follows:
“Where appropriate, national competent authorities shall co-operate with other relevant authorities, and may allow for the involvement of other actors within the AI ecosystem. This article shall not affect other regulatory sandboxes established under Union or national law. Member states shall ensure an appropriate level of co-operation between the authorities supervising those other sandboxes and the national competent authorities.”
Challenges with AI sandboxes
The emergence of AI presents a number of challenges for the design of AI sandboxes. First, AI technology creates significant risks that require the attention of regulators. As a result of the complexity and potential consequences of AI systems, regulators must carefully consider the ethical and legal implications of their deployment and ensure that the systems operate within a framework that protects public interests and mitigates potential harms.
For example, the EU AI Act allows for personal data collected for other purposes to be processed within AI regulatory sandboxes, but under strict conditions. In addition, personal data can only be shared in compliance with EU data protection laws, must not affect data subjects’ rights and must be deleted once the sandbox participation ends. Within the framework of the regulatory sandbox, relaxations from these requirements may be granted if the regulator deems it appropriate.
Second, AI development involves regulators across a range of areas, including privacy, data protection and cybersecurity. This requires regulatory co-operation between regulators. Regulatory co-operation is important to achieve a co-ordinated approach to assessing and testing AI projects. This includes dealing with a range of issues relating to testing, such as the eligibility requirements for entering the sandbox, the length of testing, and how firms should transition out of the sandbox.
Regulatory co-operation is also important for the purpose of reducing the risk of regulatory overlap and inconsistency, which can have an adverse impact in terms of stifling innovation.
An important issue to address is how to achieve regulatory co-operation. Should it be through the use of “hard law”, as embodied within prescriptive legislation, or through soft law in the form of regulatory memoranda of understanding?
In terms of regulatory co-operation in the context of AI sandboxes, it is possible that soft law, involving the use of regulatory memoranda of understanding and co-ordinating bodies, will prove more useful than hard law in the form of prescriptive legislation. This is because of the benefits of soft law, including its flexibility and ability to respond to fast-moving developments.
Although mainland China does not have a national AI sandbox framework, the possibility of utilising sandboxes in the context of AI has been recognised at the regional level. For example, article 56 of the Shanghai Regulations on Promoting the Development of the AI Industry, issued in 2022, provides as follows:
“The municipal people’s government and relevant departments should formulate, amend or abolish relevant regulatory rules and standards in response to new technologies, new industries, new business forms and new models of artificial intelligence, in line with the characteristics of the rapid iteration of artificial intelligence, and explore multi-level governance and sandbox supervision, stimulate innovation by various entities, and expand the development space for artificial intelligence.”
At the same time, the regulations recognise the importance of standards in areas such as data security and privacy protection.
It will be interesting to follow regional developments concerning the use of AI sandboxes in other places in mainland China, and whether these local developments lead to the establishment of a national regulatory sandbox framework.
This column is based on an academic paper, co-written by the columnist and Professor Ruth Plato-Shinar of the Netanya Academic College in Israel, which examines models for regulatory co-operation in AI sandboxes.

Andrew Godwin previously practised as a foreign lawyer in Shanghai (1996 – 2006) before returning to his alma mater, Melbourne Law School in Australia, to teach and research law. Andrew is currently Joint Associate Director of the Corporate Law and Financial Regulation Research Programme at the Melbourne Centre for Commercial Law and Honorary Associate Director (Commercial law) of the Asian Law Centre. Andrew has acted as a consultant to a broad range of organisations, regulators and governments in Australia and abroad. He served as Special Counsel and Acting General Counsel of the Australian Law Reform Commission between 2020 and 2024.


















