What is anticipatory regulation?
This type of legislation aims to resolve the conflict between lumbering legislative process and rapidly evolving tech
Technology moves fast these days – and it’s going to move even faster in the future. The process of drawing up regulation to address these new technologies, by contrast, is slow and bureaucratic, and often runs far behind the development curve. This disparity can be a major problem, as regulations are needed to protect our freedoms and rights, particularly in respect of our data and how it’s used. But regulation that’s not fit for purpose can hamper development of beneficial new products and services, or inadvertently create issues that affect competition and service operation.
Anticipatory regulation, a new model for developing regulatory frameworks, is designed to overcome these problems. It is forward looking and aims to allow technological development while also ensuring the creation and implementation of effective regulation.
Keeping a few paces ahead
The concept behind anticipatory regulation is it allows lawmakers and regulators to see the direction of travel of technology development, which helps them develop forward looking regulation. “It gives policymakers and regulators an insight into emerging technologies,” explains Tiernan Kenny, public policy manager at tech public policy firm Access Partnership. “This means that they are less likely to be forced into reactive rushed regulatory responses when a new technology emerges on to the market and upsets the status quo or causes harm.”
It can also provide useful guidance to developers, helping to ensure they don’t take a route which might lead to difficulties complying with regulation when trying to bring products to market. One way of doing this is through sandboxing. Samantha Walsh, a regulation and transformation expert at PA Consulting, says: “A number of progressive regulators use sandboxes to support tech firms to experiment in a safe environment. For example, after the ICO found that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act in sharing patient data with Google DeepMind, they set up a regulatory sandbox to help firms innovate using data within DPA boundaries and build public trust in innovation.”
One of the areas where anticipatory regulation has been particularly well used is in financial services. Explaining the reason for this, Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Centre, says: “Anticipatory regulation is most successful when there are a strong set of goals with existing regulatory frameworks. This is why it has seen success within financial services. Everyone can agree on what negative outcomes are to be avoided and thus can invest in understanding how a technology benefits society.”
The healthcare sector is another prime candidate, and there is a particularly pertinent aspect to this at the moment. “With COVID-19 lockdowns creating demand for tele-medicine solutions and health management apps, concerns around the protection of patient data, both at rest within a provider and as it is processed by those within both the provider network and the digital supply chain of applications, present opportunities for healthcare regulators to better define what the public should expect from large scale tele-medicine and tele-health solutions,” says Mackey.
It’s also possible to identify not only individual sectors that could be particularly attuned to anticipatory regulation, but also certain technologies. The thorny issue of artificial intelligence (AI) stands out in particular. James Moar, lead analyst at Juniper Research, says it could, “clarify several questions around responsibility for data processing, blame, and ownership of the products of AI, before it becomes burdened with a body of case law and precedent from laws that were not created with AI in mind”.
Mind the gap
In setting up an anticipatory legislation framework it’s important for regulators to be mindful of potential issues. Moar points out that the regulation doesn’t have to be specific to the tech sector to create issues within it. One example, he says, is “the way that digital platforms like Facebook have been able to avoid responsibility for content on their platforms by citing Section 230 of the Communications Decency Act, which is widely credited with creating the free and open internet today”.
Importantly, once in place it’s hard to roll legislation back, which can create difficulties in bringing about meaningful legislative change in some industries; so it’s important to get the regulation right first time around. Mackey adds another note of caution, saying: “Regulators aren’t innovators and shouldn’t attempt to define implementation details for any new technology. Instead they should focus their attention on areas of concern and collaborate with innovators in defining methods to measure compliance.”
The IT Pro Podcast: Happy birthday GDPR
As GDPR turns two, we look back on its impact and how it’s changed data protection - if at allListen now
While enabling frameworks like sandboxes can be very helpful, Kenny notes there is always a risk they are too restrictive, meaning companies aren’t sufficiently incentivised to use them and regulators don’t gather enough data or insights into how business models perform under different regulatory frameworks.
All in all, anticipatory regulation has benefits for both regulators and developers, providing it’s implemented carefully and sensitively, with a hand that is firm but not too firm, supportive of innovation but not too lax, and, above all, with its eye firmly on the future.