Regulatory Sandbox

The Indian government’s approach to using imprecise language in law-making - particularly in technology regulation - can lead to unintended consequences. If we can use regulatory “sandboxes” to safely test new technologies to be tested within controlled environments it would foster innovation and create more precise and effective regulations.

This article was first published in The Mint. You can read the original at this link.


One of my personal peeves—and I have been vocal about it in this column—is our government’s sometimes casual attitude to law-making. Far too often have we found ourselves having to deal with the unintended consequences of lazy legislation built on poorly chosen words applied without thinking through the implications of their syntax. Nowhere is this more acutely evident than in the context of technology regulation where rapidly changing technology makes the consequences of lax drafting all the more potent.

To be fair, it is difficult to accurately foretell all the various nuances that the words and phrases used in regulations will be called upon to provide. Or indeed, the different contexts in which they will be made to apply. Legislators have to not only find the right words to accurately represent the intent of a given policy, they must then ensure that the language they choose remains relevant in circumstances as yet unimagined and notoriously hard to predict. It isn’t surprising that they often get it wrong.

This is probably why Indian legislators use expansive construction while drafting in an attempt to ensure that they have captured as much as possible within the text of the regulation. They hope that this way, no scenario, no matter how unforeseen, will slip between the cracks. But in doing so, they have unwittingly fostered a culture that hoovers into the regulatory net, much that should have, rightfully, been left outside. Regulation must be wielded like a scalpel, making precise incisions only where governance is needed, allowing everything else to operate without legal constraints. A failure to do so leads to uncertainty that is fatal to business and to the freedoms guaranteed to us under the Constitution.

We’ve grown used to over-broad laws, the hope of lenient enforcement and the expectation that our judiciary will write down egregious provisions whenever the legislature goes too far (as it did, most recently, with Section 66A of the Information Technology Act). I’d argue that this is not how things should be. It behooves our legislators to get it right the first time.

In a parallel, that is not immediately evident, the software industry has to work under constraints not dissimilar to those facing our law makers.

Applications that work on software platforms and operating systems could, if not carefully designed, have widespread repercussions on users and the entire ecosystem. Yet rarely do we hear of major incidents in spite of the large volume of apps uploaded onto digital stores every day. Key to this high success rate is the software sandbox.

The first time I used a sandbox was on Wikipedia. For newbies, Wikipedia has a walled-off section where you can practice your editing skills till you get the hang of the Wiki mark-up language. Nothing you do here poses a threat to the content on the public areas of the site as it is a safe zone within which your edits are ring-fenced to ensure that your experiments have no harmful side-effects. Many software companies today offer app sandboxing facilities in which third parties can test their applications before they are released. This allows them to protect their users from the risk of newly introduced code turning accidentally malicious. Some refuse to allow apps to be deployed until they have been fully tested and certified in the sandbox.

With the explosive growth of fintech, we have had to rapidly figure out ways to maximize the benefits of these new technologies while ensuring that we limit the damage that could be caused if rogue code is accidentally deployed.

In the UK and Singapore, regulators are using the opportunity to experiment with path-breaking regulatory innovations. They have introduced the concept of a regulatory sandbox within which new fintech applications can be tested. Inside this controlled environment, regulators relax applicable laws or deploy new ones specific to the applications being tested and then observe how the software functions in the new framework. Where necessary, both regulators and developers, can tweak the regulations and the code to optimise outcomes, without fear of real world repercussions.

There is no reason why this approach cannot be used more widely across the innovation ecosystem. Regulatory sandboxes offer developers the incentive to innovate where otherwise they would have been forced to pivot in the face of insurmountable legal hurdles.

If, rather than writing over-broad restrictions after the fact, regulators offer innovators a safe space within which they can test their inventions and where the law makers can simultaneously test new rules that will govern these new technologies, it will foster an environment of cooperative innovation and entrepreneurship. And in the process, will allow our regulations to evolve into the purpose-driven, risk-limiting form that we have been looking for.