Teresa Scassa - Blog

In November 2025, Canada’s federal government published a new Policy on Regulatory Sandboxes in anticipation of amendments to the Red Tape Reduction Act which had been announced in the 2024 budget. This development deserves some attention, particularly as the federal government embraces a pro-innovation agenda and shifts its approach to regulation of innovative technologies such as artificial intelligence (AI).

Regulatory sandboxes have received considerable attention since the first use of one by the Financial Conduct Authority the UK in 2017. Although they first took hold in the financial services sector, they have since attracted interest in other sectors. For example, several European data protection authorities have created privacy regulatory sandboxes (see, e.g., the UK Information Commissioner and France’s CNIL). In Canada, the Ontario Energy Board and the Law Society of Ontario – to give just two examples – both have regulatory sandboxes. Alberta also created a fintech regulatory sandbox by legislation in 2022. Regulatory sandboxes are expected to be an important component in AI regulation in the European Union. Article 57 of the EU Artificial Intelligence Act requires all member states to establish an AI regulatory sandbox – or at the very least to partner with one or more members states to jointly create such a sandbox.

Regulatory sandboxes are seen as a regulatory tool that can be effectively deployed in rapidly evolving technological contexts where existing regulations may create barriers to innovation. In some cases, innovators may hesitate to develop novel products or services where they see no clear pathway to regulatory approval. In many instances, regulators struggle to understand rapidly evolving technologies and the novel business methods they may bring with them. A regulatory sandbox is a space created by a regulator that allows selected innovators to work with regulators to explore how these innovations can be brought to market in a safe and compliant way, and to learn whether and how existing regulations might need to be adapted to a changing technological environment. It is a form of experimental regulation with benefits both for the regulator and for regulated parties.

This is the context in which the federal Policy has been introduced. It defines a regulatory sandbox in these terms:

[A] regulatory sandbox, in the context of this policy, is the practice by which a temporary authorization is provided for innovation (for example, a new product, service, process, application, regulatory and non-regulatory approaches) and is for the purpose of evaluating the real-life impacts of innovation, in order to provide information to the regulator to support the development, management and/or review and assessment of the results of regulations. This can also include for the purposes of equipping the regulatory framework to support innovation, competitiveness or economic growth.

It is important to remember that the policy is anchored in the Red Tape Reduction Act and has a particular slant that sets it apart from other sandbox initiatives. An example of the type of sandbox likely contemplated by this policy can be found in a new regulatory sandbox proposed by Transport Canada to address a very specific regulatory issue arising with respect to the design of aircraft. This sandbox is described as being for “minor change approvals used in support of a major modification.” It is narrow in scope, using modifications to existing regulations to try out a new regulatory process for the certification of major modifications to aircraft design. The end goal is to reduce regulatory burden and to relieve uncertainties caused by existing regulations. Data will be collected from the sandbox experiment to assess the impact of regulatory changes before they might be made permanent.

This approach frames sandboxing as a means to enable innovation by improving existing regulations and streamlining processes. While this is a worthy objective, there is a risk that the policy may be cast too narrowly by focusing on a regulatory sandbox as a means to improve regulation, rather than more broadly as a means of understanding how novel technologies or processes can be brought safely to market – sometimes under existing regulatory frameworks. This is reflected in the policy document, which states that sandboxes proposed under this policy “must demonstrate how regulatory regimes could be modernized”.

The definition of a regulatory sandbox in the Policy, reproduced above, essentially describes a data gathering process by the regulator “to support the development, management and/or review and assessment of the results of regulations.” This can be contrasted with the more open-ended definition adopted in the relatively recent standard for regulatory sandboxes developed by the Digital Governance Standardization Initiative (DGSI):

A regulatory sandbox is a facility created and controlled by a regulator, designed to allow the conduct of testing or experiments with novel products or processes prior to their entry into a regulated marketplace.

Rather than focus on the regulator conducting an assessment of its regulations, the DGSI definition is focused on innovative products and processes, and frames sandboxes in terms of their recognized mutual benefits for both regulators and innovators. The focus of the DGSI’s sandbox definition is on the bringing to market of novel products or processes. Although improving regulations and regulatory processes is a perfectly acceptable outcome of a regulatory sandbox, it is not the only possible outcome – nor is it even a necessary one. In this context, the new federal policy is rather narrow. It is focused on regulations themselves at the core of the sandbox experiments – rather than how innovative technologies challenge regulatory frameworks.

An example of this latter approach is found in the Ontario Bar Association’s regulatory sandbox for AI-enabled access to justice innovations (A2I). In some cases, innovations of this kind might be characterized as constituting the illegal practice of law, creating a barrier to market entry. In the A2I sandbox the novel products or services are developed and live-tested under supervision to assess whether they can be deployed in a way that is sufficiently protective of the public. The issue is partly a regulatory one – but it is not that any particular regulations necessarily require changing – rather, it is that innovators need a level of comfort that their innovation will not be blocked by existing regulations. At the same time, the regulator needs to understand the emerging technology and how they can fulfil their public protection mandate while supporting useful innovation. One out come of a sandbox process might be to learn that a particular innovation cannot safely be brought to market.

A similar paradigm exists with privacy regulatory sandboxes, which might either explore ways in which a novel technology can be designed to comply with the legislation, or examine how existing rules should be understood and applied in novel circumstances.

In all cases, the regulator may learn something about how existing regulations might need to adapt to an evolving technological context, and this too is a useful outcome. However, it does not have to be the principal goal of the regulatory sandbox. While the federal Policy is interesting, it seems narrowly focused. It appears to primarily be a tool conceived of to help streamline and improve regulatory processes (still a worthy goal) rather than a more ambitious sandboxing initiative. The policy is interesting and signals an openness to the concept of regulatory sandboxes. Unfortunately, it is still a rather narrow framing of the nature and potential of this regulatory tool.

Regulatory sandboxes are a relatively recent innovation in regulation (with the first one being launched by the UK Financial Authority in 2015). Since that time, they have spread rapidly in the fintech sector. The EU’s new Artificial Intelligence Act has embraced this new tool, making AI regulatory sandboxes mandatory for member states. In its most recent budget, Canada’s federal government also revealed a growing interest in advancing the use of regulatory sandboxes, although sandboxes are not mentioned in the ill-fated Artificial Intelligence and Data Act in Bill C-27.

Regulatory sandboxes are seen as a tool that can support innovation in areas where complex technology evolves rapidly, creating significant regulatory hurdles for innovators to overcome. The goal is not to evade or dilute regulation; rather, it is to create a space where regulators and innovators can explore how regulations designed to protect the public should be applied to technologies that were unforeseen at the time the regulations were drafted. The sandbox is meant to be a learning experience for both regulators and innovators. Outcomes can include new guidance that can be shared with all innovators; recommendations for legislative or regulatory reform; or even decisions that a particular innovation is not yet capable of safe deployment.

Of course, sandboxes can raise issues about regulatory capture and the independence of regulators. They are also resource intensive, requiring regulators to make choices about how to meet their goals. They require careful design to minimize risks and maximize return. They also require the interest and engagement of regulated parties.

In the autumn of 2023, Elif Nur Kumru and I began a SSHRC-funded project to explore the potential for a privacy regulatory sandbox for Ontario. Working in partnership with the Office of Ontario’s Information and Privacy Commissioner, we examined the history and evolution of regulatory sandboxes. We met with representatives of data protection authorities in the United Kingdom, Norway and France to learn about the regulatory sandboxes they had developed to address privacy issues raised by emerging technologies, including artificial intelligence. We identified some of the challenges and issues, as well as key features of regulatory sandboxes. Our report is now publicly available in both English and French.

On March 30, 2022 Alberta introduced Bill 13, the Financial Innovation Act. The Bill aims to create a regulatory sandbox for innovators in the growing financial technology (fintech) sector. This is a sector in which there is already considerable innovation and development – with more to come as Canada moves towards open banking. (Canada just appointed a new open banking lead on March 22, 2022). In addition to open banking, we are seeing a proliferation of cryptocurrencies, growing interest in central bank digital currencies, and platform-based digital currencies.

The concept of a regulatory sandbox is gaining traction in different sectors. Some forms of innovation in the new digital and data-driven economy run up against regulatory frameworks designed for more conventional forms of technological development. The existing regulatory system becomes a barrier to innovation – not because the innovation is necessarily harmful or undesirable, but simply because it does not fit easily within the conventional framework. A regulatory sandbox is meant to give innovators some regulatory flexibility to develop their products or services, while at the same time allowing regulators to experiment with tailoring regulation to the emerging technological environment.

Some examples of regulatory sandboxes in Canada include one developed by the Canadian Securities Administration largely for the emerging fintech sector (the CSA Regulatory Sandbox), a Health Canada regulatory sandbox for advanced therapeutic products, and the Law Society of Ontario’s legal tech regulatory sandbox. These are sandboxes developed by regulatory bodies which provide flexibility within their existing regulatory frameworks. What is different about Alberta’s Bill 13 is that it legislates a broader regulatory sandbox. The Bill provides for qualified participants to receive exemptions from rules within multiple existing regulatory frameworks, including rules under the Loan & Trust Corporation Act and the Credit Union Act (among others – see s. 8 of the Bill)– as well as provincial privacy legislation.

Access to and use of personal data will be necessary for fintech apps, and existing privacy legislation can create challenges in this context. Certainly, for open banking to work in Canada, the federal government’s Personal Information Protection and Electronic Documents Act will need to be amended. Bill C-11, which died on the order paper in late 2021 contained an amendment that would have allowed for the creation of sector-specific data mobility frameworks via regulation. An amendment of this kind, for example, would have facilitated open banking. With such an approach, privacy protection is not abandoned; rather, it is customized.

Alberta’s Bill 13 appears to be designed to provide some form of customization in order to protect privacy while facilitating innovation. Section 5 of the Bill provides that when a company seeks an exemption from provisions of the Personal Information Protection Act (PIPA), this application for exemption must be reviewed by Alberta’s Information and Privacy Commissioner. The Commissioner is empowered to require the company to provide it with all necessary information to assess the request. The Commissioner may then approve or deny the exemption outright, or approve it subject to terms and conditions. The Commissioner may also withdraw any previously granted approval. The role of the IPC is thus firmly embedded in the legislation. Section 8, which empowers the Minister to grant a certificate of acceptance to a sandbox participant, provides that the Minister may grant an exemption to any provision of PIPA only with the prior written approval of the Commissioner and only on terms and conditions jointly agreed to by the Minister and the Commissioner. Similarly, the Minister’s power to add, amend or revoke an exemption to PIPA in s. 10(4) of the Act can only be exercised in conjunction with the Information and Privacy Commissioner. The Commissioner retains the power to withdraw a written approval (s. 10(5)) and doing so will require the Minister to promptly revoke the exemption.

Bill 13 also provides for transparency with respect to regulatory sandbox exemptions via requirements to publish information about sandbox participants, exemptions, terms and conditions imposed on them, expiry dates, and any amendments, revocations or cancellations of certificates of acceptance.

Given the federal-provincial division of powers, the scope of Bill 13 is somewhat limited, as it cannot provide exemptions to federal regulatory requirements. While Credit Unions are under provincial jurisdiction, banks are federally regulated, and the federal private sector data protection law – PIPEDA – also applies to interprovincial flows of data. Nevertheless, s. 19 of the Bill provides for reciprocal agreements between Alberta and “other governments that have a regulatory sandbox framework, or agencies of those other governments”. There is room here for collaboration and co-operation.

Bill 13 is clearly designed to attract fintech startups to Alberta by providing a more supple regulatory environment in which to operate. This is an interesting bill, and one to watch as it moves through the legislature in Alberta. Not only is it a model for a legislated regulatory sandbox its approach to addressing privacy issues is worth some examination.