Will public buyers be covered by new EU cybersecurity requirements? (Spoiler alert: some will, all should)

EU legislators have reached provisional agreement on a significant revamp of cybersecurity rules, likely to enter into force at some point in late 2024 or 2025. The future Directive (EU) 2022/... of the European Parliament and of the Council of .... on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS 2 Directive) will significantly expand the obligations imposed on Member States and on ‘essential’ and ‘important’ entities.

Given the importance of managing cybersecurity as public buyers complete their (late) transition to e-procurement, or further progress down the procurement digitalisation road, the question arises whether the NIS 2 Directive will apply to public buyers. I address that issue in this blog post.

Conflicting definitions?

Unlike other recent legislative instruments, which adopt the definitions under the EU procurement rules to establish the scope of the ‘public sector bodies’ to which they apply (such as the Open Data Directive, Art 2(1) and (2); or the Data Governance Act, Art 2(17) and (18)), the NIS 2 Directive establishes its own approach. Art 4(23)* defines ‘public administration entities’ as:

an entity recognised as such in a Member State in accordance with national law, that complies with the following criteria:

(a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;

(b) it has legal personality or it is entitled by law to act on behalf of another entity with legal personality;

(c) it is financed, for the most part, by the State, regional authority, or by other bodies governed by public law; or it is subject to management supervision by those authorities or bodies; or it has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities, or by other bodies governed by public law;

(d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.

Procurement lawyers will immediately raise their eyebrows. Does the definition capture all contracting authorities covered by the EU procurement rules?

Some gaps

Let’s take Directive 2014/24/EU for comparison [see A Sanchez-Graells, ‘Art 2’ in R Caranta and idem (eds), European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021) 2.06-2.18].

Under Arts 1(1) and 2(1)(2), it is clear that Directive 2014/24/EU applies to ‘contracting authorities’, defined as ‘the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law’.

Regarding the ‘State, regional or local authorities’, it seems clear that the NIS 2 Directive in principle covers them (more below), to the extent that they are recognised as a ‘public administration entity’ under national law. This does not seem problematic, although it will of course depend on the peculiarities of each Member State (not least because Directive 2014/24/EU operates a list system and refers to Annex I to establish what are central government authorities).

‘Bodies governed by public law’ are also largely covered by the definition of the NIS 2 Directive, as the material requirements of the definition map on to those under Art 2(1)(4) of Directive 2014/24/EU. However, there are two key deviations.

The first one concerns the addition of the requirement (d) that the body must have ‘the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital’. In my view, this is unproblematic, as all decisions concerning a procurement process covered by the EU rules have the potential to affect free movement rights and, to the extent that the body governed by public law can make those decisions, it meets the requirement.

The second deviation is that, under the ‘financing and control’ criterion (c), the NIS 2 Directive does not include finance or control by local authorities. This leaves out local-level bodies governed by public law, but only those that are not financed or influenced by other (local-level) bodies governed by public law (which is odd). However, this is aligned with the fact that the NIS 2 Directive does not cover local public administration entities (Art 2(2a)* NIS 2 Directive), although it foresees that Member States can extend its regime to local authorities. In such a case, the definitions would have to be carefully reworked in the process of domestic transposition.

A final issue is then whether the definition in the NIS 2 Directive covers ‘associations formed by one or more [central or sub-central] authorities or one or more such bodies governed by public law’. Here the position is much less clear, and it seems to depend on a case-by-case assessment of whether a given association meets all requirements under the definition, which can prove problematic and raise difficult interpretive questions—despite eg having extended the legal personality criterion (b) to the possibility of being ‘entitled by law to act on behalf of another entity with legal personality’. It is thus possible that some associations will not be covered by the NIS 2 Directive, eg if their status under domestic law is unclear.

More gaps

Although the NIS 2 Directive definition in principle covers the State and regional authorities (as above), it should be stressed that the scope of application of the Directive only extends to public administration entities of central governments, and those at regional level ‘which following a risk based assessment, provide services the disruption of which could have a significant impact on critical economic or societal activities’ (Art 2(2a)* NIS 2 Directive).

In relation to regional procurement authorities, then, the question arises whether Member States will consider that the disruption of their activities ‘could have a significant impact on [other] critical economic or societal activities’. I submit that this will necessarily be the case, as the procurement function enables the performance of the general activities of the public administration and the provision of public services. However, there seems to be some undesirable wriggle room that could create legal uncertainty.

Moreover, the NIS 2 Directive does not apply ‘to public administration entities that carry out their activities in the areas of defence, national security, public security, or law enforcement, including the investigation, detection and prosecution of criminal offences’ (Art 2(3a)* NIS 2 Directive). This is another marked deviation from the treatment of entities in the defence and security sectors under the procurement rules [see B Heuninckx, ‘Art 15’ in Caranta and Sanchez-Graells, Commentary, above].

At a minimum, the reference to entities carrying out ‘the investigation, detection and prosecution of criminal offences’ raises questions on the applicability of the NIS 2 Directive to public buyers formally inserted in eg the Ministry of Justice and/or the judiciary, at Member State level. Whether this is a relevant practical issue will depend on the relevant national context, but it would have been preferable to take an approach that directly mapped onto the scope of Directive 2009/81/EC in determining the relevant activities.

Why is this a problem?

The potential inconsistencies between the scope of application of the NIS 2 Directive and the EU procurement rules are relevant in the context of the broader digitalisation of procurement, but also in the narrow context of the entry into force of the new rules on eForms (see here) and the related obligations under the Open Data Directive, which will require public buyers to make data collected by eForms available in electronic format.

Cutting a long story short, it has been stressed by eg the OECD that opening information systems to make data accessible may ‘expose parts of an organisation to digital security threats that can lead to incidents that disrupt the availability, integrity or confidentiality of data and information systems on which economic and social activities rely’. Moreover, given that the primary purpose of making procurement data open is to enable the development of AI solutions, such risks need to be considered in that context and cybersecurity of data sources has been raised as a key issue by eg the European Union Agency for Cybersecurity (ENISA).

Given that all procurement data systems will be interconnected (via APIs), and that they can provide the data architecture for other AI solutions, cybersecurity risks are a systemic issue that would benefit from a systemic approach. Having some (or most) but not all public buyers comply with high standards of cybersecurity may not eliminate significant vulnerabilities if the remaining points of access generate relevant cybersecurity risks.

How to fix it?

In my view, Member States should extend the obligations under the NIS 2 Directive not only to their local ‘public administration entities’, as envisaged by the Directive, but to all entities covered by significant data governance rules, such as the Open Data Directive. This would ensure high levels of cybersecurity to protect the integrity of the new procurement open data systems. It would also have the added benefit of ensuring alignment with the EU procurement rules and, in that regard, it would contribute to a clear regulatory framework for the governance of digital procurement across the EU.

_________________________

* Please note that Articles in the provisional text of the NIS 2 Directive will have to be renumbered.

Digital procurement governance: drawing a feasibility boundary

In the current context of generalised quick adoption of digital technologies across the public sector and strategic steers to accelerate the digitalisation of public procurement, decision-makers can be captured by techno hype and the ‘policy irresistibility’ that can ensue from it (as discussed in detail here, as well as here).

To moderate those pressures and guide experimentation towards the successful deployment of digital solutions, decision-makers must reassess the realistic potential of those technologies in the specific context of procurement governance. They must also consider which enabling factors must be put in place to harness the potential of the digital technologies—which primarily relate to an enabling big data architecture (see here). Combined, the data requirements and the contextualised potential of the technologies will help decision-makers draw a feasibility boundary for digital procurement governance, which should inform their decisions.

In a new draft chapter (num 7) for my book project, I draw such a technology-informed feasibility boundary for digital procurement governance. This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Revisiting the promise: A feasibility boundary for digital procurement governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4232973.

Data as the main constraint

It will hardly be surprising to stress again that high-quality big data is a pre-requisite for the development and deployment of digital technologies. All digital technologies of potential adoption in procurement governance are data-dependent. Therefore, without adequate data, there is no prospect of successful adoption of the technologies. The difficulties in generating an enabling procurement data architecture are detailed here.

Moreover, new data rules only regulate the capture of data for the future. This means that it will take time for big data to accumulate. Accessing historical data would be a way of building up (big) data and speeding up the development of digital solutions. Further, in some contexts, such as in relation to very infrequent types of procurement, or in relation to decisions concerning previous investments and acquisitions, historical data will be particularly relevant (eg to deploy green policies seeking to extend the useful life of current assets through programmes of enhanced maintenance or refurbishment; see here). However, there are significant challenges linked to the creation of backward-looking digital databases, relating not only to the cost of digitisation of the information, but also to technical difficulties in ensuring the representativity and adequate labelling of pre-existing information.

An additional issue to consider is that a number of governance-relevant insights can only be extracted from a combination of procurement and other types of data. This can include sources of data on potential conflicts of interest (eg family relations, or financial circumstances of individuals involved in decision-making), information on corporate activities and offerings, including detailed information on products, services and means of production (eg in relation to licensing or testing schemes), or information on levels of utilisation of public contracts and satisfaction with the outcomes by those meant to benefit from their implementation (eg users of a public service, or ‘internal’ users within the public administration).

To the extent that the outside sources of information are not digitised, or not in a way that is (easily) compatible or linkable with procurement information, some data-based procurement governance solutions will remain undeliverable. Some developments in digital procurement governance will thus be determined by progress in other policy areas. While there are initiatives to promote the availability of data in those settings (eg the EU’s Data Governance Act, the Guidelines on private sector data sharing, or the Open Data Directive), the voluntariness of many of those mechanisms raises important questions on the likely availability of data required to develop digital solutions.

Overall, there is no guarantee that the data required for the development of some (advanced) digital solutions will be available. A careful analysis of data requirements must thus be a point of concentration for any decision-maker from the very early stages of considering digitalisation projects.

Revised potential of selected digital technologies

Once (or rather, if) that major data hurdle is cleared, the possibilities realistically brought by the functionality of digital technologies need to be embedded in the procurement governance context, which results in the following feasibility boundary for the adoption of those technologies.

Robotic Process Automation (RPA)

RPA can reduce the administrative costs of managing pre-existing digitised and highly structured information in the context of entirely standardised and repetitive phases of the procurement process. RPA can reduce the time invested in gathering and cross-checking information and can thus serve as a basic element of decision-making support. However, RPA cannot increase the volume and type of information being considered (other than in cases where some available information was not being taken into consideration due to eg administrative capacity constraints), and it can hardly be successfully deployed in relation to open-ended or potentially contradictory information points. RPA will also not change or improve the processes themselves (unless they are redesigned with a view to deploying RPA).

This generates a clear feasibility boundary for RPA deployment, which will generally have as its purpose the optimisation of the time available to the procurement workforce to engage in information analysis rather than information sourcing and basic checks. While this can clearly bring operational advantages, it will hardly transform procurement governance.
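By way of illustration, the following minimal sketch shows the kind of task that falls within that boundary: an automated cross-check of structured award data against an exclusion register. All records, field names and the register itself are hypothetical, and a real deployment would operate on the relevant e-procurement platform rather than on hard-coded Python data.

```python
# Minimal sketch of an RPA-style information cross-check (hypothetical data).
AWARD_NOTICES = [
    {"notice_id": "2023/S 001-000001", "winner_vat": "GB123456789", "value_eur": 250_000},
    {"notice_id": "2023/S 001-000002", "winner_vat": "GB987654321", "value_eur": 1_200_000},
]

DEBARMENT_REGISTER = {"GB987654321"}  # VAT numbers of excluded suppliers


def cross_check(notices, register):
    """Return notices whose winner appears in the debarment register.

    This automates an information check a human would otherwise perform
    manually; it involves no analysis or exercise of discretion.
    """
    return [n for n in notices if n["winner_vat"] in register]


for hit in cross_check(AWARD_NOTICES, DEBARMENT_REGISTER):
    print(f"Review needed: {hit['notice_id']} (winner {hit['winner_vat']})")
```

As the sketch makes plain, the automation only saves the time of sourcing and matching information; any decision on what to do with a match remains with the procurement workforce.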

Machine Learning (ML)

Developing ML solutions will pose major challenges, not only in relation to the underlying data architecture (as above), but also in relation to regulatory and governance requirements specific to public procurement. Where the operational management of procurement does not diverge from the equivalent function in the (less regulated) private sector, it will be possible to see the adoption or adaptation of similar ML solutions (eg in relation to category spend management). However, where there are regulatory constraints on the conduct of procurement, the development of ML solutions will be challenging.

For example, the need to ensure the openness and technical neutrality of procurement procedures will limit the possibilities of developing recommender systems other than in pre-procured closed lists or environments based on framework agreements or dynamic purchasing systems underpinned by electronic catalogues. Similarly, the intended use of the recommender system may raise significant legal issues concerning eg the exercise of discretion, which can limit their deployment to areas of information exchange or to merely suggestion-based tasks that could hardly replace current processes and procedures.

Given the limited utility (or acceptability) of collaborative filtering recommender solutions (which are the predominant type in consumer-facing private sector uses, such as Netflix or Amazon), there are also constraints on the generality of content-based recommender systems for procurement applications, both at tenderer and at product/service level. This raises a further feasibility issue, as the functional need to develop a multiplicity of different recommenders not only reopens the issue of data sufficiency and adequacy, but also raises questions of (economic and technical) viability.

Recommender systems would thus mostly be feasible to adopt only in highly centralised procurement settings. This could create a push for further procurement centralisation that is not neutral from a governance perspective, and that can certainly generate significant competition issues of a similar nature, but perhaps a different order of magnitude, than procurement centralisation in a less digitally advanced setting. This should be carefully considered, as the knock-on effects of the implementation of some ML solutions may only emerge down the line.
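Purely for illustration, here is a toy content-based recommender in Python, matching a query against hypothetical catalogue descriptions by cosine similarity of word counts. It is a sketch under those stated assumptions, not a production technique, but it makes visible why each product/service area would need its own rich, well-curated descriptive data.

```python
# Toy content-based recommender over hypothetical catalogue descriptions.
from collections import Counter
from math import sqrt


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two bags of words."""
    dot = sum(a[t] * b[t] for t in a)
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


CATALOGUE = {
    "laptop-standard": "portable computer 16gb ram office use",
    "laptop-rugged": "portable computer rugged field use waterproof",
    "desktop-basic": "desktop computer office use monitor included",
}


def recommend(query: str, top: int = 2):
    """Rank catalogue items by textual similarity to the query."""
    q = Counter(query.lower().split())
    scored = [(cosine(q, Counter(d.split())), item) for item, d in CATALOGUE.items()]
    return sorted(scored, reverse=True)[:top]


print(recommend("rugged portable computer for field inspections"))
```

The quality of the match depends entirely on the richness and consistency of the underlying descriptions, which is precisely the data sufficiency problem flagged above.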

Similarly, the development and deployment of chatbots is constrained by specific regulatory issues, such as the need to deploy closed domain chatbots (as opposed to open domain chatbots, ie chatbots connected to the Internet, such as the virtual assistants built into smartphones), so that the information they draw from can be controlled and quality assured in line with duties of good administration and other legal requirements concerning the provision of information within tender procedures. Chatbots are only suited to high-volume, information-based queries. They would have limited applicability in relation to the specific characteristics of any given procurement procedure, as preparing the specific information to be used by the chatbot would be a challenge—with the added functionality of the chatbot being marginal.

Chatbots could facilitate access to pre-existing and curated simple information, but their functionality would quickly hit a ceiling as the complexity of the information progressed. Chatbots would only be able to perform at a higher level if they were plugged into a knowledge base created as an expert system. But then, again, in that case their added functionality would be marginal. Ultimately, the practical space for the development of chatbots is limited to low added value information access tasks. Again, while this can clearly bring operational advantages, it will hardly transform procurement governance.
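As a minimal sketch of what a closed domain chatbot involves, the following Python snippet answers queries only from a small, curated knowledge base (all entries hypothetical) and falls back to a referral when no match is found; the quality ceiling is set entirely by the curated content.

```python
# Closed domain chatbot sketch: answers come only from a curated,
# quality-assured knowledge base (hypothetical entries), never the Internet.
KNOWLEDGE_BASE = {
    ("deadline", "submission", "tender"):
        "Tenders must be submitted by the deadline in section IV.2.2 of the contract notice.",
    ("clarification", "question", "ask"):
        "Clarification requests can be sent through the messaging module of the platform.",
}

FALLBACK = "Please contact the contracting authority directly."


def answer(query: str) -> str:
    """Pick the knowledge base entry with the largest keyword overlap."""
    words = {w.strip("?.,!") for w in query.lower().split()}
    best_score, best_answer = 0, FALLBACK
    for keywords, text in KNOWLEDGE_BASE.items():
        score = len(words & set(keywords))
        if score > best_score:
            best_score, best_answer = score, text
    return best_answer


print(answer("What is the submission deadline for this tender?"))
```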

ML could facilitate the development and deployment of ‘advanced’ automated screens, or red flags, which could identify patterns of suspicious behaviour to then be assessed against the applicable rules (eg administrative and criminal law in case of corruption, or competition law, potentially including criminal law, in case of bid rigging) or policies (eg policy requirements to comply with specific targets across a broad variety of goals). The trade-off in this type of implementation is between the potential (accuracy) of the algorithmic screening and legal requirements on the explainability of decision-making (as discussed in detail here). Where the screens were not used solely for policy analysis, but acting on the red flag carried legal consequences (eg fines, or even criminal sanctions), the suitability of specific types of ML solutions (eg unsupervised learning solutions tantamount to a ‘black box’) would be doubtful, challenging, or altogether excluded. In any case, the development of ML screens capable of significantly improving over RPA-based automation of current screens is particularly dependent on the existence of adequate data, which is still proving an insurmountable hurdle in many an intended implementation (as above).
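A minimal sketch of such a screen follows, under the assumption that an unsupervised anomaly detector is used (here, scikit-learn’s IsolationForest, precisely the kind of hard-to-explain technique the trade-off concerns) on hypothetical tender-level features. A flag would be a prompt for human assessment against the applicable rules, not a finding.

```python
# Sketch of an unsupervised red-flag screen on hypothetical tender features.
import numpy as np
from sklearn.ensemble import IsolationForest

# Columns: number of bidders, winner's discount vs estimate (%), days to award.
X = np.array([
    [5, 12.0, 40],
    [6, 10.5, 35],
    [4, 11.0, 45],
    [5, 13.0, 38],
    [1, 0.5, 7],  # lone bidder, near-estimate price, very fast award
])

screen = IsolationForest(contamination=0.2, random_state=0)
labels = screen.fit_predict(X)  # 1 = unremarkable, -1 = flagged

for row, label in zip(X, labels):
    if label == -1:
        print(f"Red flag for human review: {row.tolist()}")
```

Note that the model offers no reasons for a flag, which is the explainability problem in miniature: where acting on the flag has legal consequences, this opacity may rule the technique out.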

Distributed ledger technology (DLT) systems and smart contracts

Other procurement governance constraints limit the prospects of wholesale adoption of DLT (or blockchain) technologies, other than for relatively limited information management purposes. The public sector can hardly be expected to adopt DLT solutions that are not heavily permissioned, and that do not include significant safeguards to protect sensitive, commercially valuable, and other types of information that cannot simply be put in the public domain. This means that the public sector is only likely to implement highly centralised DLT solutions, with the public sector granting permissions to access and amend the relevant information. While this can still generate some (degrees of) tamper-evidence and permanence of the information management system, the net advantage is likely to be modest when compared to other types of secure information management systems. This can have an important bearing on decisions on whether DLT solutions meet cost-effectiveness or similar value-for-money criteria controlling their piloting and deployment.

The value proposition of DLT solutions could increase if they enabled significant procurement automation through smart contracts. However, there are massive challenges in translating procurement procedures into a strict ‘if/when ... then’ programmable logic; smart contracts have a limited capability that is not commensurate with the volumes and complexity of procurement information; and their development would only be justified in contexts where a given smart contract (ie a specific programme) could be used in a high number of procurement procedures. This limits their scope of applicability to standardised and simple procurement exercises, which creates a functional overlap with some RPA solutions. Even in those settings, smart contracts would pose structural problems in terms of their irrevocability or automaticity. Moreover, they would be unable to generate off-chain effects, and this would not be easily sorted out even with the inclusion of internet of things (IoT) solutions or software oracles. This largely restricts smart contracts to an information exchange mechanism, which does not significantly increase the value added by DLT plus smart contract solutions for procurement governance.
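The following toy Python function illustrates that strict ‘if/when ... then’ logic and why it sits uneasily with procurement: conditions either hold or they do not, with no room for discretion or partial performance, and the outcome depends entirely on off-chain inputs. All names are hypothetical, and a real smart contract would of course run on-chain rather than in Python.

```python
# Toy 'if/when ... then' clause: payment release fires automatically once
# (assumed trustworthy) off-chain inputs confirm delivery and inspection.
def smart_payment_clause(delivery_confirmed: bool, inspection_passed: bool) -> str:
    # No room for discretion, negotiation or partial performance:
    # the conditions either hold or they do not.
    if delivery_confirmed and inspection_passed:
        return "RELEASE_PAYMENT"  # once triggered, irrevocable by design
    return "WITHHOLD_PAYMENT"


# The clause is only as good as its off-chain inputs (the 'oracle problem'):
print(smart_payment_clause(delivery_confirmed=True, inspection_passed=True))
```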

Conclusion

To conclude, there are significant and difficult-to-solve hurdles in generating an enabling data architecture, especially for digital technologies that require multiple sources of information or data points regarding several phases of the procurement process. Moreover, the realistic potential of most technologies primarily concerns the automation of tasks not involving data analysis or the exercise of procurement discretion, but rather relatively simple information cross-checks or exchanges.

Linking back to the discussion in the earlier broader chapter (see here), the analysis above shows that a feasibility boundary emerges whereby the adoption of digital technologies for procurement governance can make contributions in relation to its information intensity, but not easily in relation to its information complexity, at least not in the short to medium term and not in the absence of a significant improvement of the required enabling data architecture. Perhaps in more direct terms, in the absence of a significant expansion in the collection and curation of data, digital technologies can allow procurement governance to do more of the same, or to do it quicker, but they cannot enable better procurement driven by data insights, except in relatively narrow settings. Such settings are characterised by centralisation. Therefore, the deployment of digital technologies can be a further source of pressure towards procurement centralisation, which is not a neutral development in governance terms.

This feasibility boundary should be taken into account in considering potential use cases, as well as serve to moderate the expectations that come with the technologies and that can fuel ‘policy irresistibility’. Further, it should be stressed that those potential advantages do not come without their own additional complexities in terms of new governance risks (eg data and data systems integrity, cybersecurity, skills gaps) and requirements for their mitigation. These will be explored in the next stage of my research project.

Urgent: 'no eForms, no fun' -- getting serious about building a procurement data architecture in the EU

‘EU Member States only have about one year to make crucial decisions that will affect the procurement data architecture of the EU and the likelihood of successful adoption of digital technologies for procurement governance for years or decades to come’. Put like that, the relevance of the approaching deadline for the national implementation of new procurement eForms may grab more attention than the alternative statement that ‘in just about a year, new eForms will be mandatory for publication of procurement notices in TED’.

This latter, more technical (obscure, and uninspiring?) understanding of the new eForms seems to have dominated the approach to eForms implementation, which does not appear to have gained a high profile in domestic policy-making at EU Member State level, despite the Publications Office’s efforts.

In this post, I reflect on the strategic importance of the eForms implementation for the digitalisation of procurement, the limited incentives for an ambitious implementation that stem from the voluntary character of the most innovative aspects of the new eForms, and the opportunity that would be lost with a minimalistic approach to compliance with the new rules. I argue that it is urgent for EU Member States to get serious about building a procurement data architecture that facilitates the uptake of digital technologies for procurement governance across the EU, which requires an ambitious implementation of eForms beyond their minimum mandatory requirements.

eForms: some background

The EU is in the process of reforming the exchange of information about procurement procedures. This information exchange is mandated by the EU procurement rules, which regulate a variety of procurement notices with the two-fold objective of (i) fostering cross-border competition for public contracts and (ii) facilitating the oversight of procurement practices by the Member States, both in relation to the specific procedure (eg to enable access to remedies) and from a broad policy perspective (eg through the Single Market Scoreboard). In other words, this information exchange underpins the EU’s approach to procurement transparency, which mainly translates into publication of notices in the Tenders Electronic Daily (TED).

A 2019 Implementing Regulation established new standard forms for the publication of notices in the field of public procurement (eForms). The Implementing Regulation is accompanied by a detailed Implementation Handbook. The transition to eForms is about to hit a crucial milestone with the authorisation for their voluntary use from 14 November 2022, in parallel with the continued use of current forms. Following that, eForms will be mandatory and the only accepted format for publication of TED notices from 25 October 2023. There will thus have been a very long implementation period (of over four years), including an also lengthy (11-month) experimentation period about to start. This contrasts with previous revisions of the TED templates, which gave under six months’ notice (eg in 2015) or even just a 20-day implementation period (eg in 2011). This extended implementation period reflects the fact that the transition to eForms is not merely a matter of replacing one set of forms with another.

Indeed, eForms are not solely the new templates for the collection of information to be published in TED. eForms represent the EU’s open standard for publishing public procurement data — or, in other words, the ‘EU OCDS’ (which goes well beyond the OCDS mapping of the current TED forms). The importance of the implementation of a new data standard has been highlighted at strategic level, as this is the cornerstone of the EU’s efforts to improve the availability and quality of procurement data, which remain suboptimal (to say the least) despite continued efforts to improve the quality and (re)usability of TED data.

In that regard, the 2020 European strategy for data emphasised that ‘Public procurement data are essential to improve transparency and accountability of public spending, fighting corruption and improving spending quality. Public procurement data is spread over several systems in the Member States, made available in different formats and is not easily possible to use for policy purposes in real-time. In many cases, the data quality needs to be improved.’ The European Commission now stresses how ‘eForms are at the core of the digital transformation of public procurement in the EU. Through the use of a common standard and terminology, they can significantly improve the quality and analysis of data’ (emphasis added).

It should thus be clear that the eForms implementation is not only about low-level form-filling, but also (or primarily) about building a procurement data architecture that facilitates the uptake of digital technologies for procurement governance across the EU. Therefore, the implementation of eForms and the related data standard seeks to achieve two goals: first, to ensure the data quality (eg standardisation, machine-readability) required to facilitate its automated treatment for the purposes of publication of procurement notices mandated by EU law (ie their primary use); and, second, to build a data architecture that can facilitate the accumulation of big data so that advanced data analytics can be deployed by re-users of procurement data. This second(ary) goal is particularly relevant to our discussion, and requires some unpacking.

The importance of data for the deployment of digital technologies

It is generally accepted that quality (big) data is the primary requirement for the deployment of digital technologies to extract data-driven insights, as well as to automate menial back-office tasks. In a detailed analysis of these technologies, I stress the relevance of procurement data across technological solutions that could be deployed to improve procurement governance. In short, the outcome of robotic process automation (RPA) can only be as good as its sources of information, and adequate machine learning (ML) solutions can only be trained on high-quality big data—which thus conditions the possibility of developing recommender systems, chatbots, or algorithmic screens for procurement monitoring and oversight. Distributed Ledger Technology (DLT) systems (aka blockchain) can manage data, but cannot verify its content, accuracy, or reliability. Internet of Things (IoT) applications and software oracles can automatically capture data, which can alleviate some of the difficulties in generating an adequate data infrastructure. But this only applies to the observation of the ‘real world’ or to digitally available information, the quality of which raises the same issues as other sources of data. In short, all digital technologies are data-centric or, more clearly, data-dependent.

Given the crucial relevance of data across digital technologies, it is hard to overstate how any shortcomings in the enabling data architecture curtail the likelihood of successful adoption of digital technologies for procurement governance. With inadequate data, it may simply be impossible to develop digital solutions at all. And digital solutions developed on poor or inadequate data can generate further problems—eg skewing decision-making on the basis of inadequately derived ‘data insights’. Ultimately, then, ensuring that adequate data is available to develop digital governance solutions is a challenging but unavoidable requirement in the process of procurement digitalisation. Success, or lack of it, in the creation of an enabling data architecture will determine the viability of the deployment of digital technologies more generally. From this perspective, the implementation of eForms gains clear strategic importance.

eForms Implementation: a flexible model

Implementing eForms is not an easy task. The migration towards eForms requires a complete redesign of information exchange mechanisms. eForms are designed around Universal Business Language (UBL) and involve the use of a much more structured information schema, compatible with the EU’s eProcurement Ontology, than the current TED forms. eForms are also meant to collect a larger amount of information than current TED forms, especially in relation to sub-units within a tender, such as lots, or in relation to framework agreements. eForms are meant to be flexible and regularly revised, in particular to add new fields to facilitate data capture in relation to specific EU-mandated requirements in procurement, such as the clean vehicles rules (with some changes already coming up, likely in November 2022).

From an informational point of view, the main constraint that remains despite the adoption of eForms is that their mandatory content is determined by existing obligations to report and publish tender-specific information under the current EU procurement rules, as well as to meet broader reporting requirements under international and EU law (eg the WTO GPA). This mandatory content is thus rather limited. Ultimately, eForms’ main focus is on disseminating details of contract opportunities and capturing different aspects of decision-making by the contracting authorities. Given the process-orientedness and transactional focus of the procurement rules, most of the information to be mandatorily captured by the eForms concerns the scope and design of the tender procedure, some aspects concerning the award and formal implementation of the contract, as well as some minimal data points concerning its material outcome—primarily limited to the winning tender. As the Director-General of the Publications Office put it at an eForms workshop yesterday, the new eForms will provide information on ‘who buys what, from whom and for what price’. While some of that information (especially in relation to the winning tender) will be reflective of broader market conditions, and while the accumulation of information across procurement procedures can progressively generate a broader view of (some of) the relevant markets, it is worth stressing that eForms are not designed as a tool of market intelligence.

Indeed, eForms do not capture the entirety of information generated by a procurement process and, as mentioned, their mandatory content is rather limited. eForms do include several voluntary or optional fields, and they could be adapted for some voluntary uses, such as in relation to the detection of collusion in procurement, or in relation to the beneficial ownership of tenderers and subcontractors. Extensive use of voluntary fields and the development of additional fields and uses could contribute to generating data that enabled the deployment of digital technologies for the purposes of eg market intelligence, integrity checks, or other sorts of (policy-related) analysis. For example, there are voluntary fields in relation to green, social or innovation procurement, which could serve as the basis for data-driven insights into how to maximise the effects of such policy interventions. There are also voluntary fields concerning procurement challenges and disputes, which could facilitate the monitoring of eg areas requiring guidance or training. However, while the eForms are flexible and include voluntary fields, and the schema facilitates the development of additional fields, it is unclear that adequate incentives exist for adoption beyond their mandatory minimum content.

Implementation in two tiers

The fact that eForms are in part mandatory and in part voluntary will most likely result in two separate tiers of eForms implementation across the EU. Tier 1 will solely concern the collection and exchange of information mandated by EU law, that is, the minimum mandatory eForm content. Tier 2 will concern the optional collection and exchange of a much larger volume of information concerning eg the entirety of tenders received, as well as qualitative information on eg specific policy goals embedded in a tender process. Of course, in the absence of coordination, a (large) degree of variation within Tier 2 can be expected. Tier 2 is potentially very important for (digital) procurement governance, but there is no guarantee that Member States will decide to implement eForms covering it.
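To visualise the data problem the two tiers would create, consider this minimal Python sketch, in which the field names are hypothetical simplifications of the eForms schema: any analysis relying on a voluntary field silently shrinks to the tier 2 subset of notices.

```python
# Hypothetical, simplified notice records: tier 1 carries only mandatory
# fields; tier 2 adds voluntary ones.
TIER_1_NOTICE = {"buyer": "Town A", "cpv": "30213100", "value_eur": 90_000, "winner": "Firm X"}
TIER_2_NOTICE = {
    "buyer": "CPB B", "cpv": "30213100", "value_eur": 2_500_000, "winner": "Firm Y",
    "green_criteria": True, "bids_received": 7,  # voluntary fields
}

notices = [TIER_1_NOTICE, TIER_2_NOTICE]

# Any analysis of a voluntary field silently drops tier 1 records, so the
# resulting 'insight' reflects only the (non-representative) tier 2 subset.
with_green = [n for n in notices if "green_criteria" in n]
print(f"Green-criteria analysis covers {len(with_green) / len(notices):.0%} of notices")
```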

One of the major obstacles to the broad adoption of a procurement data model so far, at least in the European Union, relates to the slow uptake of e-procurement (as discussed eg here). Without an underlying highly automated e-procurement system, the generation and capture of procurement data is a major challenge, as it is a labour-intensive process prone to input error. The entry into force of the eForms rules could serve as a further push for the completion of the transition to e-procurement—at least in relation to procurement covered by EU law (as below-thresholds procurement is a voluntary potential use of eForms). However, it is also possible that low e-procurement uptake and generalised unsophisticated approaches to e-procurement (eg reduced automation) will limit the future functionality of eForms, with Member States that have so far lagged behind restricting the use of eForms to tier 1.

E-procurement systems that do not automate the whole procurement life-cycle may require manual inputs into the new eForms (or the databases from which they draw information), which implies that there is a direct cost to the implementation of each additional (voluntary) data field. Contracting authorities may not perceive the (potential) advantages of incurring those costs, or may more simply be constrained by their available budget. A collective action problem arises here, as the cost of adding more data to the eForms is to be shouldered by each public buyer, while the ensuing big data would potentially benefit everyone (especially as it will be published—although there are also possibilities to capture but not publish information that should be explored, at least to prevent excessive market transparency; but let’s park that issue for now) and perhaps in particular data re-users offering added-value services for a fee.

In direct relation to this, and compounding the (dis)incentives problem, the possibility (or likelihood) of minimal implementation is heightened by the fact that, in many Member States, the operational adaptation to eForms does not directly concern public sector entities, but rather their service providers. E-procurement service providers compete for the provision of large-volume, entirely standardised platform services, in markets characterised by small operational margins. This creates incentives for a minimal adaptation of current e-sending systems, and disincentives for the inclusion of added-value (data) services unlikely to be used by public buyers. Some (or most) optional aspects of the eForms implementation will thus remain unused due to this market structure and its dynamics, which do not clearly incentivise a race to the top (unless there is clear demand pull for it).

With some more nuance, it should be stressed that it is also possible that the adoption of eForms is uneven within a given jurisdiction where the voluntary character of parts of the eForm is kept (rather than made mandatory across the board through domestic legislation), with advanced procurement entities (eg central purchasing bodies, or large buyers) adopting tier 2 eForms, and (most) other public buyers limiting themselves to tier 1.

Ensuing data fragmentation

While this variety of approaches across the EU and within a Member State would not pose legal challenges, it would have a major effect on the utility of the eForms-generated data for the purposes of eg developing ML solutions, as the data would be fragmented, hardly representative of important aspects of procurement (markets), and hardly generalisable. The only consistent data would be that covered by tier 1 (ie mandatory and standardised implementation), and this would limit the potential use cases for the deployment of digital technologies—with some possibly limited to the procurement remit of the specific institutions with tier 2 implementations.

Relatedly, it should be stressed that, despite the effort to harmonise the underlying data architecture and link it to the Procurement Ontology, the Implementation Handbook makes clear that ‘eForms are not an “off the shelf” product that can be implemented only by IT developers. Instead, before developers start working, procurement policy decision-makers have to make a wide range of policy decisions on how eForms should be implemented’ in the different Member States.

This poses an additional challenge from the perspective of data quality (and consistency), as there are many fields to be tailored in the eForms implementation process that can result in significant discrepancies in the underlying understanding or methodology to determine them, in addition to the risk of potential further divergence stemming from the domestic interpretation of very similar requirements. This simply extends to the digital data world the current situation, eg in relation to diverging understandings of what is ‘recyclable’ or what is ‘social value’ and how to measure them. Whenever open-ended concepts are used, the data may be a poor source for comparative and aggregate analysis. Where there are other sources of standardisation or methodology, this issue may be minimised—eg in relation to the green public procurement criteria developed in the EU, if they are properly used. However, where there are no outside or additional sources of harmonisation, it seems that there is scope for quite a few difficult issues in trying to develop digital solutions on top of eForms data, except in relation to quantitative issues or in relation to information structured in clearly defined categories—which will mainly link back to the design of the procurement.

An opportunity about to be lost?

Overall, while the implementation of eForms could in theory build a big data architecture and facilitate the development of ML solutions, there are many challenges ahead and the generalised adoption of tier 2 eForms implementations seems unlikely, unless Member States make a positive decision in the process of national adoption. The importance of an ambitious tier 2 implementation of eForms should be assessed in light of its downstream importance for the potential deployment of digital technologies to extract data-driven insights and to automate parts of the procurement process. A minimalistic implementation of eForms would significantly constrain future possibilities of procurement digitalisation, primarily in the specific jurisdiction, but also with spillover effects across the EU.

Therefore, a minimalistic eForms implementation approach would perpetuate (most of) the data deficit that prevents effective procurement digitalisation. It would be a short-sighted saving. Moreover, the effects of a ‘middle of the road’ approach should also be considered. A minimalistic implementation with a view to a more ambitious extension down the line could have short-term gains, but would delay the possibility of deploying digital technologies because the gains resulting from the data architecture are not immediate. In most cases, it will be necessary to wait for the accumulation of sufficiently big data. In some cases of infrequent procurement, missing data points will generate further time lags in the extraction of valuable insights. It is no exaggeration to say that every data point not captured carries an opportunity cost.

If Member States are serious about the digitalisation of public procurement, they will make the most of the coming year to develop tier 2 eForms implementations in their jurisdiction. They should also keep an eye on cross-border coordination. And the European Commission, both DG GROW and the Publications Office, would do well to put as much pressure on Member States as possible.

Public procurement governance as an information-intensive exercise, and the allure of digital technologies

I have just started a 12-month Mid-Career Fellowship funded by the British Academy with the purpose of writing up the monograph Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming).

In the process of writing up, I will be sharing some draft chapters and other thought pieces. I would warmly welcome feedback that can help me polish the final version. As always, please feel free to reach out: a.sanchez-graells@bristol.ac.uk.

In this first draft chapter (num 6), I explore the technological promise of digital governance and use public procurement as a case study of ‘policy irresistibility’. The main ideas in the chapter are as follows:

This Chapter takes a governance perspective to reflect on the process of horizon scanning and experimentation with digital technologies. The Chapter stresses how aspirations of digital transformation can drive policy agendas and make them vulnerable to technological hype, despite technological immaturity and in the face of evidence of the difficulty of rolling out such transformation programmes—eg regarding the still ongoing wave of transition to e-procurement. Delivering on procurement’s goals of integrity, efficiency and transparency requires facing challenges derived from the information intensity and complexity of procurement governance. Digital technologies promise to bring solutions to such an informational burden and thus augment decision-makers’ ability to deal with that complexity and with related uncertainty. The allure of the potential benefits of deploying digital technologies generates ‘policy irresistibility’ that can capture decision-making by policymakers overly exposed to the promise of technological fixes to recalcitrant governance challenges. This can in turn result in excessive experimentation with digital technologies for procurement governance in the name of transformation. The Chapter largely focuses on the EU policy framework, but the insights derived from this analysis are easily exportable.

Another draft chapter (num 7) will follow soon with more detailed analysis of the feasibility boundary for the adoption of digital technologies for procurement governance purposes. The full details of this draft chapter are as follows: A Sanchez-Graells, ‘The technological promise of digital governance: procurement as a case study of “policy irresistibility”’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4216825.

Interesting legislative proposal to make procurement of AI conditional on external checks

Procurement is progressively being put in the position of regulating what types of artificial intelligence (AI) are deployed by the public sector (ie taking a gatekeeping function; see here and here). This implies that the procurement function should be able to verify that the intended AI (and its use/foreseeable misuse) will not cause harms—or, where harms are unavoidable, come up with a system to weigh, and if appropriate/possible manage, that risk. I am currently trying to understand the governance implications of this emerging gatekeeping role to assess whether procurement is best placed to carry it out.

In the context of this reflection, I found a very useful recent paper: M E Kaminski, ‘Regulating the Risks of AI’ (2023) 103 Boston University Law Review forthcoming. In addition to providing a useful critique of the treatment of AI harms as risk and of the implications in terms of the regulatory baggage that (different types of) risk regulation implies, Kaminski provides an overview of a very interesting legislative proposal: Washington State’s Bill SB 5116.

Bill SB 5116 is a proposal for new legislation ‘establishing guidelines for government procurement and use of automated decision systems in order to protect consumers, improve transparency, and create more market predictability’. The governance approach underpinning the Bill is interesting in two respects.

First, the Bill includes a ban on certain uses of AI in the public sector. As Kaminski summarises: ‘Sec. 4 of SB 5116 bans public agencies from engaging in (1) the use of an automated decision system that discriminates, (2) the use of an “automated final decision system” to “make a decision impacting the constitutional or legal rights… of any Washington resident” (3) the use of an “automated final decision system…to deploy or trigger any weapon;” (4) the installation in certain public places of equipment that enables AI-enabled profiling, (5) the use of AI-enabled profiling “to make decisions that produce legal effects or similarly significant effects concerning individuals’ (at 66, fn 398).

Second, the Bill subjects the procurement of the AI to approval by the director of the office of the chief information officer. As Kaminski clarifies: ‘The bill’s assessment process is thus more like a licensing scheme than many proposed impact assessments in that it envisions a central regulator serving a gatekeeping function (albeit probably not an intensive one, and not over private companies, which aren’t covered by the bill at all). In fact, the bill is more protective than the GDPR in that the state CIO must make the algorithmic accountability report public and invite public comment before approving it’ (at 66, references omitted).

What the Bill does, then, is to displace the gatekeeping role from the procurement function itself to the data protection regulator. It also sets the specific substantive criteria the regulator has to apply in deciding whether to authorise the procurement of the AI.

Without getting into the detail of the Washington Bill, this governance approach seems to have two main strengths over the current emerging model of procurement self-regulation of the gatekeeping role (in the EU).

First, it facilitates a standardisation of the substantive criteria to be applied in assessing the potential harms resulting from AI adoption in the public sector, with a concentration on the specific characteristics of decision-making in this context. Importantly, it creates a clear area of illegality. Some of it is in line with eg the prohibition of certain AI uses in the Draft EU AI Act (profiling), or in the GDPR (prohibition of solely automated individual decision-making, including profiling — although it may go beyond it). Moreover, such an approach would allow for an expansion of prohibited uses in the specific context of the public sector, which the EU AI Act mostly fails to tackle (see here). It would also allow for the specification of constraints applicable to the use of AI by the public sector, such as a heightened obligation to provide reasons (see M Fink & M Finck, ‘Reasoned A(I)dministration: Explanation Requirements in EU Law and the Automation of Public Administration’ (2022) 47(3) European Law Review 376-392).

Second, it introduces an element of external (independent) verification of the assessment of potential AI harms. I think this is a crucial governance point because most proposals relying on the internal (self) assessment by the procurement team fail to consider the extent to which such an approach ensures (a) adequate resourcing (eg specialism and experience in the type of assessment) and (b) sufficient objectivity in the assessment. On the second point, with procurement teams often being told to ‘just go and procure what is needed’, moving to a position of gatekeeper or controller could be too big an ask (depending on institutional aspects that require closer consideration). Moreover, this would be different from other aspects of gatekeeping that procurement has progressively been asked to carry out (also excessively, in my view: see here).

When the procurement function is asked to screen for eg potential contractors’ social or environmental compliance track record, it is usually at arm’s length from those being reviewed (and the rules on conflict of interest are there to strengthen that position). Conversely, when the procurement function is asked to screen for the likely impact on citizens and/or users of public services of an initiative promoted by the operational part of the organisation to which it belongs, things are much more complicated.

That is why some systems (like the US FAR) create elements of separation between the procurement team and those in charge of reviewing eg competition issues (by means of the competition advocate). This is a model reflected in the Washington Bill’s approach to requiring external (even if within the public administration) verification and approval of the AI impact assessment. If procurement is to become a properly functioning gatekeeper of the adoption of AI by the public sector, this regulatory approach (ie having an ‘AI Harms Controller’) seems promising. Definitely a model worth thinking about for a little longer.

Happy summer and holidays

Dear HTCaN friends,

As I break for some summer holidays, I wanted to wish you a good period of rest and fun.

I hope to see you again in the blog in September or October. During academic year 2022/23, I will be mainly blogging about draft chapters of my forthcoming monograph on “Digital technologies and procurement governance. Gatekeeping and experimentation in digital public governance”, and related topics. I hope we will have interesting exchanges about the ideas for the book.

Until then, all best wishes for the rest of the summer,
Albert


Digital technologies, hype, and public sector capability


By Albert Sanchez-Graells (@How2CrackANut) and Michael Lewis (@OpsProf).*

The public sector’s reaction to digital technologies and the associated regulatory and governance challenges is difficult to map, but there are some general trends that seem worrisome. In this blog post, we reflect on the problematic compound effects of technology hype cycles and diminished public sector digital technology capability, paying particular attention to their impact on public procurement.

Digital technologies, smoke, and mirrors

There is a generalised over-optimism about the potential of digital technologies, as well as their likely impact on economic growth and international competitiveness. There is also a rush to ‘look digitally advanced’ eg through the formulation of ‘AI strategies’ that are unlikely to generate significant practical impacts (more on that below). However, there seems to be a big (and growing?) gap between what countries report (or pretend) to be doing (eg in reports to the OECD AI observatory, or in relation to any other AI readiness ranking) and what they are practically doing. A relatively recent analysis showed that European countries (including the UK) underperform particularly in relation to strategic aspects that require detailed work (see graph). In other words, there are very few countries ready to move past signalling a willingness to jump onto the digital tech bandwagon.

Some of that over-optimism stems from limited public sector capability to understand the technologies themselves (as well as their implications), which leads to naïve or captured approaches to policymaking (on capture, see the eye-watering account emerging from the #Uberfiles). Given the closer alignment (or political meddling?) of policymakers with eg research funding programmes, including but not limited to academic institutions, naïve or captured approaches impact other areas of ‘support’ for the development of digital technologies. This also trickles down to procurement, as the ‘purchasing’ of digital technologies with public money is seen as a (not very subtle) way of subsidising their development (nb. there are many proponents of that approach, such as Mazzucato, as discussed here). However, this can also generate further space for capture, as the same lack of capability that affects high(er) level policymaking also affects funding organisations and ‘street level’ procurement teams. This results in a situation where procurement best practices such as market engagement lead to the ‘art of the possible’ being determined by private industry. There is rarely co-creation of solutions, but too often a capture of procurement expenditure by entrepreneurs.

Limited capability, difficult assessments, and dependency risk

Perhaps the universalist techno-utopian framing (cost savings and efficiency and economic growth and better health and new service offerings, etc.) means it is increasingly hard to distinguish the specific merits of different digitalisation options – and the commercial interests that actively hype them. It is also increasingly difficult to carry out effective impact assessments where the (overstressed) benefits are relatively narrow and short-termist, while the downsides of technological adoption are diffuse and likely to only emerge after a significant time lag. Ironically, this limited ability to diagnose ‘relative’ risks and rewards is further exacerbated by the diminishing technical capability of the state: a negative mirror to Amazon’s flywheel model for amplifying capability. Indeed, as stressed by Bharosa (2022): “The perceptions of benefits and risks can be blurred by the information asymmetry between the public agencies and GovTech providers. In the case of GovTech solutions using new technologies like AI, Blockchain and IoT, the principal-agent problem can surface”.

As Colington (2021) points out, despite the “innumerable papers in organisation and management studies” on digitalisation, there is much less understanding of how interests of the digital economy might “reconfigure” public sector capacity. In studying Denmark’s policy of public sector digitalisation – which had the explicit intent of stimulating nascent digital technology industries – she observes the loss of the very capabilities necessary “for welfare states to develop competences for adapting and learning”. In the UK, where it might be argued there have been attempts, such as the Government Digital Services (GDS) and NHS Digital, to cultivate some digital skills ‘in-house’, the enduring legacy has been more limited in the face of endless demands for ‘cost saving’. Kattel and Takala (2021) for example studied GDS and noted that, despite early successes, they faced the challenge of continual (re)legitimization and squeezed investment; especially given the persistent cross-subsidised ‘land grab’ of platforms, like Amazon and Google, that offer ‘lower cost and higher quality’ services to governments. The early evidence emerging from the pilot algorithmic transparency standard seems to confirm this trend of (over)reliance on external providers, including Big Tech providers such as Microsoft (see here).

This is reflective of Milward and Provan’s (2003) ‘hollow state’ metaphor, used to describe “the nature of the devolution of power and decentralization of services from central government to subnational government and, by extension, to third parties – nonprofit agencies and private firms – who increasingly manage programs in the name of the state.” Two decades after its formulation, the metaphor is all the more applicable, as the hollowing out of the State is arguably a few orders of magnitude larger due to the techno-centricity of reforms in the race towards a new model of digital public governance. It seems as if the role of the State is currently understood as being limited to that of enabler (and funder) of public governance reforms, not solely implemented, but driven by third parties—and primarily highly concentrated digital tech giants; so that “some GovTech providers can become the next Big Tech providers that could further exploit the limited technical knowledge available at public agencies [and] this dependency risk can become even more significant once modern GovTech solutions replace older government components” (Bharosa, 2022). This is a worrying trend because, once dominance is established, the anticompetitive effects expected in any market can be further multiplied and propagated in a setting of low public sector capability that fuels risk aversion, where the adage “Nobody ever gets fired for buying IBM” has been around since the 70s with limited variation (as to the tech platform it is ‘safe to engage’).

Ultimately, the more the State takes a back seat, the more its ability to steer developments fades away. The rise of a GovTech industry seeking to support governments in their digital transformation generates “concerns that GovTech solutions are a Trojan horse, exploiting the lack of technical knowledge at public agencies and shifting decision-making power from public agencies to market parties, thereby undermining digital sovereignty and public values” (Bharosa, 2022). Therefore, continuing to simply allow experimentation in the GovTech market without a clear strategy on how to rein the industry in—and, relatedly, how to build the public sector capacity needed to do so as a precondition—is a strategy with (exponentially) increasing reversal costs and an unclear tipping point past which meaningful change may simply not be possible.

Public sector and hype cycle

Being more pragmatic, the widely cited, if impressionistic, “hype cycle model” developed by Gartner Inc. provides additional insights. The model presents a generalized expectations path that new technologies follow over time, which suggests that new industrial technologies progress through different stages up to a peak that is followed by disappointment and, later, a recovery of expectations.

Although intended to describe aggregate technology level dynamics, it can be useful to consider the hype cycle for public digital technologies. In the early phases of the curve, vendors and potential users are actively looking for ways to create value from new technology and will claim endless potential use cases. If these are subsequently piloted or demonstrated – even if ‘free’ – they are exciting and visible, and vendors are keen to share the use cases, all of which contributes to creating hype. Limited public sector capacity can also underpin excitement for use cases that are so far removed from their likely practical implementation, or so heavily curated, that they do not provide an accurate representation of how the technology would operate at production phase in the generally messy settings of public sector activity and public sector delivery. In phases such as the peak of inflated expectations, only organisations with sufficient digital technology and commercial capabilities can see through sophisticated marketing and sales efforts to separate the hype from the true potential of immature technologies. The emperor is likely to be naked, but who’s to say?

Moreover, as mentioned above, international organisations one step (upwards) removed from the State create additional fuel for the hype through mapping exercises and rankings, which generate a vicious circle of “public sector FOMO” as entrepreneurial bureaucrats and politicians are unlikely to want to be listed bottom of the table and can thus be particularly receptive to hyped pitches. This can create incentives to support *almost any* sort of tech pilot and implementation just to be seen to be doing something ‘innovative’, or to rush through high-risk implementations seeking to ‘cash in’ on the political and other rents they can (be spun to) generate.

However, as emerging evidence shows (AI Watch, 2022), there is a big attrition rate between announced and piloted adoptions, and those that are ultimately embedded in the functioning of the public sector in a value-adding manner (ie those that reach the plateau of productivity stage in the cycle). Crucially, AI literacy and skills among the staff involved in the use of the technology post-pilot are among the critical challenges of the AI implementation phase in the EU public sector (AI Watch, 2021). Thus, early moves in the hype curve are unlikely to translate into sustainable and expectations-matching deployments in the absence of a significant boost of public sector digital technology capabilities. Without committed long-term investment in that capability, piloting and experimentation will rarely translate into anything but expensive pet projects (and lucrative contracts).

Locking the hype in: IP, data, and acquisitions markets

Relatedly, the lack of public sector capacity is a foundation for eg policy recommendations seeking to avoid the public buyer acquiring (and having to manage) IP rights over the digital technologies it funds through procurement of innovation (see eg the European Commission’s policy approach: “There is also a need to improve the conditions for companies to protect and use IP in public procurement with a view to stimulating innovation and boosting the economy. Member States should consider leaving IP ownership to the contractors where appropriate, unless there are overriding public interests at stake or incompatible open licensing strategies in place” at 10).

This is as clear as mud (eg what does ‘overriding public interest’ mean here?) and fails to establish an adequate balance between public funding and public access to the technology, as well as generating (unavoidable?) risks of lock-in and exacerbating issues of lack of capacity in the medium and long term. Not only in terms of re-procuring the technology (see related discussion here), but also in terms of the broader impact this can have if the technology is propagated to the private sector as a result of or in relation to public sector adoption.

Linking this recommendation to the hype curve, such an approach to relying on proprietary tech with all rights reserved to the third-party developer means that first mover advantages secured by private firms at the early stages of the emergence of a new technology are likely to be very profitable in the long term. This creates further incentives for hype and for investment in being the first to capture decision-makers, which results in an overexposure of policymakers and politicians to tech entrepreneurs pushing hard for (too early) adoption of technologies.

The exact same dynamic emerges in relation to access to data held by public sector entities without which GovTech (and other types of) innovation cannot take place. The value of data is still to be properly understood, as are the mechanisms that can ensure that the public sector obtains and retains the value that data uses can generate. Schemes to eg obtain value options through shares in companies seeking to monetise patient data are not bullet-proof, as some NHS Trusts recently found out (see here, and here paywalled). Contractual regulation of data access, data ownership and data retention rights and obligations pose a significant challenge to institutions with limited digital technology capabilities and can compound IP-related lock-in problems.

A final complication is that the market for acquisitions of GovTech and other digital technologies start-ups and scale-ups is very active and unpredictable. Even with standard levels of due diligence, public sector institutions that had carefully sought to foster a diverse innovation ecosystem and to avoid contracting (solely) with big players may end up in the hands of those big players anyway, once the selected provider leverages its public sector success to deliver an ‘exit strategy’ for its founders and other (venture capital) investors. Change of control clauses clearly have a role to play, but the outside alternatives for public sector institutions engulfed in this process of market consolidation can be limited and difficult to assess, and particularly challenging for organisations with limited digital technology and associated commercial capabilities.

Procurement at the sharp end

Going back to the ongoing difficulty (and unwillingness?) in regulating some digital technologies, there is a (dominant) general narrative that imposes a ‘balanced’ approach between ensuring adequate safeguards and not stifling innovation (with some countries clearly erring much more on the side of caution, such as the UK, than others, such as the EU with the proposed EU AI Act, although the scope of application of its regulatory requirements is narrower than it may seem). This increasingly means that the tall order task of imposing regulatory constraints on digital technologies and the private sector companies that develop (and own) them is passed on to procurement teams, as the procurement function is seen as a useful regulatory mechanism (see eg Select Committee on Public Standards, Ada Lovelace Institute, Coglianese and Lampmann (2021), Ben Dor and Coglianese (2022), etc but also the approach favoured by the European Commission through the standard clauses for the procurement of AI).

However, this approach completely ignores issues of (lack of) readiness and capability that indicate that the procurement function is being set up to fail in this gatekeeping role (in the absence of massive investment in upskilling). Not only because it lacks the (technical) ability to figure out the relevant checks and balances, and because the levels of required due diligence far exceed standard practices in more mature markets and lower risk procurements, but also because the procurement function can be at the sharp end of the hype cycle and (pragmatically) unable to stop the implementation of technological deployments that are either wasteful or problematic from a governance perspective, as public buyers are rarely in a position of independent decision-making that could enable them to do so. Institutional dynamics can be difficult to navigate even with good insights into problematic decisions, and can be intractable in a context of low capability to understand potential problems and push back against naïve or captured decisions to procure specific technologies and/or from specific providers.

Final thoughts

So, as a generalisation, lack of public sector capability seems to be skewing high level policy and limiting the development of effective plans to roll it out, filtering through to incentive systems that will have major repercussions on what technologies are developed and procured, with risks of lock-in and centralisation of power (away from the public sector), as well as generating a false comfort in the ability of the public procurement function to provide an effective route to tech regulation. The answer to these problems is evident and simple, yet politically intractable in view of the permeating hype around new technologies: more investment in capacity building across the public sector.

This regulatory answer is further complicated by the difficulty in implementing it in an employment market where the public sector, its reward schemes and social esteem are dwarfed by the high salaries, flexible work conditions and allure of the (Big) Tech sector and the GovTech start-up scene. Some strategies aimed at alleviating the generalised lack of public sector capability, e.g. through a GovTech platform at the EU level, can generate further risks of reduction of (in-house) public sector capability at State (and regional, local) level as well as bottlenecks in the access of tech to the public sector that could magnify issues of market dominance, lock-in and over-reliance on GovTech providers (as discussed in Hoekstra et al, 2022).

Ultimately, it is imperative to build more digital technology capability in the public sector, and to recognise that there are no quick (or cheap) fixes to do so. Otherwise, much like with climate change, despite the existence of clear interventions that can mitigate the problem, the hollowing out of the State and the increasing overdependency on Big Tech providers will be a self-fulfilling prophecy for which governments will have no one to blame but themselves.

 ___________________________________

* We are grateful to Rob Knott (@Procure4Health) for comments on an earlier draft. Any remaining errors and all opinions are solely ours.

Algorithmic transparency: some thoughts on the UK's first four published disclosures and the standard's usability

© Fabrice Jazbinsek / Flickr.

The Algorithmic Transparency Standard (ATS) is one of the UK’s flagship initiatives for the regulation of public sector use of artificial intelligence (AI). The ATS encourages (but does not mandate) public sector entities to fill in a template to provide information about the algorithmic tools they use, and why they use them [see e.g. Kingsman et al (2022) for an accessible overview].

The ATS is currently being piloted, and has so far resulted in the publication of four disclosures relating to the use of algorithms in different parts of the UK’s public sector. In this post, I offer some thoughts based on these initial four disclosures, in particular from the perspective of the usability of the ATS in facilitating an enhanced understanding of AI use cases, and accountability for those.

The first four disclosed AI use cases

The ATS pilot has so far published information in two batches (on 1 June and 6 July 2022), comprising the following four AI use cases:

  1. Within Cabinet Office, the GOV.UK Data Labs team piloted the ATS for their Related Links tool; a recommendation engine built to aid navigation of GOV.UK (the primary UK central government website) by providing relevant onward journeys from a content page, with the aim of helping users find useful information and content.

  2. In the Department for Health and Social Care and NHS Digital, the QCovid team piloted the ATS with a COVID-19 clinical tool used to predict how at risk individuals might be from COVID-19. The tool was developed for use by clinicians in support of conversations with patients about personal risk, and it uses algorithms to combine a number of factors such as age, sex, ethnicity, height and weight (to calculate BMI), and specific health conditions and treatments in order to estimate the combined risk of catching coronavirus and being hospitalised or catching coronavirus and dying. Importantly, “The original version of the QCovid algorithms were also used as part of the Population Risk Assessment to add patients to the Shielded Patient List in February 2021. These patients were advised to shield at that time, were provided support for doing so, and were prioritised for COVID-19 vaccination.”

  3. The Information Commissioner's Office has piloted the ATS with its Registration Inbox AI, which uses a machine learning algorithm to categorise emails sent to its registration inbox and to send out an auto-reply where the algorithm “detects … a request about changing a business address. In cases where it detects this kind of request, the algorithm sends out an autoreply that directs the customer to a new online service and points out further information required to process a change request. Only emails with an 80% certainty of a change of address request will be sent an email containing the link to the change of address form.”

  4. The Food Standards Agency piloted the ATS with its Food Hygiene Rating Scheme (FHRS) – AI, an algorithmic tool that helps local authorities prioritise inspections of food businesses by predicting which establishments might be at a higher risk of non-compliance with food hygiene regulations. Importantly, use of the tool is voluntary and “it is not intended to replace the current approach to generate a FHRS score. The final score will always be the result of an inspection undertaken by [a local authority] officer.”

Harmless (?) use cases

At first glance, and on the basis of the implications of the outcome of the algorithmic recommendation, it would seem that the four use cases are relatively harmless, ie:

  1. If GOV.UK recommends links to content that is not relevant or helpful, the user may simply ignore them.

  2. The outcome of the QCovid tool simply informs the GPs’ (or other clinicians’) assessment of the risk of their patients, and the GPs’ expertise should mediate any incorrect (either over-inclusive, or under-inclusive) assessments by the AI.

  3. If the ICO sends an automatic email with information on how to change their business address to somebody that had submitted a different query, the receiver can simply ignore that email.

  4. Incorrect or imperfect prioritisation of food businesses for inspection could result in the early inspection of a low-risk restaurant, or the late(r) inspection of a higher-risk restaurant, but this is already a risk implicit in allowing restaurants to open pending inspection; AI does not add risk.

However, this approach could be too simplistic or optimistic. It can be helpful to think about what could really happen if the AI got it wrong ‘in a disaster scenario’ based on possible user reactions (a useful approach promoted by the Data Hazards project). It seems to me that, on ‘worst case scenario’ thinking (and without seeking to be exhaustive):

  1. If GOV.UK recommends content that is not helpful but is confusing, the user can either engage in red tape they did not need to complete (wasting both their time and public resources) or, worse, feel overwhelmed, confused or misled and abandon the administrative interaction they were initially seeking to complete. This can lead to exclusion from public services, and be particularly problematic if these situations can have a differential impact on different user groups.

  2. There could be over-reliance on the QCovid algorithm by (too busy) GPs. This could lead to advising ‘as a matter of routine’ the taking of excessive precautions with significant potential impacts on the day to day lives of those affected—as was arguably the case for some of the citizens included in shielding categories in the earlier incarnation of the algorithm. Conversely, GPs that identified problems in the early use of the algorithm could simply ignore it, thus potentially losing the benefits of the algorithm in other cases where it could have been helpful—potentially leading to under-precaution by individuals that could have otherwise been better safeguarded.

  3. Similarly to 1, the provision of irrelevant and potentially confusing information can lead to a waste of resources (e.g. users seeking to change their business registration address because they wrongly think it is a requirement to process their query or, at a lower end of the scale, users having to read and consider information about an administrative process they have no interest in). Beyond that, the classification algorithm could generate loss of queries if there was no human check to verify that the AI classification was correct. If this check takes place anyway, the advantages of automating the sending of the initial email seem rather marginal.

  4. Similar to 2, the incorrect prediction of risk can lead to a misuse of resources in the carrying out of inspections by local authorities, potentially pushing down the list of restaurants pending inspection some that are high-risk and that could thus see their inspection repeatedly delayed. This could have important public health implications, at least for those citizens using the yet-to-be-inspected restaurants for longer than they otherwise would have. Conversely, inaccurate prioritisations that did not seem to catch the more ‘risky’ restaurants could also lead to local authorities abandoning the tool’s use. There is also a risk of profiling of certain types of businesses (and their owners), which could lead to victimisation if the tool was improperly used, or used in relation to restaurants that have been active for a longer period (eg to trigger fresh (re)inspections).

No AI application is thus entirely harmless. Of course, this is just a matter of theoretical speculation—just as one could also speculate whether reduced engagement with the AI would generate a second tier negative effect, eg if ‘learning’ algorithms could not be revised and improved on the basis of ‘real-life’ feedback on whether their predictions were or were not accurate.

I think that this sort of speculation offers a useful yardstick to assess the extent to which the ATS can be helpful and usable. I would argue that the ATS will be helpful to the extent that (a) it provides information capable of clarifying whether the relevant risks have been taken into account and properly mitigated or, failing that, (b) it provides information that can be used to challenge the insufficiency of any underlying risk assessments or mitigation strategies. Ultimately, AI transparency is not an end in itself, but simply a means of increasing accountability—at least in the context of public sector AI adoption. And it is clear that any degree of transparency generated by the ATS will be an improvement on the current situation. But is the ATS really usable?

Finding out more on the basis of the ATS disclosures

To try to answer that general question on whether the ATS is usable and serves to facilitate increased accountability, I have read the four disclosures in full. Here is my summary/extracts of the relevant bits for each of them.

GOV.UK Related Links

Since May 2019, the tool has been using an algorithm called node2vec (a machine learning algorithm that learns network node embeddings) to train a model on the last three weeks of user movement data (web analytics data). The benefits are described as “the tool … predicts related links for a page. These related links are helpful to users. They help users find the content they are looking for. They also help a user find tangentially related content to the page they are on; it’s a bit like when you are looking for a book in the library, you might find books that are relevant to you on adjacent shelves.”

The way the tool works is described in some more detail: “The tool updates links every three weeks and thus tracks changes in user behaviour.” “Every three weeks, the machine learning algorithm is trained using the last three weeks of analytics data and trains a model that outputs related links that are published, overwriting the existing links with new ones.” “The average click through rate for related links is about 5% of visits to a content page. For context, GOV.UK supports an average of 6 million visits per day (Jan 2022). True volumes are likely higher owing to analytics consent tracking. We only track users who consent to analytics cookies …”.

The decision process is fully automated, but there is “a way for publishers to add/amend or remove a link from the component. On average this happens two or three times a month.” “Humans have the capability to recommend changes to related links on a page. There is a process for links to be amended manually and these changes can persist. These human expert generated links are preferred to those generated by the model and will persist.” Moreover, “GOV.UK has a feedback link, “report a problem with this page”, on every page which allows users to flag incorrect links or links they disagree with.” The tool was subjected to a Data Protection Impact Assessment (DPIA), but no other impact assessments (IAs) are listed.

When it comes to risk identification and mitigation, the disclosure indicates: “A recommendation engine can produce links that could be deemed wrong, useless or insensitive by users (e.g. links that point users towards pages that discuss air accidents).” and that, as mitigation: “We added pages to a deny list that might not be useful for a user (such as the homepage) or might be deemed insensitive (e.g. air accident reports). We also enabled publishers or anyone with access to the tagging system to add/amend or remove links. GOV.UK users can also report problems through the feedback mechanisms on GOV.UK.”

Overall, then, the risk I had identified is only superficially addressed, in that the ATS disclosure does not show awareness of the potentially differing implications of incorrect or useless recommendations across the spectrum. The narrative equating the recommendations to browsing the shelves of a library is quite suggestive in that regard, as is the fact that the quality controls are rather limited.

Indeed, it seems that the quality control mechanisms require a high level of effort by every publisher, as they need to check every three weeks whether the (new) related links appearing in each of the pages they publish are relevant and unproblematic. This seems to have reversed the functional balance of convenience. Before the implementation of the tool, only approximately 2,000 out of 600,000 pieces of content on GOV.UK had related links, as they had to be created manually (and thus, hopefully, were relevant, if not necessarily unproblematic). Now, almost all pages have up to five related content suggestions, but only two or three out of 600,000 pages see their links manually amended per month. A question arises whether this extremely low rate of manual intervention is reflective of the high quality of the system, or rather evidence of the lack of resources to quality-assure the website—the same lack of resources that previously prevented over 99% of pages from having this type of related information.

However, despite the queries as to the desirability of the AI implementation as described, the ATS disclosure is in itself useful because it allows the type of analysis above and, in case someone considers the situation unsatisfactory or would like to probe it further, there is a clear gateway to (try to) engage the entity responsible for this AI deployment.

QCovid algorithm

The algorithm was developed at the onset of the Covid-19 pandemic to drive government decisions on which citizens to advise to shield, support during shielding, and prioritise for vaccination rollout. Since the end of the shielding period, the tool has been modified. “The clinical tool for clinicians is intended to support individual conversations with patients about risk. Originally, the goal was to help patients understand the reasons for being asked to shield and, where relevant, help them do so. Since the end of shielding requirements, it is hoped that better-informed conversations about risk will have supported patients to make appropriate decisions about personal risk, either protecting them from adverse health outcomes or to some extent alleviating concerns about re-engaging with society.”

In essence, the tool creates a risk calculation based on scoring risk factors across a number of data fields pertaining to demographic, clinical and social patient information. “The factors incorporated in the model include age, ethnicity, level of deprivation, obesity, whether someone lived in residential care or was homeless, and a range of existing medical conditions, such as cardiovascular disease, diabetes, respiratory disease and cancer. For the latest clinical tool, separate versions of the QCOVID models were estimated for vaccinated and unvaccinated patients.”

It is difficult to assess how intensely the tool is (currently) used, although the ATS indicates that “In the period between 1st January 2022 and 31st March 2022, there were 2,180 completed assessments” and that “Assessment numbers often move with relative infection rate (e.g. higher infection rate leads to more usage of the tool).” The ATS also stresses that “The use of the tool does not override any clinical decision making but is a supporting device in the decision making process.” “The tool promotes shared decision making with the patient and is an extra point of information to consider in the decision making process. The tool helps with risk/benefit analysis around decisions (e.g. recommendation to shield or take other precautionary measures).”

The impact assessment of this tool is driven by those mandated for medical devices. The description is thus rather technical and not very detailed, although the selected examples it includes do capture the possibility of somebody being misidentified “as meeting the threshold for higher risk”, as well as someone not having “an output generated from the COVID-19 Predictive Risk Model”. The ATS does stress that “As part of patient safety risk assessment, Hazardous scenarios are documented, yet haven’t occurred as suitable mitigation is introduced and implemented to alleviate the risk.” That mitigation largely seems to be that “The tool is designed for use by clinicians who are reminded to look through clinical guidance before using the tool.”

I think this case shows two things. First, that it is difficult to understand how different parts of the analysis fit together when a tool that has had two very different uses is the object of a single ATS disclosure. There seems to be a good argument for use case specific ATS disclosures, even if the underlying AI deployment is the same (or a closely related one), as the implications of different uses from a governance perspective also differ.

Second, that in the context of AI adoption for healthcare purposes, there is a dual barrier to accessing relevant (and understandable) information: the tech barrier and the medical barrier. While the ATS does something to reduce the former, the latter very much remains in place and perhaps turns the issue of trustworthiness of the AI into one of trustworthiness of the clinician, which is not necessarily entirely helpful (not only in this specific use case, but in many others one can imagine). In that regard, it seems that the usability of the ATS is partially limited, and more could be done to increase meaningful transparency through AI-specific IAs, perhaps as proposed by the Ada Lovelace Institute.

In this case, the ATS disclosure has also provided some valuable information, but arguably to a lesser extent than the previous case study.

ICO’s Registration Inbox AI

This is a tool that very much resembles other forms of email classification (e.g. spam filters), as “This algorithmic tool has been designed to inspect emails sent to the ICO’s registration inbox and send out autoreplies to requests made about changing addresses. The tool has not been designed to automatically change addresses on the requester’s behalf. The tool has not been designed to categorise other types of requests sent to the inbox.”

The disclosure indicates that “In a significant proportion of emails received, a simple redirection to an online service is all that is required. However, sifting these types of emails out would also require time if done by a human. The algorithm helps to sift out some of these types of emails that it can then automatically respond to. This enables greater capacity for [Data Protection] Fees Officers in the registration team, who can, consequently, spend more time on more complex requests.” “There is no manual intervention in the process - the links are provided to the customer in a fully automated manner.”

The tool has been in use since May 2021 and classifies approximately 23,000 emails a month.

When it comes to risk identification and mitigation, the ATS disclosure stresses that “The algorithmic tool does not make any decisions, but instead provides links in instances where it has calculated the customer has contacted the ICO about an address change, giving the customer the opportunity to self-serve.” Moreover, it indicates that there is “No need for review or appeal as no decision is being made. Incorrectly classified emails would receive the default response which is an acknowledgement.” It further stresses that “The classification scope is limited to a change of address and a generic response stating that we have received the customer’s request and that it will be processed within an estimated timeframe. Incorrectly classified emails would receive the default response which is an acknowledgement. This will not have an impact on personal data. Only emails with an 80% certainty of a change of address request will be sent an email containing the link to the change of address form.”

In my view, this disclosure does not entirely clarify the way the algorithm works (e.g. what happens to emails classified as having requested information on change of address? Are they ‘deleted’ from the backlog of emails requiring a (human) non-automated response?). However, it does provide sufficient information to further consolidate the questions arising from the general description. For example, it seems that the identification of risks is clearly partial in that there is not only a risk of someone asking for change of address information not automatically receiving it, but also a risk of those asking for other information receiving the wrong information. There is also no consideration of additional risks (as above), and the general description makes the claim of benefits doubtful if there has to be a manual check to verify adequate classification.

The ATS disclosure does not provide sufficient contact information for the owner of the AI (perhaps because they were contracted on limited after-service terms…), although there is generic contact information for the ICO that could be used by someone who considered the situation unsatisfactory or would like to probe it further.

Food Hygiene Rating Scheme – AI

This tool is also based on machine learning to make predictions. “A machine learning framework called LightGBM was used to develop the FHRS AI model. This model was trained on data from three sources: internal Food Standards Agency (FSA) FHRS data, publicly available Census data from the 2011 census and open data from HERE API. Using this data, the model is trained to predict the food hygiene rating of an establishment awaiting its first inspection, as well as predicting whether the establishment is compliant or not.” “Utilising the service, the Environmental Health Officers (EHOs) are provided with the AI predictions, which are supplemented with their knowledge about the businesses in the area, to prioritise inspections and update their inspection plan.”

Regarding the justification for the development, the disclosure stresses that “the number of businesses classified as ‘Awaiting Inspection’ on the Food Hygiene Rating Scheme website has increased steadily since the beginning of the pandemic. This has been the key driver behind the development of the FHRS AI use case.” “The objective is to help local authorities become more efficient in managing the hygiene inspection workload in the post-pandemic environment of constrained resources and rapidly evolving business models.”

Interestingly, the disclosure states that the tool “has not been released to actual end users as yet and hence the maintenance schedule is something that cannot be determined at this point in time (June 2022). The Alpha pilot started at the beginning of April 2022, wherein the end users (the participating Local Authorities) have access to the FHRS AI service for use in their day-to-day workings. This section will be updated depending on the outcomes of the Alpha Pilot ...” It remains to be seen whether there will be future updates on the disclosure, but an error in copy-pasting in the ATS disclosure makes it contain the same paragraph but dated February 2022. This stresses the need to date and reference (eg v.1, v.2) the successive versions of the same disclosure, which does not seem to be a field of the current template, as well as to create a repository of earlier versions of the same disclosure.

The section on oversight stresses that “the system has been designed to provide decision support to Local Authorities. FSA has advised Local Authorities to never use this system in place of the current inspection regime or use it in isolation without further supporting information”. It also stresses that “Since there will be no change to the current inspection process by introducing the model, the existing appeal and review mechanisms will remain in place. Although the model is used for prioritisation purposes, it should not impact how the establishment is assessed during the inspection and therefore any challenges to a food hygiene rating would be made using the existing FHRS appeal mechanism.”

The disclosure also provides detailed information on IAs: “The different impact assessments conducted during the development of the use case were 1. Responsible AI Risk Assessment; 2. Stakeholder Impact Assessment; [and] 3. Privacy Impact Assessment.” Concerning the responsible AI risk assessment, in addition to a personal data issue that should belong in the DPIA, the disclosure reports three identified risks very much in line with the ones I had hinted at above: “2. Potential bias from the model (e.g. consistently scoring establishments of a certain type much lower, less accurate predictions); 3. Potential bias from inspectors seeing predicted food hygiene ratings and whether the system has classified the establishment as compliant or not. This may have an impact on how the organisation is perceived before receiving a full inspection; 4. With the use of AI/ML there is a chance of decision automation bias or automation distrust bias occurring. Essentially, this refers to a user being over or under reliant on the system leading to a degradation of human-reasoning.”

The disclosure presents related mitigation strategies as follows: “2. Integration of explainability and fairness related tooling during exploration and model development. These tools will also be integrated and monitored post-alpha testing to detect and mitigate potential biases from the system once fully operational; 3. Continuously reflect, act and justify sessions with business and technical subject matter experts throughout the delivery of the project, along with the use of the three impact assessments outlined earlier to identify, assess and manage project risks; 4. Development of usage guidance for local authorities specifically outlining how the service is expected to be used. This document also clearly states how the service should not be used, for example, the model outcome must not be the only indicator used when prioritising businesses for inspection.”

In this instance, the ATS disclosure is in itself useful because it allows the type of analysis above and, in case someone considers the situation unsatisfactory or would like to probe it further, there is a clear gateway to (try to) engage the entity responsible for this AI deployment. It is also interesting to see that the disclosure specifies that the private provider was engaged “As well as [in] a development role [… to provide] Responsible AI consulting and delivery services, including the application of a parallel Responsible AI sprint to assess risk and impact, enable model explainability and assess fairness, using a variety of artefacts, processes and tools”. This is clearly reflected in the ATS disclosure and could be an example of good practice where organisations lack that in-house capability and/or outsource the development of the AI. Whether that role should fall to the developer, or should rather be kept separate to avoid organisational conflicts of interest, is a discussion for another day.

Final thoughts

There seems to be a mixed picture on the usability of the ATS disclosures, with some of them not providing full usability, or a clear pathway to engage with the specific entity in charge of the development of the algorithmic tool, especially if it was an outsourced provider. In those cases, the public authority that has implemented the AI (even if not the owner of the project) will have to deal with any issues arising from the disclosure. There is also mixed practice concerning linking to resources other than previously available (open) data (eg open source code, data sources), with only one project (GOV.UK) including them in the disclosures discussed above.

It will be interesting to see how this assessment scales up (to use a term) once disclosures increase in volume. There is clearly a research opportunity arising as soon as more ATS disclosures are published. As a hypothesis, I would submit that disclosure quality is likely to decline with volume, as well as with the withdrawal of whatever support the pilot phase has provided to participating institutions. Let’s see how that empirical issue can be assessed.

The other reflection I have to offer based on these first four disclosures is that there are points of information in the disclosures that can be useful, at least from an academic (and journalistic?) perspective, to assess the extent to which the public sector has the capabilities it needs to harness digital technologies (more on that soon in this blog).

The four reviewed disclosures show that there was one in-house development (GOV.UK), while the others were either procured (QCovid, whose disclosure includes a redacted copy of the contract) or contracted out, perhaps even directly awarded (ICO email classifier, FSA FHRS – AI). And there are some between-the-lines indications that some of the implementations may have been developed relatively haphazardly, unless there was strong pre-existing reliable statistical data (eg on information requests concerning change of business address). This in itself triggers questions about the procurement or commissioning strategy developed by institutions seeking to harness AI's potential.

From this perspective, the ATS disclosures can be a useful source of information on the extent to which the adoption of AI by the public sector depends as strongly on third party capabilities as the literature generally hypothesises and/or is starting to demonstrate empirically.

The perils of not carrying out technology-centered research into digital technologies and procurement governance -- re Sava and Dragos (2022), plus authors' response

This is a post in two parts. The first part addresses my methodological concerns with research on digital technologies and public procurement (and public governance more generally), as exemplified by a recent paper. The second part collects the response by the authors of that paper.

These two points of view are offered together to try to spark debate. While the authors found my comments harsh (I cannot judge that), they engaged with them and provided their own counter-arguments. In itself, I think that is laudable and already has value. Any further discussion with the broader community, via comments (or email), would be a bonus.

Part 1: The perils of not carrying out technology-centered research into digital technologies and procurement governance -- re Sava and Dragos (2022)

When I started researching the interaction between digital technologies and procurement governance, it was clear to me that a technology-centered legal method was required. A significant amount of the scholarship that is published fails to properly address the governance implications of digital technologies because it simply does not engage with their functionality—or, put otherwise, because the technology is not understood. This can lead to either excessive claims of what ‘technology fixes’ can achieve or, perhaps even more problematic, it can generate analysis that is based on a misleading, shallow and oftentimes purely literal reading of the labels with which the technology is described and referred to.

A recent paper on smart contracts and procurement clearly exemplifies this problem: N.A. Sava & D. Dragos, ‘The Legal Regime of Smart Contracts in Public Procurement’ (2022) Transylvanian Review of Administrative Sciences, No. 66 E/2022, pp. 99–112.

Conceptual problems

From the outset, the paper is at pains to distinguish blockchain and smart contracts, and proposes ’a needed conceptual distinction that would fit the public contracts theory: before a contract is signed, it is logical to refer to blockchain technology when discussing digital means of awarding the procurement contract. As a result of this award, the concluded contract could be a “smart contract”’ (at 101).

The trap into which the paper falls, of course, is that of believing that blockchain and smart contracts can be distinguished ‘conceptually’ (in a legal sense), rather than on the basis of their technological characteristics and functionality.

Blockchain is a type of distributed ledger technology (DLT). In some more detail: ‘A DLT system is a system of electronic records that enables a network of independent participants to establish a consensus around the authoritative ordering of cryptographically-validated (‘signed’) transactions. These records are made persistent by replicating the data across multiple nodes, and tamper-evident by linking them by cryptographic hashes. The shared result of the reconciliation/consensus process - the ‘ledger’ - serves as the authoritative version for these records’ (M Rauchs et al, Distributed Ledger Technology Systems. A Conceptual Framework (2018), at 24). Blockchain is thus a ‘passive’ digital technology in the sense that it cannot perform any sort of automation of (decision-making) processes because it simply serves to create a data infrastructure.

In turn, smart contracts are a type of ‘active’ (or automating) digital technology that can be deployed on top of a DLT. In more detail: ‘Smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met. They typically are used to automate the execution of an agreement so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when conditions are met’ (IBM, What are smart contracts on blockchain? (undated, accessed 1 July 2022)).

What this means is that, functionally, ‘smart contracts’ may or may not map onto the legal concept of contract, as a ‘smart contract’ can be a unilaterally programmed set of instructions aimed at the automation of a workflow underpinned by data held on a DLT.

Taking this to the public procurement context, it is then clear that both the management of the award process and the execution of an awarded public contract, to the extent that they could be automated, would need to be instrumentalised via smart contracts plus an underlying blockchain (I would though be remiss not to stress that the practical possibilities of automating either of those procurement phases are extremely limited, if at all realistic; see here and here, which the paper refers to in passing). It does not make any (technological/functional) sense to try to dissociate both layers of digital technology to suggest that ‘blockchain technology [should be used] when discussing digital means of awarding the procurement contract. As a result of this award, the concluded contract could be a “smart contract”’ (Sava & Dragos, above, 101).

This is important, because that technology-incongruent conceptual distinction is then the foundation of legal analysis. The paper e.g. posits that ‘the award of public contracts is a unilateral procedure, organized by state authorities according to specific rules, and that automation of such procedure may be done using blockchain technology, but it is not a ‘“smart contract” (sic). Smart contracts, on the other hand, can be an already concluded procurement contract, which is executed, oversaw (sic) and even remedied transparently, using blockchain technology (sic)’ (ibid, 103, emphasis added).

There are three problems here. First, the automation of the procurement award procedure carried out on top of a DLT layer would require a smart contract (or a number of them). Second, the outcome of that automated award would only be a ‘smart contract’ in itself if it was fully coded and its execution fully automated. In reality, it seems likely that some parts of a public contract could be coded (e.g. payments upon invoice approval), whereas other parts could not (e.g. anything that has to happen offline). Third, the smart contract (ie coded) parts of a public contract could not be modified (solely) using blockchain technology, but would require another (or several) smart contract/s.

Some more problems

Similarly, the lack of technology-centricity of the analysis leads the paper to present as open policy choices some issues that are simply technologically-determined.

For example, the paper engages in this analysis:

… the question is where should the smart public contracts be awarded? In the electronic procurement systems already developed by the different jurisdictions? On separate platforms using blockchain technology? The best option for integrating smart contracts into the procurement procedures may be the already existing digital infrastructure, therefore on the electronic procurement platforms of the member states. We believe this would be an optimal solution, as smart contracts should enhance the current electronic procurement framework and add value to it, thus leveraging the existing system and not replacing it (at 103, emphasis added).

Unless the existing electronic procurement platforms ran on blockchain—which I do not think they do—then this is not a policy option at all, as it is not possible to deploy smart contracts on top of a different layer of information. It may be possible to automate some tasks using different types of digital technologies (e.g. robotic process automation), but not smart contracts (if the technological concept, as discussed above, is to be respected).

The problems continue with the shallow approach to the technology (and to the underlying legal and practical issues), as also evidenced in the discussion of the possibility of automating checks related to the European Single Procurement Document (ESPD), which is a self-declaration that the economic operator is not affected by exclusion grounds (see Art 59 Directive 2014/24/EU).

The paper states:

In the context of automatized checks, the blockchain technology can provide an avenue for checking the validity of proofs presented. The system could automate the verifications of the exclusion grounds and the selection criteria by checking the original documents referenced in the ESPD in real time (that is, before determining the winning tender). The blockchain technology could verify the respect of the exclusions grounds and rule out any economic operator that does not comply with this condition (at 104, emphasis added).

This is a case of excessive claim based on a misunderstanding of the technology. A smart contract could only verify whatever information was stored in a DLT. There is no existing DLT capturing the information required to assess the multiplicity of exclusion grounds regulated under EU law. Moreover, the check would never be of the original documents, but rather of digital records that would either be self-declared by the economic operators or generated by a trusted authority. If the latter, what is the point of a blockchain (or other DLT), given that the authority and veracity of the information comes from the legal authority of the issuer, not the consensus mechanism?

There are also terminological/conceptual inconsistencies in the paper, which does not consistently stick to its own distinction that blockchain should be used to refer to the automation of the award procedure, with smart contracts being reserved for the awarded contract. For example, it (correctly) asserts that ‘When it comes to selection criteria, the smart contract could also perform automatic checks on the elements listed in the contract notice’ (at 104). However, this can create confusion for a reader not familiar with the technology.

Other issues point at the potentially problematic implications of analysis based on a lack of in-depth exploration of the technologies. For example, the paper discusses a project in Colombia, which ‘created a blockchain software that allowed for record keeping, real time auditability, automation through smart contracts and enhanced citizen engagement’ (at 105). After limited analysis, the paper goes on to stress that ‘Our opinion is that the system in Colombia resembles very much the regular e-procurement systems in Europe. For instance, Romania’s SEAP (Electronic Public Procurement System) insures exactly the same features — non-alteration of bids, traceability and automatic evaluation of tenders (price). So, the question is whether the smart contract system in Colombia is anything else than a functional e-procurement system’ (ibid). This reflects a conflation of functionality with technology, at best.

In the end, the lack of technology-centric (legal) analysis significantly weakens the paper and makes its insights and recommendations largely unusable.

The need for a technology-centric legal methodology

To avoid this type of problem in much-needed legal scholarship on the impact of digital technologies on public governance, it is necessary to develop a technology-centric legal methodology. This is something I am working on in the context of my project funded by the British Academy. I will seek to publish a draft methodology towards the end of the year. Comments and suggestions on what to take into account would be most welcome: a.sanchez-graells@bristol.ac.uk.

Part 2: authors’ response

Dear Professor,

As a first-year PhD student, being read and offered feedback, especially in this incipient phase of the research, is an amazing learning opportunity. Not all PhD students have the chance to exchange views on their topic, even more so with a revered name in public procurement doctrine like yourself, so I am very grateful for this debate (Sava).

The co-author Dragos also shares the respect and gratitude for the scholarly critique, although he considers the comments rather theoretical and lacking a constructive alternative conclusion.

Concerning the need to conduct ‘technology-centered legal’ research, I fully agree, and I will try to integrate more technology-centered research into the thesis.

However, being lawyers, we believe that purely technology-centered research does not take into account the established concepts from law, and especially from public procurement law; an interdisciplinary perspective is therefore needed.

Now we will address the arguments you formulated.

1) Conceptual problems

Concerning the definitions of blockchain and smart contract that you offer, we are of course familiar with them and agree with them.

We agree that blockchain-based smart contracts could automate certain aspects of the procurement procedures, both in the award and in the execution phase. In our paper, we acknowledge the fact that ‘smart contracts could automate any process that can be presented as an IF+THEN formula’ (p. 100-101). In this sense, as you noticed, we give the example of automating the check of the selection criteria: ‘When it comes to selection criteria, the smart contract could also perform automatic checks on the elements listed in the contract notice’ (p. 104).

However, beyond these two concepts (blockchain and smart contracts), there is a third concept, that of a ‘smart legal contract’.

DiMatteo, L., Cannarsa, M. and Poncibò, C., in The Cambridge Handbook of Smart Contracts, Blockchain Technology and Digital Platforms (Cambridge: Cambridge University Press, 2019, p. 63), draw attention to the inadequacy of the terminology: ‘For blockchain-based smart contracts, a useful dichotomy can be drawn between the “smart contract code” – that is, the computer code that is stored, verified, and executed on a blockchain – and the “smart legal contract” – a complement (or maybe even a substitute) for a legal contract that applies that technology. In essence, a “smart legal contract” is a combination of the “smart contract code” and traditional legal language.’

‘The LawTech panel recently decided that (...) smart contracts could still be legally binding provided that they include the typical elements of a contract’ (https://juro.com/learn/smart-contracts, consulted on 2 July 2022). As you mention, ‘functionally, “smart contracts” may or may not map onto the legal concept of contract, as a “smart contract” can be a unilaterally programmed set of instructions aimed at the automation of a workflow underpinned by data held on a DLT’.

Therefore, the correct conceptual distinction would be between ‘smart contract code’ and ‘smart legal contract’. In the paper, we tried to focus on the smart legal contract and to discuss its compatibility with public procurement contracts. Through the conceptual distinction, we actually wanted to point out that it would be difficult to imagine a smart legal contract (legally binding) exclusively in the award phase. On the other hand, concerning the ‘smart contract code’, we agree that it could be applicable to both the award and the execution phase, although the terminology remains debatable.

2) The question of where to integrate smart contracts

We state that ‘The best option for integrating smart contracts into the procurement procedures may be the already existing digital infrastructure, therefore on the electronic procurement platforms of the member states. We believe this would be an optimal solution, as smart contracts should enhance the current electronic procurement framework and add value to it, thus leveraging the existing system and not replacing it’ (p. 103).

Of course, we do not believe that the current system works on blockchain (in the paper we explore why this would be a difficult task), but we did discuss the integration of emerging technologies into the existing context of e-procurement tools. However, this would be an integration alongside the existing e-procurement tools, not on top of them, as adequate infrastructure would be needed.

Actually, we mean exactly what you pointed out in your conclusions, so we are in agreement here: some aspects of the procedure could be automated, yet the rest of the procedure could function based on the rules already in place. By the idea of not replacing the e-procurement system, we mean automating some discrete aspects, not replacing the entire system.

3) The ESPD

The idea was that smart contracts could automatically check certain documents, such as the ones referenced in the ESPD.

In our text, we only discuss the idea of a verification; we do not describe in detail how this should be performed and we do not state that the DLT should capture on its own ‘the information required to assess the multiplicity of exclusion grounds regulated under EU law’. Of course, these documents would need to be uploaded to the DLT, and the uploaded documents would have a digital form. By ‘original document’ we refer to the underlying reference document itself, not the simple self-declaration in the ESPD.

An analogy could be drawn with the Canadian ‘Supplier information registration system, which facilitates the registration of supplier information on blockchain to validate it against different records and to validate it in an automated way’ (NTT Data Presentation at EPLD Meeting, May 2022).

4) The Colombian example

We could not understand your critique here. The referenced example described a system for selecting economic operators in public procurement (for more information: https://www.weforum.org/reports/exploring-blockchain-technology-for-government-transparency-to-reduce-corruption/), which we believe is comparable with a regular e-procurement portal.

5) Conclusions

Through our analysis, we intended to raise the following question: would automating some aspects of the public procurement procedure through “smart contracts” ensure the same characteristics and guarantees as the ones offered by an e-procurement system of an EU member state? In that case, what is the added value of “smart contracts” in public procurement? It is a research question that we will try to focus on in the future; here we merely pose it.

This paper is an exploratory and incipient one. For the moment, our goal was to raise some questions and to explore some potential paths. Beyond theoretical “what ifs”, it is hard to find specific support for assertions that new digital technologies will definitely have numerous and game-changing applications in the procurement process, as long as the procurement process is still managed unilaterally by public bodies and remains subject to a public law regime.

The intention is to challenge a rather theoretical assumption on the role of digital technologies in public procurement and subsequently to try to find real, practical examples or applications, if any.

In no circumstance did we state that we were formulating policy recommendations; this was a misunderstanding. Only after extensive research may conclusions lead to policy recommendations, and we are still far from that moment.

However, we believe that, in order to actually draw some conclusions on the use of such technologies in public procurement, scholars should delve more deeply into the topic, by critically assessing the current literature in the field and trying to take an interdisciplinary (legal, technological and managerial) look at it. As of now, the literature is too theoretical.

In other words, in our opinion, the exclusively tech-centered approach that you suggest would be as harmful as an exclusively legal one.

Thank you for this chance of a constructive dialogue; we look forward to future exchanges on the topic.

More detail on the UK's procurement transparency ambitions -- some comments and criticisms

© GraceOda / Flickr.

On 30 June 2022, the UK Government’s Cabinet Office published the policy paper ‘Transforming Public Procurement - our transparency ambition’ (the ‘ambitions paper’, or the ‘paper’). The paper builds on the Green Paper and the Government’s response to its public consultation, and outlines ‘proposals to dramatically improve transparency of UK public contracts and spending’. The ambitions paper provides a vision well beyond the scant (almost non-existent) detail in the Procurement Bill (clause 88), which is attracting a number of proposed amendments seeking to enshrine in law the basic elements now spelled out in the paper.

In this post, I reflect on the need to amend the Procurement Bill to bind (successive) UK Governments to the current transparency aspirations. I also comment on other aspects of the paper, including persistent issues with the lack of granularity in planned access to procurement data, which I already raised in relation to the Green Paper (see here, Q27 and Q29, and here).

A necessary amendment of the Procurement Bill

The additional level of detail in the paper is welcome and helpful in understanding how the UK plans to operationalise its procurement transparency ambitions. However, a first point to make is that the publication of the ambitions paper should in no way defuse concerns about the insufficiency of the Procurement Bill to ensure that a significant change in the way procurement information is captured and disseminated in the UK is achieved. In particular, the wording of clause 88(1) has to change.

It is nowhere close to good enough to simply have a weak enabling clause in legislation, stating that ‘An appropriate authority may by regulations make provision requiring certain information to be shared in a particular way, including through a specified online system’. The obvious first shortcoming is that the authority may do so, which also means it may not do so. The second is that the indication of a specified online system as merely a possible way of sharing information seems to take us back quite a few years. If not online (and if not as open data), how would a transparency aspiration be commensurate with the UK’s commitment to e.g. the Open Contracting Data Standard?

Given the high level of aspiration in the paper, a more solid legal grounding is required. My proposal, which builds on discussions with the open contracting community, as well as the amendment already tabled by Baroness Hayman of Ullock, would be to amend clause 88(1) of the Procurement Bill, so it reads:

'An appropriate authority shall by regulations make provision requiring certain information to be shared through a specified online system. Such online system shall, at a minimum, establish and operate a freely accessible, machine-readable and licence-free digital register for all public procurement notices under this Act, wherein all information will be regularly updated in accordance with the time limits for the publication of notices set out in the Act.'

Comments on the ambitions paper

Once the general commitment to having a single digital register is strengthened, we can move on to consider the detail of what (and how) should be published in the register, what should be kept for restricted use, and what further transparency-related interventions can build upon it—e.g. the creation of a dashboard with useful data analytics, or the interconnection of the register with other sources of e.g. relevant anti-corruption information (for discussion, see here). There are some indications of what the UK aspires to do, but also some lack of clarity in the paper, and some clear risks of undesirable knock-on effects from the maximalist approach to procurement transparency it embraces.

Vision

The ambitions paper indeed starts from a maximalist position, indicating that the vision is ‘to create a fully transparent public procurement system’. However, there are two clear limitations to that approach.

First, the proposal itself includes a proportionate approach to transparency requirements: ‘we want to ensure that we are only asking for the most detailed information - contract documents, performance markings etc - from the largest contracts, in order to maintain transparency without bogging procurement teams down in unnecessary bureaucracy for low-value contracts’. This immediately means that a potentially large volume of (local) procurement will not be subject to (some aspects of) the new transparency regime. Moreover, as the Procurement Bill stands, there would also be significant exclusions from important transparency obligations, e.g. in relation to light touch contracts (see here, section 7, issues #21 on performance-related KPIs and non-performance notices, and #23 on modification notices). That already falls short of generating a ‘fully transparent’ procurement system, precisely in relation to the award of contracts where the risk of capture can be high.

Second, the publication of procurement information remains subject to the general exclusions and carve-outs resulting from i.a. the Freedom of Information Act 2000 (FOIA). Interestingly, the ambitions paper does not refer to it at all, despite the Green Paper having made clear that, in the absence of FOIA reform (which is not sought), ‘only data which would be required to be made available under FOIA … would be publishable’ (at 167). Regardless of the paper’s silence on the issue, FOIA will continue to play a significant role in establishing which level of detail is disclosed, in particular in relation to disclosure of information not captured as a matter of mandatory disclosure in the relevant (award) notices, and perhaps even in relation to that.

The importance of preserving commercial confidentiality in the procurement setting is clear, and was also a focus of concern in the Green Paper consultation, leading e.g. to the Cabinet Office dropping its initial ambition of publishing tenders received in procurement procedures. As the Government’s response stressed: ‘We have considered the potential impact of public disclosure of information, such as (but not limited to) tenders. The feedback we received from stakeholders was that publishing tenders at this stage could prejudice future competitions that may run if the initial one is aborted and re-run for any reason, as bids will have been disclosed to the competition. As a result, we will not require disclosure of tenders submitted in a procurement’ (at 221).

Therefore, the system will not be (and should not be) fully transparent. What is more useful is to see what the vision wants to enable in relation to procurement data and related analytics and insights. The vision indicates that the UK Government would like for everyone ‘to be able to view, search and understand what the UK public sector wants to buy, how much it is spending, and with whom’. This is a more realistic aspiration that does not necessarily entail total transparency and, given some safeguards and a more granular approach to the disclosure of differing levels of detail in the information (see here and discussion below), it should be welcome. Ultimately, the Government wants the future platform to help people understand:

  1. current and future procurement opportunities created in the UK public sector, including pipelines of future work. [This should open up opportunities within the public sector to small businesses, driving down prices, increasing innovation and improving the business landscape across the country];

  2. how much money the public sector spends on purchasing essential goods and services. [This should] allow taxpayers to see how much is being spent through procurement on and in their local area, who it is spent with and how it is delivering on local priorities. [Moreover, this should show] which routes to market are available to contracting authorities, and how much has been spent through each of those. [This should] give contracting authorities the data they need to collaborate better, drive value for money and identify cost savings in their procurements, so they can monitor for signs of waste and inefficiency;

  3. which contracts finished on time and on budget–and which did not. [This means providing more detail across] the true lifecycle of government contracts, including how much the final amount spent on a contract differs from its original intended value, or how often contracts have been extended;

  4. which companies have been excluded from winning future work due to fraud, corruption or persistent poor performance; [and]

  5. who is really benefiting from public money - not just the companies winning contracts but the ownership of those companies.

This list (which regroups the longer and slightly repetitive list in the paper, as well as aggregating the purposes for the disclosure of specific information) points to three categories. First, a category where the information is purely notice-based (categories 1 and 4). Second, a category where the related insights should be easily derived from the information included in mandatory notices (categories 2 and 3). Third, a category (mainly 5) that concerns non-procurement information and will require either (a) embedding disclosure obligations in the procurement life-cycle (thus raising the red tape and participation costs), or (b) interconnection with non-procurement databases.

The first category is relatively unproblematic, although there is an inherent tension between the disclosure of planned procurement opportunities and the facilitation of collusive practices (more details below).

The second category probably points at the need to consider the extent to which data dashboards should differentiate between different users, including the level of detail (and timeliness) of the information published in each of them (also discussed below).

The third category points at the need to consider issues of design and interoperability of the platform, as it would be preferable for it to be capable of plugging into other databases. Moreover, there are other (anti-corruption) functionalities that could be enabled, such as cross-checks against databases of political donations to identify potentially problematic relationships between procurement awardees and political donors. In relation to this category, and to anti-corruption efforts more generally, the ambitions paper is not particularly ambitious. However, the creation of a solid procurement data architecture on the basis of OCDS could facilitate those extensions in the future.

The future platform

The ambitions paper indicates that the Government seeks to operationalise the new transparency regime through two main elements (as the ‘tell us once’ supplier register is a parallel and distinct intervention):

  • The introduction of a number of new procurement ‘notices’, covering the entire procurement lifecycle from planning through to contract expiry

  • A digital platform which will display all of this information publicly, with API access to data published to the Open Contracting Data Standard (OCDS). Once we have completed the core notice development, over time we also plan to build a number of useful registers, and explore integrating commercial data analysis tools

What this means is that the future platform will initially simply bring into one place what is currently published across a scattered landscape of transparency tools (see section 3.1 in the paper). That is an improvement, but the more significant change will only come when register and dashboard insights are developed. Importantly, the design of these registers and dashboards needs to be very carefully considered and linked back to the intended (and likely) use by different audiences. Yet the ambitions paper does not seem to consider this need and rather seeks to establish a system accessible to any type of data user in an undifferentiated form (see section 4.4).
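
For readers unfamiliar with OCDS, the practical significance of publishing to the standard with API access is that anyone can consume the notice data programmatically. The following minimal sketch illustrates the idea; the endpoint URL is hypothetical, but the field names follow the published OCDS release schema:

```python
# Illustrative sketch of consuming notice data published to the Open
# Contracting Data Standard (OCDS) via an API. The endpoint is hypothetical.

import requests

API_URL = "https://example.gov.uk/api/ocds/releases.json"  # hypothetical endpoint

# An OCDS 'release package' contains a list of releases, each describing
# a contracting process at a point in time.
package = requests.get(API_URL, timeout=30).json()

for release in package.get("releases", []):
    buyer = release.get("buyer", {}).get("name", "unknown buyer")
    tender = release.get("tender", {})
    value = tender.get("value", {})
    print(
        release.get("ocid"),
        "|", buyer,
        "|", tender.get("title", ""),
        "|", value.get("amount"), value.get("currency"),
    )
```

Registers, dashboards and analytics are then design layers built on top of this kind of raw access, which is where the considerations below come in.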

Research has shown that most of the gains from procurement transparency concern ex ante disclosure of information [M Bauhr et al, ‘Lights on the shadows of public procurement: Transparency as an antidote to corruption’ (2020) 33(3) Governance 495-523]. Conversely, the publication of ex post information is particularly risky in relation to e.g. anticompetitive practices, as well as corruption, and can generate limited benefits as it is unlikely that there will be a sustained level of engagement with that information by most stakeholders with a theoretical motivation to engage in procurement oversight [N Köbis, C Starke and I Rahwan, ‘The promise and perils of using artificial intelligence to fight corruption’ (2022) 4 Nature Machine Intelligence 418-424].

In that regard, it is particularly problematic that the ambitions paper seems to indicate that the UK Government would be publishing (in real time, for everyone to see) information such as: ‘Analysis of bid and win rates, analysis of supplier & bidder beneficial ownership patterns, general market trends analysis’. This should concern regulators such as the Competition and Markets Authority, as well as the Serious Fraud Office. While those authorities should absolutely have access to that information and market intelligence, its public disclosure (in detail, with no time lag) could be counterproductive and help, rather than hinder, corrupt and collusive practices. In that regard, it is of paramount importance that those authorities (and others, such as the National Audit Office) are involved in the design of the system—which is not entirely clear from the ‘user-centric’ approach embraced in the ambitions paper (see section 4.1).

A multi-layered level of transparency

In relation to these risks and issues, it is necessary to reiterate a call for a more nuanced and discriminating approach than the one that transpires from the ambitions paper. As stressed in the response to the Green Paper consultation (here Q29), while the creation of the platform, with data automatically fed into it in accordance with OCDS and other technical interoperability requirements, can only be endorsed, a key feature of the new system should be its multi-layered level of access/transparency.

Analysis carried out elsewhere (see here) supports a nuanced approach to the level of transparency created by public contract registries similar to the envisaged central digital platform, which needs to fall short of the full transparency paradigm in which it seems to have been conceived. As a functional criterion, only the information that is necessary to ensure proper oversight and the effectiveness of anti-corruption measures should be disclosed, whereas the information that can be most damaging for competition should be withheld.

Generally, what is needed is granularity in the levels of information that are made accessible to different stakeholders. A full transparency approach whereby all information was made available to everyone would fall very short of the desired balance between the transparency and competition goals of public procurement. A system based on enabling or targeted transparency, whereby each stakeholder gets access to the information it needs for a specific purpose, is clearly preferable.

In more specific terms, it is submitted that:

  • The content of the central digital platform should not be fully available to the public. Access to the full registry should be restricted to public sector officials under a strong duty of confidentiality protected by appropriate sanctions in cases of illegitimate disclosure.

  • Even within the public sector, full access to the central digital platform should be made available on a need-to-know basis. Oversight entities, such as the National Audit Office, the Serious Fraud Office, or the Competition and Markets Authority, as well as the new public procurement review unit (PPRU) should have full access. However, other entities or specific civil servants should only access the information they require to carry out their functions.

  • Limited versions of the central digital platform that are made accessible to the public should aggregate information by contracting authority and avoid disclosing any particulars that could be traced back to specific tenders, specific contracts, or specific undertakings.

  • Representative institutions, such as third sector organisations, journalists or academics should have the opportunity of seeking full access to the central digital platform on a case-by-case basis where they can justify a legitimate or research-related interest. Where access is granted, ethical approval should be obtained, anonymisation of data attempted, and specific confidentiality requirements duly imposed.

  • Delayed full access to the central digital platform could also be allowed for, provided there are sufficient safeguards to ensure that historic information does not remain relevant for the purposes of protecting market competition, business secrets and commercial interests.

  • Tenderers should have access to their own records, even if they are not publicly available, so as to enable them to check their accuracy. This is particularly relevant if public contract registries are used for the purposes of assessing past performance under the new rules.

  • Big data should be published on an anonymised basis, so that general trends can be analysed without enabling ‘reverse engineering’ of information that can be traced to specific bidders.

  • The entity in charge of the central digital platform should regularly publish aggregated statistics by type of procurement procedure, object of contract, or any other items deemed relevant for the purposes of the public accountability of public buyers (such as percentages of expenditure in green procurement, etc).

  • The entity in charge of the central digital platform should develop a system of red flag indicators and monitor them with a view to reporting instances of legal non-compliance to the relevant oversight entity, or potential collusion to the competition authority. In that regard, the earlier attempts (eg through the abandoned ‘Screening for Cartels’ tool) should be carefully analysed to avoid replicating past errors.
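
To illustrate the last point, a red flag system of this kind can start very simply. The sketch below computes a single indicator (the single-bid rate per contracting authority, a common proxy for weak competition) and flags authorities above a threshold; the data, fields and threshold are all invented for illustration, and a production system would need many more indicators and careful calibration:

```python
# Minimal sketch of one possible red-flag indicator: the single-bid rate
# per contracting authority. Data and threshold are illustrative only.

from collections import defaultdict

# (contracting_authority, number_of_bids_received) per awarded contract
awards = [
    ("Authority A", 1), ("Authority A", 1), ("Authority A", 4),
    ("Authority B", 5), ("Authority B", 3),
]

SINGLE_BID_THRESHOLD = 0.5  # illustrative; would need empirical calibration

totals = defaultdict(int)   # contracts awarded per authority
single = defaultdict(int)   # contracts that attracted only one bid
for authority, bids in awards:
    totals[authority] += 1
    if bids == 1:
        single[authority] += 1

for authority, n in totals.items():
    rate = single[authority] / n
    flag = "FLAG for oversight referral" if rate > SINGLE_BID_THRESHOLD else "ok"
    print(f"{authority}: single-bid rate {rate:.0%} over {n} contracts -> {flag}")
```

On the approach defended here, outputs of this kind would be routed to the relevant oversight entities rather than published in real time.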

Protecting procurement's AI gatekeeping role in domestic law, and trade agreements? -- re Irion (2022)

© r2hox / Flickr.

The increasing recognition of the role of procurement as AI gatekeeper, or even as AI (pseudo)regulator, is quickly gathering momentum and leading to proposals to enshrine it in domestic legislation. For example, in the Parliamentary process of the UK’s 2022 Procurement Bill, an interesting amendment has surfaced. The proposal by Lord Clement-Jones would see the introduction of the following clause:

Procurement principles: automated decision-making and data ethics

In carrying out a procurement, a contracting authority must ensure the safe, sustainable and ethical use of automated or algorithmic decision-making systems and the responsible and ethical use of data.

The purpose of the clause would be to ensure ‘that the ethical use of automated decision-making and data is taken into account when carrying out a procurement.’ This is an interesting proposal that would put the procuring entity, even if not the future user of the AI (?), in the legally-mandated position of custodian or gatekeeper for trustworthy AI—which, of course, depending on future interpretation, could be construed narrowly or expansively (e.g. whether to limit it to automated decision-making, or to extend it to algorithmic decision-support systems).

This would go beyond current regulatory approaches in the UK, where this gatekeeping position arises from soft law, such as the 2020 Guidelines for AI procurement. It would probably require significant additional guidance on how this role is to be operationalised, presumably through algorithmic impact assessments and/or other forms of ex ante intervention, such as the imposition of (standard) requirements in the contracts for AI procurement, or even ex ante algorithmic audits.

These requirements would be in line with influential academic proposals [e.g. M Martini, ‘Regulating Algorithms. How to Demystify the Alchemy of Code?’ in M Ebers & S Navas, Algorithms and Law (CUP 2020) 100, 115, and 120-22], as well as largely map onto voluntary compliance with EU AI Act’s requirements for high-risk AI uses (which is the approach also currently followed in the proposal for standard contractual clauses for the procurement of AI by public organisations being developed under the auspices of the European Commission).

One of the key practical considerations for a contracting authority to be able to discharge this gatekeeping role (amongst many others on expertise, time, regulatory capture, etc) is access to source code (also discussed here). Without accessing the source code, the contracting authority can barely understand the workings of the (to be procured) algorithms. Therefore, it is necessary to preserve the possibility of demanding access to source code for all purposes related to the procurement (and future re-procurement) of AI (and other software).

From this perspective, it is interesting to take a look at current developments in the protection of source code at the level of international trade regulation. An interesting paper coming out of the ongoing FAccT conference addresses precisely this issue: K Irion, ‘Algorithms Off-limits? If digital trade law restricts access to source code of software then accountability will suffer’ (2022) FAccT proceedings 1561-70.

Irion’s paper provides a good overview of the global efforts to protect source code in the context of trade regulation, maps how free trade agreements are increasingly used to construct an additional layer of protection for software source code (primarily from forced technology transfer), and rightly points at risks of regulatory lock-out or pre-emption depending on the extent to which source code confidentiality is pierced for a range of public interest cases.

What is most interesting for the purposes of our discussion is that source code protection is not absolute, but explicitly deactivated in the context of public procurement in all emerging treaties (ibid, 1564-65). Generally, the treaties either do not prohibit, or have an explicit exception for, source code transfers in the context of commercially negotiated contracts—which can in principle include contracts with the public sector (although the requirement for negotiation could be a hurdle in some scenarios). More clearly, under what can be labelled as the ‘EU approach’, there is an explicit carve-out for ‘the voluntary transfer of or granting of access to source code for instance in the context of government procurement’ (see Article 8.73 EU-Japan EPA; similarly, Article 207 EU–UK TCA; and Article 9 EU-Mexico Agreement in principle). This means that the EU (and other major jurisdictions) are very clear in their (intentional?) approach to preserve the gatekeeping role of procurement by enabling contracting authorities to require access to software source code.

Conversely, the set of exceptions generally emerging in source code protection via trade regulation can be seen as insufficient to ensure high levels of algorithmic governance resulting from general rules imposing ex ante interventions. Indeed, Irion argues that ‘Legislation that mandates conformity assessments, certification schemes or standardized APIs would be inconsistent with the protection of software source code inside trade law’ (ibid, 1564). This is debatable, as a less limiting interpretation of the relevant exceptions seems possible, in particular as they concern disclosure for regulatory examination (with the devil, of course, being in the detail of what is considered a regulatory body and how ex ante interventions are regulated in a particular jurisdiction).

If this stringent understanding becomes the prevailing interpretation of the relevant FTAs, so that mandating regulatory compliance is seen as a violation of the general prohibition on source code disclosure for the purposes of its ‘tradability’ in a specific jurisdiction, and regulatory interventions are thus constrained to ex post case-by-case investigations, it is easy to see how the procurement-related exceptions will become an (even more important) conduit for ex ante access to software source code for regulatory purposes, in particular where the AI is to be deployed in the context of public sector activity.

This is thus an interesting area of digital trade regulation to keep an eye on. And, more generally, it will be important to make sure that the AI gatekeeping role assigned to the procurement function is aligned with international obligations resulting from trade liberalisation treaties—which would require a general propagation of the ‘EU approach’ to explicitly carving out procurement-related disclosures.

Public procurement and [AI] source code transparency, a (downstream) competition issue (re C-796/18)

Two years ago, in its Judgment of 28 May 2020 in case C-796/18, Informatikgesellschaft für Software-Entwicklung, EU:C:2020:395 (the ‘ISE case’), the Court of Justice of the European Union (CJEU) answered a preliminary ruling that can have very significant impacts in the artificial intelligence (AI) space, despite it being concerned with ‘old school’ software. More generally, the ISE case set the requirements to ensure that a contracting authority does not artificially distort competition for public contracts concerning (downstream) software services generally, and I argue AI services in particular.

The case risks going unnoticed because it concerned a relatively under-discussed form of self-organisation by the public administration that is exempted from the procurement rules (i.e. public-public cooperation; on that dimension of the case, see W Janssen, ‘Article 12’ in R Caranta and A Sanchez-Graells, European Public Procurement. Commentary on Directive 2014/24/EU (EE 2021) 12.57 and ff). It is thus worth revisiting the case and considering how it squares with regulatory developments concerning the procurement of AI, such as the development of standard clauses under the auspices of the European Commission.

The relevant part of the ISE case

In the ISE case, one of the issues at stake concerned whether a contracting authority would be putting an economic operator (i.e. the software developer) in a position of advantage vis-à-vis its competitors by accepting the transfer of software free of charge from another contracting authority, conditional on undertaking to further develop that software and to share (also free of charge) those developments of the software with the entity from which it had received it.

The argument would be that by simply accepting the software, the receiving contracting authority would be advantaging the software publisher because ‘in practice, the contracts for the adaptation, maintenance and development of the base software are reserved exclusively for the software publisher since its development requires not only the source code for the software but also other knowledge relating to the development of the source code’ (C-796/18, para 73).

This is an important issue because it primarily concerns how to deal with incumbency (and IP) advantages in software-related procurement. The CJEU, in the context of the exemption for public-public cooperation regulated in Article 12 of Directive 2014/24/EU, established that

in order to ensure compliance with the principles of public procurement set out in Article 18 of Directive 2014/24 … first [the collaborating contracting authorities must] have the source code for the … software, second, that, in the event that they organise a public procurement procedure for the maintenance, adaptation or development of that software, those contracting authorities communicate that source code to potential candidates and tenderers and, third, that access to that source code is in itself a sufficient guarantee that economic operators interested in the award of the contract in question are treated in a transparent manner, equally and without discrimination (para 75).

Functionally, there is no reason to limit that three-pronged test to the specific context of public-public cooperation and, in my view, the CJEU position is generalisable as the relevant test to ensure that there is no artificial narrowing of competition in the tendering of software contracts due to incumbency advantage.

Implications of the ISE case

What this means is that, functionally, contracting authorities are under an obligation to ensure that they have access and dissemination rights over the source code, at the very least for the purposes of re-tendering the contract, or tendering ancillary contracts. More generally, they also need to have a sufficient understanding of the software — or technical documentation enabling that knowledge — so that they can share it with potential tenderers and in that manner ensure that competition is not artificially distorted.

All of this is of high relevance and importance in the context of emerging practices of AI procurement. The debates around AI transparency are in large part driven by issues of commercial opacity/protection of business secrets, in particular of the source code, which both makes it difficult to justify the deployment of the AI in the public sector (for, let’s call them, due process and governance reasons demanding explainability) and also to manage its procurement and its propagation within the public sector (e.g. as a result of initiatives such as ‘buy once, use many times’ or collaborative and joint approaches to the procurement of AI, which are seen as strategically significant).

While there is a movement towards requiring source code transparency (e.g. but not necessarily by using open source solutions), this is not at all mainstreamed in policy-making. For example, the pilot UK algorithmic transparency standard does not mention source code. Short of future rules demanding source code transparency, which seem unlikely (see e.g. the approach in the proposed EU AI Act, Art 70), this issue will remain one for contractual regulation and negotiations. And contracts are likely to follow the approach of the general rules.

For example, in the proposal for standard contractual clauses for the procurement of AI by public organisations being developed under the auspices of the European Commission and on the basis of the experience of the City of Amsterdam, access to source code is presented as an optional contractual requirement on transparency (Art 6):

<optional> Without prejudice to Article 4, the obligations referred to in article 6.2 and article 6.3 [on assistance to explain an AI-generated decision] include the source code of the AI System, the technical specifications used in developing the AI System, the Data Sets, technical information on how the Data Sets used in developing the AI System were obtained and edited, information on the method of development used and the development process undertaken, substantiation of the choice for a particular model and its parameters, and information on the performance of the AI System.

For the reasons above, I would argue that a clause such as that one is not at all voluntary, but a basic requirement in the procurement of AI if the contracting authority is to be able to legally discharge its obligations under EU public procurement law going forward. And given the uncertainty on the future development, integration or replacement of AI solutions at the time of procuring them, this seems an unavoidable issue in all cases of AI procurement.

Let’s see if the CJEU is confronted with a similar issue, or the need to ascertain the value of access to data as ‘pecuniary interest’ (which I think, on the basis of a different part of the ISE case, is clearly to be answered in the positive) any time soon.

Procurement recommenders: a response by the author (García Rodríguez)

It has been refreshing to receive a detailed response by the lead author of one of the papers I recently discussed in the blog (see here). Big thanks to Manuel García Rodríguez for following up and for frank and constructive engagement. His full comments are below. I think they will help round off the discussion on the potential, constraints and data-dependency of procurement recommender systems.

Thank you, Prof. Sánchez Graells, for your comments; it has been rewarding reading. Below I present my point of view, to continue taking an in-depth look at the topic.

Regarding the percentage of success of the recommender, a major initial consideration is that the recommender is generic. That is, it is not restricted to a type of contract, CPV codes, geographical area, etc. It is a recommender that uses all types of Spanish tenders, from any CPV and over 6 years (see table 3). This greatly influences the percentage of success because it is the most difficult scenario. An easier scenario would have restricted the browser to certain geographic areas or CPVs, for example. In addition, 102,000 tenders have been used in this study and, presumably, they are not enough for a search engine which learns business behaviour patterns from historical tenders (more tenders could not be used due to poor data quality).

Regarding the comment that ‘the recommender is an effective tool for society because it enables and increases the bidders participation in tenders with less effort and resources’: with this phrase we mean that the Administration can have an assistant to encourage participation (in the tenders which are negotiated with or without prior notice) or, even, one with which civil servants actively search for companies and inform those companies directly. I do not know if the public contracting laws of the European countries allow actively searching for and directly informing companies, but it would be the most efficient and reasonable approach. On the other hand, a good recommender (one that has a high percentage of accuracy) can be an analytical tool to evaluate the level of competition attracted by the contracting authorities. That is, if the tenders of a contracting authority attract very little competition but the recommender finds many potential participating companies, it means that the contracting authority can make its tenders more attractive for the market.

Regarding the comment that “It is also notable that the information of the Companies Register is itself not (and probably cannot be, period) checked or validated, despite the fact that most of it is simply based on self-declarations”: the information in the Spanish Business Register consists of the annual accounts of the companies, audited by an external entity. I do not know the auditing laws of the different countries. Therefore, I think that the reliability of the data used in our article is quite high.

Regarding the first problematic aspect that you indicate (“The first one is that the recommender seems by design incapable of comparing the functional capabilities of companies with very different structural characteristics, unless the parameters for the filtering are given such range that the basket of recommendations approaches four digits”): there will always be the difficulty of comparing companies and defining when they are similar. That analysis should be done by economists; engineers can contribute little. There is also the limitation of business data: the information in the Business Register is usually paywalled and limited to certain fields, as is the case with the Spanish Business Register. For these reasons, we recognise in the article that it is a basic approach and that the filters/rules should be modified in the future: “Creating this profile to search similar companies is a very complex issue, which has been simplified. For this reason, the searching phase (3) has basic filters or rules. Moreover, it is possible to modify or add other filters according to the available company dataset used in the aggregation phase”.

Regarding the second problematic aspect that you indicate (“The second issue is that a recommender such as this one seems quite vulnerable to the risk of perpetuating and exacerbating incumbency advantages, and/or of consolidating geographical market fragmentation (given the importance of eg distance, which cannot generate the expected impact on eg costs in all industries, and can increasingly be entirely irrelevant in the context of digital/remote delivery)”): this will not happen in the medium and long term, because the recommender will adapt to market conditions. If there are companies that win bids far away, the algorithm will include that new distance range in its search. It will always be based on the historical winning companies (and the rest of the bidders, if we have that information). You cannot ask a machine learning algorithm (the one used in this article) to make predictions not based on the previous winners and historical market patterns.

I totally agree with your final comment: “It would in my view be preferable to start by designing the recommender system in a way that makes theoretical sense and then make sure that the required data architecture exists or is created.” Unfortunately, I did not find any articles that discuss this topic. Lawyers, economists and engineers must work together to propose solid architectures. In this article we want to convince stakeholders that it is possible to create software tools such as a bidder recommender, and of the importance of public procurement data and of companies’ data in the Business Registers for its development.

Thank you for your critical review. Different approaches are needed to improve on the important topic of public procurement.

The importance of procurement for public sector AI uptake

In case there was any question on the importance and central role of public procurement for the uptake of artificial intelligence (AI) by the public sector (there wasn’t, though), two recent policy reports confirm that this is the case, at the very least in the European context.

AI Watch’s must-read ‘European landscape on the use of Artificial Intelligence by the Public Sector’ (1 June 2022) makes the point very clearly by reference to the analysis of AI strategies adopted by 24 EU Member States: ‘the procurement of AI technologies or the increased collaboration with innovative private partners is seen as an important way to facilitate the introduction of AI within the public sector. Guidance on how to stimulate and organise AI procurement by civil servants should potentially be strengthened and shared among Member States’ (at 26). Concerning guidance, the report refers to the European Commission’s supported process of developing standard contractual clauses for the procurement of AI (see here), and there is also a twin AI Watch Handbook for the adoption of AI by the public sector (25 May 2022) that includes a recommendation on procurement guidance (‘Promote the development of multilingual guidelines, criteria and tools for public procurement of AI solutions in the public sector throughout Europe‘, recommendation 2.5, and details at 34-35).

The European landscape report provides some more interesting detail on national strategies considering AI procurement adaptations.

The need to work together with the private sector in this area is repeatedly stressed. However, strategies mention that historically it has been difficult for innovative companies to work together with government authorities due to cumbersome procurement regulations. In this area, several strategies (12, 50%) [though note the table below indicates 13, rather than 12 strategies] come up with new policy initiatives to improve the procurement processes. The Spanish strategy, for example, mentions that new innovative public procurement mechanisms will be introduced to help the procurement of new solutions from the market, while the Maltese government describes how existing public procurement processes will be changed to facilitate the procurement of emerging technologies such as AI. The Dutch and Czech strategies mention that hackathons for public sector AI will be introduced to assist in the procurement of AI. Civil servants will be given training and awareness in procurement to assist them in this process, something that is highlighted in the Estonian strategy. The French strategy stresses that current procurement regulation already provides a lot of freedom for innovative procurement but that because of risk aversion present within public administrations all possibilities are not taken into consideration (at 25-26, emphasis in the original).

Own elaboration, based on Table 7 in the AI Watch report.

There is also an interesting point on the need to create internal public sector AI capabilities: “Some strategies say that the public organisations should work more together with private organisations (where the missing skillsets are present), either through partnerships or by procurement. On the one hand, this is an extremely important and promising shift in the public sector that more and more must move towards a networking perspective. In fact, the complexity and variety of skills required by AI cannot be always completely internalised. On the other hand, such partnerships and procurement still require a baseline in expertise in AI within the public sector staff to avoid common mistakes or dependency on external parties” (at 23, emphasis added).

Given the strategic importance of procurement, as well as the need to upskill the procurement workforce and to build additional AI capacity in the public sector to manage procurement processes, this is an area of research and policy that will only increase in relevance in the near and longer term.

This same direction of travel is reflected in the also recent UK's Central Digital and Data Office ‘Transforming for a digital future: 2022 to 2025 roadmap for digital and data’ (9 June 2022). One of its main aspirations is to generate ‘Significant savings by leveraging government’s combined purchasing power and reducing duplicative procurement, to shift to a “buy once, use many times” approach to technology’. This should be achieved by the horizontal promotion of ‘a “buy once, use many times” approach to technology, including by making use of a common code, pattern and architecture repository for government’. Implicitly, this will also require a review of procurement policies and practices.

Importantly—and potentially problematically—it will also raise the stakes of AI procurement, in particular if the roll-out of the ‘bought once’ technology is rushed and its negative impacts or implications can only be identified once it has already been propagated, or in relation to some implementations only. Avoiding this will require very careful AI impact assessments, as well as piloting and scalability approaches that have strong risk-management systems embedded by design.

As always, this will be an area fun to keep an eye on.

Procurement recommender systems: how much better before we trust them? -- re García Rodríguez et al (2020)

© jm3 on Flickr.

How great would it be for a public buyer if an algorithm could identify the likely best bidder/s for a contract it sought to award? Pretty great, agreed.

For example, it would allow targeted advertising of public procurement opportunities, or targeted engagement, to make sure those ‘best suited’ bidders came forward, or to start negotiations where this is allowed. It could also enable oversight bodies, such as competition authorities, to screen for odd (anti)competitive situations where well-placed providers did not bid for the contract, or only did so in worse than expected conditions. If the algorithm was flipped, it would also allow potential bidders to assess for which tenders they are particularly well suited (or not).

It is thus not surprising that there are commercial attempts being developed (eg here) and interesting research going on trying to develop such recommender systems—which, at root, work similarly to recommender systems used in e-commerce (Amazon) or digital content platforms (Netflix, Spotify), in the sense that they try to establish which of the potential providers are most likely to satisfy user needs.

An interesting paper

On this issue, on which there has been some research for at least a decade (see here), I found this paper interesting: García Rodríguez et al, ‘Bidders Recommender for Public Procurement Auctions Using Machine Learning: Data Analysis, Algorithm, and Case Study with Tenders from Spain’ (2020) Complexity Art 8858258.

The paper is interesting in the way it builds the recommender system. It follows three steps. First, an algorithm trained on past tenders is used to predict the winning bidder for a new tender, given some specific attributes of the contract to be awarded. Second, the predicted winning bidder is matched with its data in the Companies Register, so that a number of financial, workforce, technical and location attributes are linked to the prediction. Third and finally, the recommender system is used to identify companies similar to the predicted winner. Such identification is based on similarities with the added attributes of the predicted winner, which are subject to some basic filters or rules. In other words, the comparison is carried out at supplier level, not directly in relation to the object of the contract.

Importantly, such filters to sieve through the comparison need to be given numerical values and that is done manually (i.e. set at rather random thresholds, which in relation to some categories, such as technical specialism, make little intuitive sense). This would in principle allow the user of the recommender system to tailor the parameters of the search for recommended bidders.

In the specific case study developed in the paper, the filters are:

  • Economic resources to finance the project (i.e. operating income, EBIT and EBITDA);

  • Human resources to do the work (i.e. number of employees);

  • Specialised work which the company can do (based on code classification: NACE2, IAE, SIC, and NAICS); and

  • Geographical distance between the company’s location and the tender’s location.

Notably, in the case study, distance ‘is a fundamental parameter. Intuitively, the proximity has business benefits such as lower costs’ (at 8).
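
For clarity, the three-step logic and the role of the manually set filters can be sketched as follows. This is a schematic reconstruction, not the authors' code: the predictive model is stubbed out, and the register fields, company names and filter thresholds are all invented for illustration:

```python
# Schematic reconstruction of the paper's three-step recommender, under
# simplifying assumptions. Model, data and thresholds are illustrative only.

from dataclasses import dataclass

@dataclass
class Company:
    name: str
    operating_income: float  # economic resources filter
    employees: int           # human resources filter
    nace2: str               # specialisation code filter
    distance_km: float       # distance to the tender's location

def predict_winner(tender_features: dict) -> Company:
    """Step 1: a classifier trained on past tenders would go here;
    we stub it out with a fixed 'predicted winner' for illustration."""
    return Company("PredictedWinner SL", 5_000_000, 120, "42.11", 35.0)

def find_similar(winner: Company, register: list[Company],
                 income_band: float = 0.5, distance_margin_km: float = 50.0) -> list[Company]:
    """Steps 2-3: link the prediction to register attributes and filter the
    register for 'similar' companies. The thresholds are set by hand, which
    is precisely the weakness discussed above."""
    return [
        c for c in register
        if abs(c.operating_income - winner.operating_income) <= income_band * winner.operating_income
        and c.nace2 == winner.nace2
        and c.distance_km <= winner.distance_km + distance_margin_km
    ]

register = [
    Company("Alpha SA", 4_200_000, 90, "42.11", 20.0),
    Company("Beta SL", 900_000, 15, "62.01", 300.0),
]
winner = predict_winner({"cpv": "45233120", "budget": 2_000_000})
print([c.name for c in find_similar(winner, register)])  # ['Alpha SA']
```

Laid out this way, it is plain that the output depends as much on the hand-picked thresholds as on the trained model, which is the concern about 'rather random thresholds' noted above.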

The key accuracy metric for the recommender system is whether it is capable of identifying the actual winner of a contract as the likely winning bidder or, failing that, whether it is capable of including the actual winner within a basket of recommended bidders. Based on the available Spanish data, the performance of the recommender system is rather meagre.

The poor results can be seen in the two scenarios developed in the paper. In scenario 1, the training and test data are split 80:20 and the 20% is selected randomly. In scenario 2, the data is also split 80:20, but the 20% test data is the most recent one. As the paper stresses, ‘the second scenario is more appropriate to test a real engine search’ (at 13), in particular because the use of the recommender will always be ‘for the next tender’ after the last one included in the relevant dataset.
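
The difference between the two evaluation scenarios can be made concrete with a short sketch on invented, date-ordered data; the point is only to contrast a random split with a temporal one:

```python
# Illustrative contrast between the paper's two evaluation scenarios:
# a random 80:20 split versus a temporal split where the test set is
# the most recent 20% of tenders. Data are invented for illustration.

import random

tenders = [{"id": i, "year": 2014 + i // 17} for i in range(102)]  # toy, date-ordered

# Scenario 1: random split (may train on tenders that post-date test tenders)
shuffled = tenders[:]
random.Random(0).shuffle(shuffled)
cut = int(len(shuffled) * 0.8)
train_1, test_1 = shuffled[:cut], shuffled[cut:]

# Scenario 2: temporal split (mimics real use: predicting the *next* tenders)
cut = int(len(tenders) * 0.8)
train_2, test_2 = tenders[:cut], tenders[cut:]

print("scenario 1 test years:", sorted({t["year"] for t in test_1}))  # mixed years
print("scenario 2 test years:", sorted({t["year"] for t in test_2}))  # latest years only
```

The temporal split matters because a random split lets the model 'peek' at tenders that post-date some of the test tenders, inflating measured accuracy.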

For that more realistic scenario 2, the recommender has an accuracy of 10.25% in correctly identifying the actual winner, and this only rises to 23.12% if the recommendation includes a basket of five companies. Even for the less realistic scenario 1, the accuracy of a single prediction is only 17.07%, and this goes up to 31.58% for 5-company recommendations. The most accurate performance with larger baskets of recommended companies only reaches 38.52% in scenario 1, and 30.52% in scenario 2, although the much larger number of recommended companies (approximating 1,000) also massively dilutes the value of the information.
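
In machine learning terms, the metric being reported is top-k accuracy: the share of test tenders whose actual winner appears in the basket of k recommended companies. A minimal sketch, with invented data rather than the paper's:

```python
# Top-k accuracy: fraction of test tenders whose actual winner appears in
# the basket of k recommended companies. Example data are invented.

def top_k_accuracy(actual_winners: list[str], baskets: list[list[str]]) -> float:
    hits = sum(1 for winner, basket in zip(actual_winners, baskets) if winner in basket)
    return hits / len(actual_winners)

actual = ["Alpha SA", "Beta SL", "Gamma SRL"]
recommended = [
    ["Alpha SA", "Delta SA"],   # hit
    ["Epsilon SL", "Zeta SA"],  # miss
    ["Gamma SRL", "Alpha SA"],  # hit
]
print(f"top-2 accuracy: {top_k_accuracy(actual, recommended):.0%}")  # 67%
```

On this metric, the reported top-5 accuracy of 23.12% means that, for roughly three out of four test tenders, the actual winner does not appear in the basket at all.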

Comments

So, with the available information, the best performance of the recommender system gives about a 1 in 10 chance of correctly identifying the most suitable provider, or a 1 in 5 chance of having it included in a basket of 5 recommendations. Put the other way, the best performance of the realistic recommender is that it fails to identify the actual winner of a tender 9 out of 10 times, and it still fails 4 out of 5 times when it is given five chances.

I cannot say how this compares with non-automated searches based on looking at relevant company directories, other sources of industry intelligence or even the anecdotal experience of the public buyer, but these levels of accuracy could hardly justify the adoption of the recommender.

In that regard, the optimistic conclusion of the paper (‘the recommender is an effective tool for society because it enables and increases the bidders participation in tenders with less effort and resources’ at 17) is a little surprising.

The discussion of the limitations of the recommender system sheds some more light:

The main limitation of this research is inherent to the design of the recommender’s algorithm because it necessarily assumes that winning companies will behave as they behaved in the past. Companies and the market are living entities which are continuously changing. On the other hand, only the identity of the winning company is known in the Spanish tender dataset, not the rest of the bidders. Moreover, the fields of the company’s dataset are very limited. Therefore, there is little knowledge about the profile of other companies which applied for the tender. Maybe in other countries the rest of the bidders are known. It would be easy to adapt the bidder recommender to this more favourable situation (at 17).

The issue of the difficulty of capturing dynamic behaviour is well put. However, there are more problems (below), and the disclosure of other participants in the tender would not straightforwardly benefit the accuracy of the recommender system, unless there were disclosure not only of the other bidders but also of the full evaluations of their tenders, which is an unlikely scenario in practice.

There is also the unaddressed issue of whether it makes sense to compare the specific attributes selected in the study (mostly, it does not), as their selection is driven by the available data rather than by their relevance.

What is ultimately clear from the paper is that the data required for the development of a useful recommender is simply not there, either at all or with sufficient quality.

For example, it is notable that, due to data quality issues, the database of past tenders shrinks from 612,090 recorded to 110,987 usable tenders, which further shrink to 102,087 due to additional quality issues in matching the tender information with the Companies Register.
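
A hypothetical reconstruction of that attrition, assuming the quality issues amount to missing key fields and failed matches (the column names are my own):

```python
# Hypothetical reconstruction of the reported data attrition: 612,090 recorded
# tenders -> 110,987 after quality filtering -> 102,087 after matching against
# the Companies Register (assumed to be indexed by company id).
import pandas as pd


def clean_and_match(tenders: pd.DataFrame, register: pd.DataFrame) -> pd.DataFrame:
    usable = tenders.dropna(subset=["winner_id", "budget", "cpv_code"])
    return usable.merge(register, left_on="winner_id", right_index=True, how="inner")
```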

It is also notable that the information of the Companies Register is itself not (and probably cannot be, period) checked or validated, despite the fact that most of it is simply based on self-declarations. There is also an issue with the lag with which information is included and updated in the Companies Register—e.g. under Spanish law, company accounts for 2021 will only have to be registered over the summer of 2022, which means that a use of the recommender in late 2022 would be relying on information that is already a year old (as the paper itself hints, at 14).

And I also have the inkling that recommender systems such as this one would be problematic in at least two respects, even if all the necessary data were available.

The first one is that the recommender seems by design incapable of comparing the functional capabilities of companies with very different structural characteristics, unless the filtering parameters are given such a wide range that the basket of recommendations approaches four digits. For example, even if two companies were the closest ones in terms of their specialist technical competence (even if captured only by the very coarse and in themselves problematic codes used in the model)—which seems to be the best proxy for identifying suitability to satisfy the functional needs of the public buyer—they could significantly differ in everything else, especially if one of them is a start-up. Whether the recommender would put both in the same basket (of a useful size) is an empirical question, but it seems extremely unlikely.

The second issue is that a recommender such as this one seems quite vulnerable to the risk of perpetuating and exacerbating incumbency advantages, and/or of consolidating geographical market fragmentation (given the importance of eg distance, which cannot generate the expected impact on eg costs in all industries, and can increasingly be entirely irrelevant in the context of digital/remote delivery).

So, all in all, it seems like the development of recommender systems needs to be flipped on its head if data availability is driving design. It would in my view be preferable to start by designing the recommender system in a way that makes theoretical sense and then make sure that the required data architecture exists or is created. Otherwise, the adoption of suboptimal recommender systems would not only likely generate significant issues of technical debt (for a thorough warning, see Sculley et al, ‘Hidden Technical Debt in Machine Learning Systems’ (2015)), but also risk significantly worsening the quality (and effectiveness) of procurement decision-making. And any poor implementation in ‘real life’ would deal a severe blow to the prospects of sustainable adoption of digital technologies to support procurement decision-making.

UK Procurement Bill, general principles and additivity -- why there is no such risk


Those following the commentary on the UK Procurement Bill will have noticed the discussions concerning the absence of a clause on the general principles of procurement [see e.g. K McGaughey, ‘Losing your principles – some early thoughts on the Procurement Bill’ (13 May 2022) http://shorturl.at/tFJP2]. In fact, there is already a proposed amendment by Baroness Hayman seeking to introduce the principles as initially envisaged in the green paper, which risks losing the additions that resulted from the public consultation. However, it is not certain that the amendment will make it to the final version of the future Act. One of the reasons behind resisting the inclusion of general principles seems to be a concern by legislative drafters that it would generate additivity — which I understand as the risk of creating self-standing obligations beyond those explicitly imposed by the specific provisions of the primary (and future secondary) legislation.

In my view, the inclusion of general principles cannot generate such a risk of additivity, as the role and function of those principles is to act as interpretive guides for the provisions in the legislation. They can hardly be seen as gap fillers or generators of self-standing obligations. Conversely, the absence of such general principles can be problematic, not only for creating a vacuum of interpretive guidance, but also for seemingly signalling a deviation from global standards.

Below are the reasons why I think the general principles of procurement, and in particular those of transparency and competition, should be included in an amended Bill before it completes its Parliamentary procedure.

General principles as global standards

Transparency and competition are crucial and intertwined general principles and/or goals in every procurement legislative framework. However, both are missing from the Procurement Bill, which thus lags behind international standards and best practice.

The fundamental importance of transparency and competition is recognised at the highest level of international legislation, starting with the United Nations Convention Against Corruption (UNCAC), Article 9(1) of which explicitly requires signatory States (including the UK) to ‘take the necessary steps to establish appropriate systems of procurement, based on transparency, competition and objective criteria in decision-making, that are effective, inter alia, in preventing corruption’.

The same applies to the World Trade Organisation Government Procurement Agreement (WTO GPA), which explicitly links to UNCAC and translates its requirements into Art IV(4), binding its parties (including the UK) to ensure that ‘A procuring entity shall conduct covered procurement in a transparent and impartial manner that: a) is consistent with this Agreement, using methods such as open tendering, selective tendering and limited tendering; b) avoids conflicts of interest; and c) prevents corrupt practices’.

There should thus be no question that the UK is bound under international law to ensure that its procurement is based on principles of transparency, competition and objectivity.

The UNCITRAL Model Law on public procurement also places transparency as a general goal amongst the overarching objectives of any domestic legislation enacting it. The preamble clearly sets out that the enacting State: ‘considers it desirable to regulate procurement so as to promote the objectives of: … (c) Promoting competition among suppliers and contractors for the supply of the subject matter of the procurement; … [and] (f) Achieving transparency in the procedures relating to procurement.’ Even if the Procurement Bill is not enacting the UNCITRAL Model Law, it can reasonably be expected to meet the best practices it highlights, not least because this is a benchmark that will be used to assess the quality of the UK procurement legislation post-reform.

Inclusion of the principle of transparency in the Bill

The intended inclusion of a principle/goal of transparency was clear in the Transforming Public Procurement Green Paper of December 2020 (para 27), and there was no indication of a change of position in the government’s response to the public consultation in December 2021 (para 33). Moreover, the response clarified that ‘The transparency principle previously proposed will set a minimum standard in terms of the quality and accessibility of information where there is a publication obligation elsewhere in the Bill’ (para 35).

The inclusion of an explicit principle of transparency was thus not meant to (or arguably capable of) generating additional self-standing obligations, but simply to establish an interpretive guideline in line with international obligations and best practice benchmarks. If there are concerns that the principle can in itself generate additivity over and above the specific transparency obligations in the Bill, it should be stressed that the existence of an explicit principle of transparency in the Public Contracts Regulations 2015 (reg.18(1)) has not led to an expansion of the transparency duties under the current regime. To the contrary, where such expansion has arguably taken place, it has been on the basis of common law doctrines (see e.g. R (Good Law Project & Others) v Secretary of State for Health and Social Care [2021] EWHC 346 (Admin) [at 132 ff]). 

Moreover, there are safeguards in the Bill preventing a maximalist interpretation of transparency requirements. Clause 85 (General exemptions from duties to publish or disclose information) affords the government the possibility to withhold information for specific purposes. This would thus ensure that there is no risk of additivity from the inclusion of a general principle dictating that data should be made transparent.

The inclusion of the principle of transparency has been supported by the entire spectrum of academic commentators, including those of a pro-deregulation persuasion (e.g. S Arrowsmith ‘Transforming Public Procurement Law after Brexit: Early Reflections on the Government’s Green Paper’ (Dec 2020) at 4). I have also stressed how, in the absence of a reform of e.g. the Freedom of Information Act 2000, the inclusion of a transparency principle will not generate meaningful practical changes to the existing disclosure obligations (e.g. A Sanchez-Graells, ‘The UK’s Green Paper on Post-Brexit Public Procurement Reform: Transformation or Overcomplication?’ (Jan 2021) at 6).

Inclusion of the principle of competition in the Bill

The principle of competition was not included in the Transforming Public Procurement Green Paper of December 2020. However, following submissions by the Competition and Markets Authority and commentators such as myself (see here for details), the government’s response to the public consultation of December 2021 indicated in unambiguous terms that ‘We will introduce an additional objective of promoting the importance of open and fair competition that will draw together a number of different threads in the Green Paper that encourage competitive procurement’ (para 39).

The inclusion of an explicit principle of competition was thus also not meant to (or arguably capable of) generating additional self-standing obligations, but simply to establish an interpretive guideline in line with international obligations and best practice benchmarks. Similarly to the analysis above in relation to the principle of transparency, the existence of a principle of competition (or a narrower prohibition on the artificial narrowing of competition, as others interpret it) can hardly be seen as capable of generating self-standing obligations (for discussion, see A Sanchez-Graells, ‘Initial comments on the UK’s Procurement Bill: A lukewarm assessment’ (May 2022) 7).

Even where recent UK case law has derived obligations from general principles (R (Good Law Project and EveryDoctor) v Secretary of State for Health and Social Care [2022] EWHC 46 (TCC)), the obligations did not derive from the principle of competition, or the other principles (especially equal treatment) themselves, but from an essentialisation of the general requirements of procurement leading to the identification of ‘an irreducible minimum standard of objective fairness that applies to such procurements, even in the absence of open competition’ (at para 334, see my criticism here). As above, this does not point to an additivity risk resulting from the general principle of competition, but rather from broader judicial considerations of the proper way in which procurement needs to be conducted.

It is worth reiterating that the importance of the inclusion of the principle of competition in the Bill was underlined by the Competition and Markets Authority, in particular in relation to its interaction with the principle of transparency: ‘Transparency can play a vital role in effective public procurement by dispelling perceptions of favouritism and maintaining trust in the procurement process – which in turn encourages competitors to contest the market. However, higher levels of transparency can also make collusion between bidders easier to sustain ... The CMA considers it essential that public procurement officials are aware of the link between collusion and transparency and report any suspicious activity by suppliers to the CMA. … The CMA proposes that … the new regulatory framework for public procurement should include a further principle of ‘effective competition’: Effective competition - procurement should promote healthy, competitive markets, which in turn drive better value for money and reduce the risk of illegal bid-rigging cartel.’ (at paras 3.2 and 3.3).

The inclusion of the principle of transparency thus needs to be twinned with the introduction of the principle of competition (for discussion of the interaction between the triad of overarching principles of competition, transparency, and integrity, see Steve Schooner, ‘Desiderata: Objectives for a System of Government Contract Law’ (March 2002) 3 ff).

Implications and final thoughts 

Given the UK’s international commitments and the universal recognition of the importance of enshrining the general principles of transparency and competition in procurement legislation, their absence in the Procurement Bill can:

  1. generate doubts as to the intended transparency and pro-competition orientation of the system—which could be used e.g. in the context of the WTO GPA by trading partners seeking to raise issues with the UK’s position in the agreement; as well as

  2. push for a pro-competition and/or transparency-regarding interpretation of other general goals included in the Bill and, in particular, the ones in clause 11(1)(a) of ‘delivering value for money’, clause 11(1)(c) of ‘sharing information for the purpose of allowing suppliers and others to understand the authority’s procurement policies and decisions’, and clause 11(1)(d) of ‘acting, and being seen to act, with integrity’. Such interpretation could, coupled with common law doctrines and other precedent (as above), generate additional (self-standing) obligations in a way that the more generic principles of transparency and competition may not. And, even if they did, there would be no risk of additivity compared to the original text of the Bill.

There is thus no clear advantage to the omission of the principles, whereas their explicit inclusion would facilitate alignment of the Procurement Bill with the international standards and regulatory benchmarks it will be assessed against. The explicit inclusion of the principles of transparency and competition is thus the preferable regulatory approach.

In my view, the easiest way of ensuring the introduction of both principles would be to alter the amendment proposed by Baroness Hayman as follows (with bold indicating changes or additions):

After Clause 10

BARONESS HAYMAN OF ULLOCK

Insert the following new Clause

“Procurement principles

(1) In carrying out a procurement, a contracting authority must pursue the following principles—

(a) [omit]
(b) value for money, by having regard to the optimal whole-life blend of economy, efficiency and effectiveness that achieves the intended outcome of the business case,
(c) transparency, by acting openly to underpin accountability for public money, anti-corruption and the effectiveness of procurements,
(d) integrity, by providing good management, preventing misconduct, and control in order to prevent fraud and corruption,
(e) equal treatment of suppliers, by ensuring that decision-making is impartial and without conflict of interest,
(f) non-discrimination, by ensuring that decision-making is not discriminatory, and
(g) effective competition, by ensuring that procurement does not artificially narrow competition for a specific contract, promotes healthy, competitive markets, and reduces the risk of illegal bid-rigging cartels.”

As there is no good reason why a contracting authority should not be able to act in accordance with those principles, I would advocate for a deletion of the second paragraph of the amendment as proposed.

Law, technology and broad socio-legal considerations -- re Schrepel (2022)


I have just read T Schrepel’s ‘Law + technology’, whose main premise is that the ‘classical approach to “law & technology” focuses on harms created by technology … [whereas] another approach dubbed “law + technology” can better increase the common good … [because it can] consider both the issues and positive contributions technology brings to society’, with ultimately the ‘goal … to address the negative ramifications of technology while leveraging its positive regulatory power’ (at 1). This leads to the claim that ‘“law + technology” can further increase the common good than a classical “law & technology” approach because it better preserves technology that regulates society in ways legal rules and standards cannot’ (at 3).

This is a weird paper and another exercise in creative labelling (or clickbait) by the author (see other notable examples, such as ‘Antitrust without Romance’). The creative labelling starts with the term ‘classical “law & technology”’ itself, as the author notes: ‘Not all scholars that use the label “law & technology” recognize themselves in the meaning I attribute to the label in this article. I, nonetheless, assign a specific meaning to the label “law & technology” to highlight the differences between the dominant legal approach to technology and the one … propose[d] in this article’ (fn 2). The creative labelling exercise is completed by the artificial use of “law + technology” as a distinguishing label. I wonder how one could appreciate the (non-visual) differences if the argument were made without written support (unless one is given the clue that it should be read as ‘law plus technology’, see fn 87) …

More importantly, the distinction (and the paper in general) is artificial and far overshoots the mark of making the much simpler points that the regulation of technology needs to be underpinned by proper impact assessments (at 15-16), allow for iteration or incrementalism, in particular in relation to immature technologies (at 17), and follow a certain element of proportionality to constrain e.g. the application of the precautionary principle, where too stringent legal rules could deprive society of beneficial technological advances without materially impinging on superior socio-legal values—which is what I think the author actually says on substance in the paper.

The paper thus does not really deviate from the criticised ‘classical “law & technology”’ approach, as it also recognises the two main issues: that certain socio-legal values (should) weigh more than technological innovation, and that such weighing needs to pay attention to the different (positive and negative) impacts.

In fact, the clear superiority of legally-protected values or interests is seemingly acknowledged in the paper, as it submits that ‘When law and technology present irreconcilable interests, the law must prevail in a rule of law system’ (fn 13)—even if this is then muddied in the promotion of a ‘Darwinian take on regulating technology’ that should seek not to eliminate a technology’s distinguishing features even if they breach such higher level socio-legal values (such as eg the fundamental right to an effective remedy) (at 7), or the statement that ‘When legal rules reduce technology’s chances of survival, policymakers and regulators deny one of “law + technology” two pillars. The “law + technology” approach thus requires considering different methods’ (at 17-18). Therefore, the extent to which the paper either really upholds the superiority of certain socio-legal values or, conversely, takes a more technology-centric approach is ultimately unclear (but that lack of clarity is in itself evidence of the limited deviation from the criticised approach, if any).

Similarly, the main focus on (obscurely) advocating for a regulatory approach that ceteris paribus (and only ceteris paribus) allows for a higher level of socio-technological benefits is also tucked away, but present, in the statement that ‘Under a “law & technology” approach, regulators are not comparing the effect of different intervention methods on the positive ramification of technology. They are not in a position to balance the effectiveness of the rule and its effect on the technology. Regulators may choose a regulation with comparable efficiency to others but a more negative impact on the technology’ (fn 14). Here the paper seems to simply insist on a comprehensive impact assessment, which should capture any losses derived from restrictions or prohibitions concerning the use of a given technology. This is, however, obscured by the proposal of an ‘EM ratio’ as some sort of mathematical formalisation (see fn 81) of what is simply a proportionality assessment that will almost never be susceptible to quantitative reductionism, which glosses over the impossibility of directly comparing some of the potential positive and negative impacts as they affect different socio-legal values, some of them with specific (constitutional) protection.

Overall, creative labelling aside, the paper seems to make two relatively uncontroversial statements that are also not new. Technology can facilitate legal compliance, and law and regulation should not disproportionately stifle technological innovation. So far, so good.

The labelling is still highly problematic, though, especially as it carries the risk (or intent?) of sullying ‘law and technology’ scholarship as partial or unnecessarily biased in a pro-interventionist manner. So the labelling deserves some further scrutiny.

From where I stand, it is almost impossible to assign specific meaning to “law and technology” as a field, as the interaction between law and technology can be and is being assessed from a wide-ranging and diverse set of perspectives (see e.g. the very interesting political economy approach by Julie E. Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism (OUP, 2019); or the explicit consideration of blockchain as a regulatory technology by Michèle Finck, Blockchain Regulation and Governance in Europe (CUP, 2018)). More importantly, the main hypothesis or postulate of the paper, i.e. that ‘technology and law can better increase the common good together than in a silo’ (at 4) ignores the fact that the mutual interdependence and interaction between technology and law is very much at the core of the political economy analysis of what the paper would term ‘classic “law and technology”’, as lucidly articulated by Cohen (above, 1-2).

It is also difficult to support a statement attributing to such (deemed) ‘classical’ approach to “law & technology” a one-way consideration of potential negative impacts of technologies only—unless one ignores all work on e.g. SupTech, or automated compliance; or one is blind to the fact that the balance of interests and potential impingement of rights that triggers regulatory and legislative intervention cannot result from a mere cost-benefit analysis that allows trade-offs that imply e.g. violations of fundamental rights or essential protections in consumer, labour or data privacy as key elements of the legal system. The author seems reluctantly aware of this, although the paper quickly discounts it in stressing that: ‘To be sure, the positive ramifications of technology are sometimes mentioned under “law & technology,” but they are excluded from the analytical scope when tackling the negative ramifications. In short, “law & technology” expresses at best an “on-the-one-hand-on-the-other-hand-ism,” but it fails to connect both positive and negative aspects’ (at 2-3).

Simply put, the premises of the paper are highly questionable and generate a caricature of ‘law and technology’ scholarship that is too far removed from reality.

Moreover, the use of unnecessarily flashy terms (e.g. Darwinian take on regulation, based on complexity theory, when what the author means is very close to systems thinking; or the formulation of an ‘EM ratio’ to refer to what is simply a proportionality assessment) is pervasive in the paper and cannot really mask the limited originality of thought underpinning the arguments.

Overall, I think this is not a helpful contribution to the debate and I hope not much time will be lost on labelling a field where the key regulatory challenges are otherwise well understood (if difficult to tackle).

Initial comments on the UK's Procurement Bill: A lukewarm assessment

Having read the Procurement Bill, its Impact Assessment and the Explanatory Notes, I have some initial comments, which I have tried to articulate in a working paper.

In the paper I offer some initial comments on the Bill and related documents, including: (i) the economic justification in its impact assessment; (ii) some general comments on legislative technique and the quality of the Bill and its Explanatory Notes; (iii) some observations on what may have not been carried over from the Transforming Public Procurement consultation and government response; (iv) a mapping of important aspects of procurement regulation that the Bill does not cover and will thus have to wait for secondary legislation and/or guidance; (v) some general considerations on the unclear impact of different wording for ‘terms of art’, including their interpretation; and (vi) fifty selected issues I have spotted in my first reading of the Bill. I close with some considerations on the difficulty of ensuring a sufficient fix along the legislative process.

In case of interest, the paper can be downloaded here: https://ssrn.com/abstract=4114141.

More than ever, this is work in progress and I would be grateful for any feedback or discussion: a.sanchez-graells@bristol.ac.uk.

Not a hot take on the UK's Procurement Bill

As anticipated, the UK Government has moved at tremendous speed to introduce the Procurement Bill for Parliamentary passage. The text of the Bill as introduced, and information on the Parliamentary process, are available here.

The Procurement Bill comprises 116 sections and 11 schedules, and it will take some careful reading to identify how the Bill:

  • meets the UK’s international commitments under the WTO GPA, the EU-UK TCA, and other FTAs with procurement chapters;

  • deviates from the current EU-derived Public Contracts Regulations 2015, and the rest of the regulations transposing EU procurement law;

  • embeds the key changes resulting from the Transforming Public Procurement consultation — which will also largely depend on secondary legislation and guidance yet to be published;

  • generates potential interpretative issues that could be ironed out through the Parliamentary procedure; and

  • is likely to work out in practice to deliver the ambitious goals of the UK Government.

So this is not material suitable for a hot take. Sorry to disappoint! I will try to publish a more considered view by the end of the month, although it may take longer… For now, happy reading of the Bill.

UK procurement law reform: Queen's Speech update


The post-Brexit de/re/regulation of public procurement in the UK requires legislative reform to create the new overarching framework supporting the policy and regulatory changes described in the 2020-21 Transforming Public Procurement public consultation (see here and here).

However, finding Parliamentary time to take the process forward has proved difficult. A Procurement Bill was initially announced in the 2021 Queen’s Speech, but was not introduced in the last Parliamentary session. This delayed the timeline for the entry into force of the new procurement regime, which the Government’s response to the public consultation considered ‘unlikely to come into force until 2023 at the earliest’.

In April 2022, the Government confirmed that it would be introducing the Procurement Bill for the coming session, and this was also considered a clear possibility in recent Parliamentary briefings and by quasi-insider commentators.

Today’s 2022 Queen’s Speech has reiterated that ‘Public sector procurement will be simplified to provide new opportunities for small businesses’.

What does this mean for the timeline of UK procurement law reform?

Unfortunately, this is not entirely clear. Or, as you would expect from a lawyer, the answer is that it depends.

First, because a Bill being announced in the Queen’s Speech does not guarantee that it will be effectively introduced, as we saw in the 2021 session (although this may have had to do with the large volume of responses to the public consultation, which made the process more protracted and could have had a knock-on effect on the Cabinet Office team’s bandwidth to work on the Procurement Bill itself). The likelihood of the Bill being effectively introduced is hard to guess, as the 2022 Queen’s Speech also included proposed legislation to tackle quite a few urgent challenges with electoral tags clearly attached to them (eg cost of living crisis), as well as controversial constitutional reform bills that, by themselves, could take up most Parliamentary time—especially if there is extended ping-pong with the House of Lords, as one would hope.

Second, because the Procurement Bill has been announced as part of the ‘Brexit Package’ in the Queen’s Speech, together with the Brexit Freedoms Bill, as well as the reform of the Data Protection Bill, and the Financial Services Bill. It will be interesting to see if there is internal competition for Parliamentary time within this group of Brexit-related Bills. If that is the case, I would not be surprised if the Procurement Bill was put on the back burner again, especially if the Government is aware of the limited practical changes that a new Procurement Bill can deliver in terms of one of their main political promises linked to procurement: a (sort of) Buy British procurement policy.

However, there are also indications that the procurement reform team within Cabinet Office is pushing hard for advances in procurement reform. On 29 April 2022, the UK Government published a new programme website where it states that ‘New legislation is introducing a reformed public procurement regime that will come into effect in 2023’ (emphasis added, and note the change of wording compared to ‘unlikely … until 2023 at the earliest’ above — unless there are different intended meanings between ‘entry into force’ and ‘entry into effect’ — one for legal drafting aficionados…). A few job ads linked to the rollout of the training programme supporting the transition to the new regime have also been published, so investment in this area seems to have started to materialise (though I could not find details).

If there is indeed a push, and given that the Government has committed to giving a minimum of 6 months’ notice before the new regime goes live, the Procurement Bill should receive Royal Assent by the end of June 2023 at the latest, if the 2023 deadline is to be met (in extremis). Based on the outcome of the public consultation, the likely approach will be to have a minimalistic, bare-bones legislative instrument twinned with voluminous guidance. Therefore, the Procurement Bill can be expected to be relatively short.

However, it will include some controversial issues and, as above, it will be competing for limited Parliamentary time — and perhaps appetite for and attention to highly technical legislation. If the Government wants to have the new system in place at the end of 2023 (or even 1 Jan 2024, or early April 2024 to match the fiscal year …), the Procurement Bill should be introduced sooner rather than later.

Therefore, we may be about to enter a rather intense 12-month period of discussion (and public scrutiny) of the more definite plans for UK public procurement law reform. Watch this space.