Can a new sandbox initiative make traffic safer whilst preserving privacy?
The Data Protection Agency has launched a new regulatory sandbox project in partnership with Volvo, Ericsson and CanaryBit. The aim is to explore how traffic data can be shared between stakeholders such as transport authorities and other public actors in a way that both enhances road safety and safeguards personal privacy.
Many vehicles already generate vast volumes of data through on-board cameras and positioning systems. These data can help anticipate risks, prevent accidents and create smoother traffic flows. At the same time, they are sensitive because they often include personal data, for example information about drivers, number plates or images of individuals in traffic.
To address this tension, the participants are testing whether a Trusted Execution Environment (TEE) can enable secure processing of data in a protected environment, reducing the risk of unauthorised access. A TEE is a form of privacy-enhancing technology (PET).
This is the second sandbox project run by the Data Protection Agency this autumn, made possible by an increased budget allocation. The ambition is to compile the conclusions from the projects in public reports that others can benefit from – across the automotive industry, the public sector and the tech sector.
What is a Trusted Execution Environment?
TEE is a technical solution that enables data to be processed in a specially protected part of a device – isolated from other applications and the operating system. This means that even if a computer, mobile phone or in-vehicle system is compromised by malicious code, information within the TEE remains inaccessible to unauthorised parties. The technology is already used today in, for example, banking services, payment solutions and digital identity solutions to protect sensitive information. The same principle can be applied in the traffic domain to ensure that personal data are processed in a privacy-preserving manner without loss of functionality.
From a data protection perspective, TEE is particularly compelling because processing occurs in a “sealed” environment. Both the data and the algorithms used to process them are kept separate from the rest of the system. This isolation significantly reduces the risk of data leakage, unauthorised access or manipulation. At the same time, TEE could enable sensitive data – for example positioning data, number plates or vehicle video streams – to be analysed, aggregated and anonymised without identifying individuals.
For companies and public authorities, PETs offer concrete opportunities to develop data-driven services without compromising privacy protections. That is the balance the sandbox trials now seek to establish in practice.
The participants in the project are Volvo, Ericsson and CanaryBit.
The project sits within the Data Protection Agency’s regulatory sandbox, where companies can develop and test innovations under the authority’s guidance. New techniques can be examined in a controlled environment before broader market deployment.
With the help of TEE, the project aims to find solutions that deliver both commercial and societal value. If traffic data can be shared responsibly, the door opens to, among other things:
- Greater road safety – by detecting risks and alerting both drivers and authorities.
- Reduced accident risk – by sharing real-time data with, for example, transport administrations.
- More efficient urban traffic – through smarter traffic planning in complex environments.
- Automotive innovation – via new digital services for both drivers and society.
The path is not straightforward. Privacy risks are numerous and require both technical and legal solutions. The outcomes of such projects are often of interest to actors beyond the participants’ own sectors, as they provide insight into how the Data Protection Agency assesses the technology under test, in this case TEE.
Innovation and GDPR – the Data Protection Officer’s role
A key issue in similar initiatives is how to reconcile innovation with the GDPR and strong privacy protections. Expertise from a consultant acting as Data Protection Officer (DPO) can make a material difference. By engaging as early as the development phase, a DPO can:
- Ensure GDPR requirements are met from the outset.
- Contribute to risk assessments and data protection impact assessments (DPIAs).
- Identify legal grey areas where practice is not yet established.
- Give organisations confidence ahead of wider rollout.
The project shows that the future of road safety is not only about technical progress, but also about building systems where privacy and innovation go hand in hand. By combining new technical solutions with clear guidance from the Data Protection Agency, both society and business can realise the benefits without jeopardising individual rights.
The next opportunity for companies to apply for a place in the regulatory sandbox will be in spring 2026. Expressions of interest open in November 2025 on the authority’s website.