Procurement conferences & webinars: dates for the diary

Before your agenda fills up for the coming Spring and Summer, consider putting the following dates on your diary. These are all events where I will be participating. It would be lovely to have a chance to meet (again).

25-26 April 2023 - Public Procurement Conference – Centralization and new trends. Organised by Prof Carina Risvig Hamer and held at the Law Faculty of the University of Copenhagen. It promises to provide two full days of discussions on emerging and challenging procurement governance issues.

27 April 2023 - PhD Conference in Public Procurement & Competition Law. Also organised by Prof Carina Risvig Hamer and Magdalena Socha, and held at the Law Faculty of the University of Copenhagen. A good opportunity for PhD students to present work-in-progress and receive feedback, and for everyone to have a grasp of where emerging research is leading.

23 May 2023 - Can Procurement Be Used to Effectively Regulate AI? [Webinar online] 2pm UK / 3pm CET / 9am EST. This will be a panel discussion co-organised by the University of Bristol Law School and The George Washington University Law School, as part of my current research project on digital technologies and procurement governance [further details to be announced soon].

4 July 2023 - AI and Public Governance Commercialisation: What Role for Public Procurement? [Public lecture, in person]. Bristol, UK 2pm (followed by coffee and cake reception). This will be a lecture to mark the end of my research project, where I will pick out some of the main themes and findings [recording available online thereafter].

Micro-purchases as political football? -- some thoughts on the UK's GPC files and needed regulatory reform

The issue of public micro-purchases has just gained political salience in the UK. The opposition Labour party has launched a dedicated website and an aggressive media campaign calling citizens to scrutinise the use of government procurement cards (GPCs). The analysis revealed so far and the political spin being put on it question the current government’s wastefulness and whether ‘lavish’ GPC expenses are adequate and commensurate with the cost of living crisis and other social pressures. Whether this will yield the political results Labour hopes for is anybody’s guess (I am sceptical), but this is an opportunity to revisit GPC regulation and to action long-standing National Audit Office recommendations on transparency and controls, as well as to reconsider the interaction between GPCs and procurement vehicles based on data analysis. The political football around the frugality expected of a government in times of economic crisis should not obscure the clear need to strengthen GPC regulation in the UK.

Background

GPCs are debit or credit cards that allow government officials to pay vendors directly. In the UK, their issue is facilitated by a framework agreement run by the Crown Commercial Service. These cards are presented as a means to accelerate payment to public vendors (see eg current UK policy). However, their regulatory importance goes beyond their providing an (agile) means of payment, as they generate the risk of public purchases bypassing procurement procedures. If a public official can simply interact with a vendor of their choice and ‘put it on the card’, this can be a way to funnel public funds and engage with direct awards outside procurement procedures. There is thus a clear difference between the use of GPCs within procurement transactions (eg to pay for call-offs within a pre-existing framework agreement) and their use instead of procurement transactions (eg a public official buying something off your preferred online retailer and paying with a card).

Uses within procurement seem rather uncontroversial and the specific mechanism used to pay invoices should be driven by administrative efficiency considerations. There are also good reasons for (some) government officials to hold a GPC to cover the types of expenses that are difficult to procure (eg those linked to foreign travel, or unavoidably ‘spontaneous’ expenses, such as those relating to hospitality). In those cases, GPCs substitute for either the need to provide officials with cash advances (and thus create much sounder mechanisms to control the expenditure, as well as avoiding the circulation of cash with its own corruption and other risks), or to force them to pay in advance from their private pockets and then claim reimbursement (which can put many a public sector worker in financial difficulties, as eg academics know all too well).

The crucial issue then becomes how to control the expenditure under the GPCs and how to impose limits that prevent the bypassing of procurement rules and existing mechanisms. From this perspective, procurement cards are not a new phenomenon at all, and the challenges they pose from a procurement and government contracting perspective have long been understood and discussed—see eg Steven L Schooner and Neil S Whiteman, ‘Purchase Cards and Micro-Purchases: Sacrificing Traditional United States Procurement Policies at the Alter of Efficiency’ (2000) 9 Public Procurement Law Review 148. The UK’s National Audit Office (NAO) also carried out an in-depth investigation and published a report on the issue in 2012.

The regulatory and academic recommendations seeking to ensure probity and value for money in the use of GPCs as a (procurement) mechanism generally address three issues: (1) limits on expenditure, (2) (internal) expenditure control, and (3) expenditure transparency. I would add a fourth issue, which relates to (4) bypassing existing (or easy to set up) procurement frameworks. It is worth noting that the GPC files report provides useful information on each of these issues, all of which requires rethinking in the context of the UK’s current process of reforming procurement law.

Expenditure limits

The GPC files show how there are three relevant value thresholds: the threshold triggering expenditure transparency (currently £500), the maximum single transaction limit (currently £20,000, which raised the pre-pandemic £10,000), and the maximum monthly expenditure (currently £100,000, which raised the pre-pandemic limits if they were lower). It is worth assessing these limits from the perspective of their interaction with procurement rules, as well as broader considerations.

The first consideration is that the £500 threshold triggering expenditure transparency has remained fixed since 2011. Given a cumulative inflation of close to 30% in the period 2011-2022, this means that the threshold has constantly been lower in comparative purchase parity. This should make us reconsider the relevance of some of the findings in the GPC files. Eg the fact that, within its scope, there were ‘65,824 transactions above £500 in 2021, compared to 35,335 in 2010-11’ is not very helpful. This raises questions on the adequacy of having a (fixed) threshold below which expenditure is not published. While the NAO was reluctant to recommend full transparency in 2011, it seems that the administrative burden of providing such transparency has massively lowered in the intervening period, so this may be the time to scrape the transparency threshold. As below, however, this does not mean that the information should be immediately published in open data (as below).

The single transaction limit is the one with the most relevance from a procurement perspective. If a public official can use a GPC for a value exceeding the threshold of regulated procurement, then the rules are not well aligned and there is a clear regulatory risk. Under current UK law, central government contracts with a value above £12,000 must be advertised. This would be kept as the general rule in the Procurement Bill (clause 86(4)), unless there are further amendments prior to its entry into force. This evidences a clear regulatory risk of bypassing procurement (advertising) obligations through GPC use. The single transaction limit should be brought back to pre-pandemic levels (£10,000) or, at least, to the value threshold triggering procurement obligations (£12,000).

The maximum monthly expenditure should be reassessed from an (internal) control perspective (as below), but the need to ensure that GPCs cannot be used to fraction (above threshold) direct awards over short periods of time should also be taken into consideration. From that perspective, ensuring that a card holder cannot spend more than eg £138,760 in a given category of goods or services per month (which is the relevant threshold under both current rules and the foreseen Procurement Bill). Current data analytics in basic banking applications should facilitate such classification and limitation.

(internal) expenditure controls

The GPC files raise questions not only on the robustness of internal controls, but also on the accounting underpinning them (see pp 11-12). Most importantly, there seems to be no meaningful internal post-expenditure control to check for accounting problems or suspected fraudulent use, or no willingness to disclose how any such mechanisms operate. This creates expenditure control opacity that can point to a big governance gap. Expenditure controls should not only apply at the point of deciding who to authorise to hold and use a GPC and up to which expenditure limit, but also (and perhaps more importantly), to how expenditure is being carried out. From a regulatory theory perspective, it is very clear that the use of GPCs is framed under an agency relationship and it is very important to continuously signal to the agent that the principal is monitoring the use of the card and that there are serious (criminal) consequences to misuse. As things stand, it seems that ex post internal controls may operate in some departments (eg those that report recovery for inappropriately used funds) but not (effectively) in others. This requires urgent review of the mechanisms of pre- and post-expenditure control. An update of the 2012 NAO report seems necessary.

Expenditure transparency

The GPC files (pp 10-11) show clear problems in the implementation of the policy of disclosing all expenditure in transactions exceeding £500, which should be published published monthly, 2 months in arrears, despite (relatively clear) guidance to that effect. In addition to facilitating the suppression of the transparency threshold, developments in the collection and publication of open data should also facilitate the rollout of a clear plan to ensure effective publication without the gaps identified in the GPC files (and other problems in practice). However, this is also a good time to carefully consider the purpose of these publications and the need to harmonise them with the publication of other procurement information.

There are conflicting issues at hand. First, the current policy of publishing 2 months in arrears does not seem justified in relation to some qualified users of that information, such as those with an oversight role (or fraud investigation powers). Second, in relation to the general public, publication in full of all details may not be adequate within that time period in some cases, and the publication of some information may not be appropriate at all. There are, of course, intermediate situations, such as data access for journalists of research academics. In relation to this data, as well as all procurement data, this is an opportunity to create a sophisticated data-management architecture that can handle of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions (see here and here).

bypassing procurement frameworks

A final consideration is that the GPC files evidence a risk that GPCs may be used in ways that bypass existing procurement frameworks, or in ways that would require setting up new frameworks (or other types of procurement vehicle, such as dynamic purchasing systems). The use of GPCs to buy goods off Amazon is the clearest example (see pp 24-25), as there is nothing in the functioning of Amazon that could not be replicated through pre-procured frameworks supported by electronic catalogues. In that regard, GPC data should be used to establish the (administrative) efficiency of creating (new) frameworks and to inform product (and service) selection for inclusion therein. There should also be a clear prohibition of using GPCs outside existing frameworks unless better value for money for identical products can be documented, in which case this should also be reported to the entity running the relevant framework (presumably, the Crown Commercial Service) for review.

Conclusion

In addition to discussions about the type and level of expenditure that (high-raking) public officials should be authorised to incur as a political and policy matter, there is clearly a need and opportunity to engage in serious discussions on the tightening of the regulation of GPCs in the UK, and these should be coordinated with the passage of the Procurement Bill through the House of Commons. I have identified the following areas for action:

  • Suppression of the value threshold triggering transparency of specific transactions, so that all transactions are subjected to reporting.

  • Coordination of the single transaction threshold with that triggering procurement obligations for central government (which is to also apply to local and other contracting authorities).

  • Coordination of the maximum monthly spend limit with the threshold for international advertising of contract opportunities, so that no public official can spend more than the relevant amount in a given category of goods or services per month.

  • Launch of a new investigation and report by NAO on the existing mechanisms of pre- and post-expenditure control.

  • Creation of a sophisticated data-management architecture that can handle of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions. This needs to be in parallel or jointly with proposals under the Procurement Bill.

  • There should also be a clear prohibition of using GPCs outside existing frameworks unless better value for money for identical products can be documented. GPC data should be used to inform the creation and management of procurement frameworks and other commercial vehicles.

Regulating public and private interactions in public sector digitalisation through procurement

As discussed in previous entries in this blog (see here, here, here, here or here), public procurement is progressively being erected as the gatekeeper of the public interest in the process of digital technology adoption by the public sector, and thus positioned as digital technology regulator—especially in the EU and UK context.

In this gatekeeping role, procurement is expected to ensure that the public sector only acquires and adopts trustworthy technologies, and that (private) technology providers adhere to adequate technical, legal, and ethical standards to ensure that this is the case. Procurement is also expected to operate as a lever for the propagation of (soft) regulatory tools, such as independently set technical standards or codes of conduct, to promote their adoption and harness market dynamics to generate effects beyond the public sector (ie market-shaping). Even further, where such standards are not readily available or independently set, the procurement function is expected to formulate specific (contractual) requirements to ensure compliance with the overarching regulatory goals identified at higher levels of policymaking. The procurement function is thus expected to leverage the design of public tenders and public contracts as tools of digital technology regulation to plug the regulatory gap resulting from the absence of binding (legal) requirements. This is a tall order.

Analysing this gatekeeping role and whether procurement can adequately perform it is the focus of the last part of my current research project. In this latest draft book chapter, I focus on an analysis of the procurement function as a regulatory actor. The following chapter will focus on an analysis of procurement rules on the design of tender procedures and some elements of contractual design as regulatory tools. Combined, the analyses will shed light on the unsuitability of procurement to carry out this gatekeeping role in the absence of minimum mandatory requirements and external oversight, which will also be explored in detail in later chapters. This draft book chapter is giving me a bit of a hard time and some of the ideas there are still slightly tentative, so I would more than ever welcome any and all feedback.

In ‘Regulating public and private interactions in public sector digitalisation through procurement: the clash between agency and gatekeeping logics’, my main argument is that the proposals to leverage procurement to regulate public sector digitalisation, which seek to use public sector market power and its gatekeeping role to enforce standards of technological regulation by embedding them in public contracts, are bound to generate significant dysfunction due to a break in regulatory logic. That regulatory logic results from an analysis of the procurement function from an agency theory and a gatekeeping theory perspective, which in my view evidence the impossibility for procurement to carry out conflicting roles. To support this claim, I explore: 1) the position of the procurement function amongst the public and private actors involved in public sector digitalisation; 2) the governance implications of the procurement function’s institutional embeddedness; and 3) the likely (in)effectiveness of public contracts in disciplining private and public behaviour, as well as behaviour that is mutually influenced or coproduced by public and private actors during the execution of public contracts.

My analysis finds that, in the regulation of public-private interactions, the regulatory logic underpinning procurement is premised on the existence of a vertical relationship between the public buyer and (potential) technology providers and an expectation of superiority of the public buyer, which is thus (expected to be) able to dictate the terms of the market interaction (through tender requirements), to operate as gatekeeper (eg by excluding potential providers that fall short of pre-specified standards), and to dictate the terms of the future contract (eg through contract performance clauses with a regulatory component). This regulatory logic hits obvious limitations when the public buyer faces potential providers with market power, an insufficient offer of (regulated) goods and services, or significant information asymmetries, which result in a potential ‘weak public buyer’ problem. Such problem has generally been tried to be addressed through procurement centralisation and upskilling of the (centralised) procurement workforce, but those measures create additional governance challenges (especially centralisation) and are unlikely to completely re-establish the balance of power required for the effective regulation by contract of public sector digitalisation, as far as the provider side is concerned.

Parking the ‘weak public buyer’ problem, my analysis then focuses on the regulation of public-public interactions between the adopting public sector entity and the procurement function. I separate them for the purposes of the analysis, to point out that at theoretical level, there is a tension between the expectations of agency and gatekeeping theories in this context. While both of them conceptualise the relationship as vertical, they operate on an opposite understanding of who holds a predominant position. Under agency theory, the public buyer is the agent and thus subject to the instructions of the public entity that will ultimately adopt the digital technology. Conversely, under gatekeeping theory, the public buyer is the (independent) guarantor of a set of goals or attributes in public sector digitalisation projects and is thus tasked with ensuring compliance therewith. This would place the public buyer in a position of (functional) superiority, in that it would (be expected to) be able to dictate (some of) the terms of the technological adoption. This conflict in regulatory logics creates a structural conflict of interest for the procurement function as both agent and gatekeeper.

The analysis then focuses on how the institutional embeddedness of procurement exacerbates this problem. Where the procurement function is embedded in the same administrative unit or entity that is seeking to adopt the technology, it is subjected to hierarchical governance and thus lacks the independence required to carry out the gatekeeping role. Similarly, where the procurement function is separate (eg in the case of centralised or collaborative procurement), in the absence of mandatory requirements (eg to use the centralised procurement vehicle), the adopting public entity retains discretion whether to subject itself to the (gatekeeper) procurement function or to carry out its own procurement. Moreover, even when it uses centralised procurement vehicles, it tends to retain discretion (eg on the terms of mini-competitions or for the negotiation of some contractual clauses), which also erodes the position of the procurement function to effectively carry out its gatekeeping role.

On the whole, the procurement function is not in a good position to discipline the behaviour of the adopting public entity and this creates another major obstacle to the effectiveness of the proposed approach to the regulation by contract of public sector digitalisation. This is exacerbated by the fact that the adopting public entity will be the principal of the regulatory contract with the (chosen) technology provider, which means that the contractual mechanisms designed to enforce regulatory goals will be left to interpretation and enforcement by those actors whose behaviour it seeks to govern.

In such decentred interactions, procurement lacks any meaningful means to challenge deviations from the contract that are in the mutual interest of both the adopting entity and the technology provider. The emerging approach to regulation by contract cannot properly function where the adopting public entity is not entirely committed to maximising the goals of digital regulation that are meant to be enforced by contract, and where the public contractor has a concurring interest in deviating from those goals by reducing the level of demand of the relevant contractual clauses. In the setting of digital technology regulation, this seems a likely common case, especially if we consider that the main regulatory goals (eg explainability, trustworthiness) are open-ended and thus the question is not whether the goals in themselves are embraced in abstracto by the adopting entity and the technology provider, but the extent to which effective (and costly or limiting) measures are put in place to maximise the realisation of such goals. In this context, (relational) contracts seem inadequate to prevent behaviour (eg shirking) that is the mutual interest of the contractual parties.

This generates what I label as a ‘two-sided gatekeeping’ challenge. This challenge encapsulates the difficulties for the procurement function to effectively influence regulatory outcomes where it needs to discipline both the behaviour of technology providers and adopting entities, and where contract implementation depends on the decentred interaction of those two agents with the procurement function as a (toothless) bystander.

Overall, then, the analysis shows that agency and gatekeeping theory point towards a disfunction in the leveraging of procurement to regulate public sector digitalisation by contract. There are two main points of tension or rupture with the regulatory logic. First, the regulatory approach cannot effectively operate in the absence of a clear set of mandatory requirements to bind the discretion of the procurement function during the tendering and contract formation phase, as well as the discretion of the adopting public entity during contract implementation phase, and which are also enforceable on the technology provider regardless of the terms of the contract. Second, the regulatory approach cannot effectively operate in the absence of an independent actor capable of enforcing those standards and monitoring continuous compliance during the lifecycle of technological adoption and use by the public sector entity. As things stand, the procurement function is affected by structural and irresolvable conflicts between its overlaid roles. Moreover, even if the procurement function was not caught by the conflicting logics and requirements of agency and gatekeeping (eg as a result of the adoption of the mandatory requirements mentioned above), it would still not be in an adequate position to monitor and discipline the behaviour of the adopting public entity—and, relatedly, of the technology provider—after the conclusion of the procurement phase.

The regulatory analysis thus points to the need to discharge the procurement function from its newest gatekeeping role, to realign it with agency theory as appropriate. This would require both the enactment of mandatory requirements and the subjection to external oversight of the process of technological adoption by the public sector. This same conclusion will be further supported by an analysis of the limitations of procurement law to effectively operate as a regulatory tool, which will be the focus of the next chapter in the book.

Some further thoughts on setting procurement up to fail in 'AI regulation by contract'

The next bit of my reseach project concerns the leveraging of procurement to achieve ‘AI regulation by contract’ (ie to ensure in the use of AI by the public sector: trustworthiness, safety, explainability, human rights compliance, legality especially in data protection terms, ethical use, etc), so I have been thinking about it for the last few weeks to build on my previous views (see here).

In this post, I summarise my further thoughts — which have been prompted by the rich submissions to the House of Commons Science and Technology Committee [ongoing] inquiry on the ‘Governance of Artificial Intelligence’.

Let’s do it via procurement

As a starting point, it is worth stressing that the (perhaps unsurprising) increasingly generalised position is that procurement has a key role to play in regulating the adoption of digital technologies (and AI in particular) by the public sector—which consolidates procurement’s gatekeeping role in this regulatory space (see here).

More precisely, the generalised view is not that procurement ought to play such a role, but that it can do so (effectively and meaningfully). ‘AI regulation by contract’ via procurement is seen as an (easily?) actionable policy and governance mechanism despite the more generalised reluctance and difficulties in regulating AI through general legislative and policy measures, and in creating adequate governance architectures (more below).

This is very clear in several submissions to the ongoing Parliamentary inquiry (above). Without seeking to be exhaustive (I have read most, but not all submissions yet), the following points have been made in written submissions (liberally grouped by topics):

Procurement as (soft) AI regulation by contract & ‘Market leadership’

  • Procurement processes can act as a form of soft regulation Government should use its purchasing power in the market to set procurement requirements that ensure private companies developing AI for the public sector address public standards. ’ (Committee on Standards in Public Life, at [25]-[26], emphasis added).

  • For public sector AI projects, two specific strategies could be adopted [to regulate AI use]. The first … is the use of strategic procurement. This approach utilises government funding to drive change in how AI is built and implemented, which can lead to positive spill-over effects in the industry’ (Oxford Internet Institute, at 5, emphasis added).

  • Responsible AI Licences (“RAILs”) utilise the well-established mechanisms of software and technology licensing to promote self-governance within the AI sector. RAILs allow developers, researchers, and companies to publish AI innovations while specifying restrictions on the use of source code, data, and models. These restrictions can refer to high-level restrictions (e.g., prohibiting uses that would discriminate against any individual) as well as application-specific restrictions (e.g., prohibiting the use of a facial recognition system without consent) … The adoption of such licenses for AI systems funded by public procurement and publicly-funded AI research will help support a pro-innovation culture that acknowledges the unique governance challenges posed by emerging AI technologies’ (Trustworthy Autonomous Systems Hub, at 4, emphasis added).

Procurement and AI explainability

  • public bodies will need to consider explainability in the early stages of AI design and development, and during the procurement process, where requirements for transparency could be stipulated in tenders and contracts’ (Committee on Standards in Public Life, at [17], emphasis added).

  • In the absence of strong regulations, the public sector may use strategic procurement to promote equitable and transparent AI … mandating various criteria in procurement announcements and specifying design criteria, including explainability and interpretability requirements. In addition, clear documentation on the function of a proposed AI system, the data used and an explanation of how it works can help. Beyond this, an approved vendor list for AI procurement in the public sector is useful, to which vendors that agree to meet the defined transparency and explainability requirements may be added’ (Oxford Internet Institute, at 2, referring to K McBride et al (2021) ‘Towards a Systematic Understanding on the Challenges of Procuring Artificial Intelligence in the Public Sector’, emphasis added).

Procurement and AI ethics

  • For example, procurement processes should be designed so products and services that facilitate high standards are preferred and companies that prioritise ethical practices are rewarded. As part of the commissioning process, the government should set out the ethical principles expected of companies providing AI services to the public sector. Adherence to ethical standards should be given an appropriate weighting as part of the evaluation process, and companies that show a commitment to them should be scored more highly than those that do not (Committee on Standards in Public Life, at [26], emphasis added).

Procurement and algorithmic transparency

  • … unlike public bodies, the private sector is not bound by the same safeguards – such as the Public Sector Equality Duty within the Equality Act 2010 (EA) – and is able to shield itself from criticisms regarding transparency behind the veil of ‘commercial sensitivity’. In addition to considering the private company’s purpose, AI governance itself must cover the private as well as public sphere, and be regulated to the same, if not a higher standard. This could include strict procurement rules – for example that private companies need to release certain information to the end user/public, and independent auditing of AI systems’ (Liberty, at [20]).

  • … it is important that public sector agencies are duly empowered to inspect the technologies they’re procuring and are not prevented from doing so by the intellectual property rights. Public sector buyers should use their purchasing power to demand access to suppliers’ systems to test and prove their claims about, for example, accuracy and bias’ (BILETA, at 6).

Procurement and technical standards

  • Standards hold an important role in any potential regulatory regime for AI. Standards have the potential to improve transparency and explainability of AI systems to detail data provenance and improve procurement requirements’ (Ada Lovelace Institute, at 10)

  • The speed at which the technology can develop poses a challenge as it is often faster than the development of both regulation and standards. Few mature standards for autonomous systems exist and adoption of emerging standards need to be encouraged through mechanisms such as regulation and procurement, for example by including the requirement to meet certain standards in procurement specification’ (Royal Academy of Engineering, at 8).

Can procurement do it, though?

Implicit in most views about the possibility of using procurement to regulate public sector AI adoption (and to generate broader spillover effects through market-based propagation mechanisms) is an assumption that the public buyer does (or can get to) know and can (fully, or sufficiently) specify the required standards of explainability, transparency, ethical governance, and a myriad other technical requirements (on auditability, documentation, etc) for the use of AI to be in the public interest and fully legally compliant. Or, relatedly, that such standards can (and will) be developed and readily available for the public buyer to effectively refer to and incorporate them into its public contracts.

This is a BIG implicit assumption, at least in relation with non trivial/open-ended proceduralised requirements and in relation to most of the complex issues raised by (advanced) forms of AI deployment. A sobering and persuasive analysis has shown that, at least for some forms of AI (based on neural networks), ‘it appears unlikely that anyone will be able to develop standards to guide development and testing that give us sufficient confidence in the applications’ respect for health and fundamental rights. We can throw risk management systems, monitoring guidelines, and documentation requirements around all we like, but it will not change that simple fact. It may even risk giving us a false sense of confidence’ [H Pouget, ‘The EU’s AI Act Is Barreling Toward AI Standards That Do Not Exist’ (Lawfare.com, 12 Jan 2023)].

Even for less complex AI deployments, the development of standards will be contested and protracted. This not only creates a transient regulatory gap that forces public buyers to ‘figure it out’ by themselves in the meantime, but can well result in a permanent regulatory gap that leaves procurement as the only safeguard (on paper) in the process of AI adoption in the public sector. If more general and specialised processes of standard setting are unlikely to plug that gap quickly or ever, how can public buyers be expected to do otherwise?

seriously, can procurement do it?

Further, as I wrote in my own submission to the Parliamentary inquiry, ‘to effectively regulate by contract, it is at least necessary to have (i) clarity on the content of the obligations to be imposed, (ii) effective enforcement mechanisms, and (iii) public sector capacity to establish, monitor, and enforce those obligations. Given that the aim of regulation by contract would be to ensure that the public sector only adopts trustworthy AI solutions and deploys them in a way that promotes the public interest in compliance with existing standards of protection of fundamental and individual rights, exercising the expected gatekeeping role in this context requires a level of legal, ethical, and digital capability well beyond the requirements of earlier instances of regulation by contract to eg enforce labour standards’ (at [4]).

Even optimistically ignoring the issues above and adopting the presumption that standards will emerge or the public buyer will be able to (eventually) figure it out (so we park requirement (i) for now), and also assuming that the public sector will be able to develop the required level of eg digital capability (so we also park (iii), but see here)), does however not overcome other obstacles to leveraging procurement for ‘AI regulation by contract’. In particular, it does not address the issue of whether there can be effective enforcement mechanisms within the contractual relationship resulting from a procurement process to impose compliance with the required standards (of explainability, transparency, ethical use, non-discrimination, etc).

I approach this issue as the challenge of enforcing not entirely measurable contractual obligations (ie obligations to comply with a contractual standard rather than a contractual rule), and the closest parallel that comes to my mind is the issue of enforcing quality requirements in public contracts, especially in the provision of outsourced or contracted-out public services. This is an issue on which there is a rich literature (on ‘regulation by contract’ or ‘government by contract’).

Quality-related enforcement problems relate to the difficulty of using contract law remedies to address quality shortcomings (other than perhaps price reductions or contractual penalties where those are permissible) that can do little to address the quality issues in themselves. Major quality shortcomings could lead to eg contractual termination, but replacing contractors can be costly and difficult (especially in a technological setting affected by several sources of potential vendor and technology lock in). Other mechanisms, such as leveraging past performance evaluations to eg bar access to future procurements can also do too little too late to control quality within a specific contract.

An illuminating analysis of the ‘problem of quality’ concluded that the ‘structural problem here is that reliable assurance of quality in performance depends ultimately not on contract terms but on trust and non-legal relations. Relations of trust and powerful non-legal sanctions depend upon the establishment of long-term … relations … The need for a governance structure and detailed monitoring in order to achieve co-operation and quality seems to lead towards the creation of conflictual relations between government and external contractors’ [see H Collins, Regulating Contracts (OUP 1999) 314-15].

To me, this raises important questions about the extent to which procurement and public contracts more generally can effectively deliver the expected safeguards and operate as an adequate sytem of ‘AI regulation by contract’. It seems to me that price clawbacks or financial penalties, even debarment decisions, are unilkely to provide an acceptable safety net in some (or most) cases — eg high-risk uses of complex AI. Not least because procurement disputes can take a long time to settle and because the incentives will not always be there to ensure strict enforcement anyway.

More thoughts to come

It seems increasingly clear to me that the expectations around the leveraging of procurement to ‘regulate AI by contract’ need reassessing in view of its likely effectiveness. Such effectiveness is constrained by the rules on the design of tenders for the award of public contracts, as well as those public contracts, and mechanisms to resolve disputes emerging from either tenders or contracts. The effectiveness of this approach is, of course, also constrained by public sector (digital) capability and by the broader difficulties in ascertaining the appropriate approach to (standards-based) AI regulation, which cannot so easily be set aside. I will keep thinking about all this in the process of writing my monograph. If this is of interested, keep an eye on this blog fior further thougths and analysis.

Interoperable Europe Act: Quick Procurement Annotation

© European Commission.

In November 2022, the European Commission published its proposal for an ‘Interoperable Europe Act’ to strengthen cross-border interoperability and cooperation in the public sector across the EU (the ‘IEA Proposal’, or ‘IEAP’) . The IEA Proposal seeks to revamp and strengthen the current European Interoperability Framework, which has seen very limited uptake since its inception in 2004, as detailed in the Communication ‘Linking public services, supporting public policies and delivering public benefits. Towards an “Interoperable Europe”’ (the ‘IEA Communication’).

The IEA Proposal thus seeks to introduce mandatory obligations and support mechanisms to foster the creation of a network of sovereign and interconnected digital public administrations and to accelerate the digital transformation of Europe's public sector, as an attempt to achieve Europe's 2030 digital targets and support trusted data flows. It also seeks to stimulate public sector innovation and public-private GovTech projects.

The IEA Proposal has a few procurement implications, some more evident than others. In this post, I try to map them, and offer some comments.

Some basics of the IEA Proposal

The IEA Proposal seeks to create a toolkit to promote increasing levels of interoperability in the network and information systems that enable public services to be delivered or managed electronically, with a primary focus on cross-border digital public services (Arts 3-14). The toolkit is complemented by institutional mechanisms for the governance of cross-border interoperability (Arts 15-18), as well as some central planning and monitoring instruments (Arts 19-20).

From a procurement perspective, some elements in the toolkit are particularly relevant, including: (i) an obligation to carry out interoperability assessments; (ii) an obligation to exchange information on ‘interoperability solutions’ and to cooperate with other public sector bodies; (iii) innovation measures with a GovTech focus; and (iv) regulatory sandboxes. Other measures, such as the creation of a portal for the publication of information on ‘interoperability solutions’, the possibility to set up Commission-driven policy implementation projects, provisions on training, or peer review mechanisms, are of lesser direct relevance. The rest of this post focuses on the four elements with a more direct procurement link.

Using procurement to trigger interoperability assessments

Interoperability assessments are one of the main elements in the IEAP toolkit. Recital (8) stresses that

To set up cross-border interoperable public services, it is important to focus on … interoperability … as early as possible in the policymaking process. Therefore, the public organisation that intends to set up a new or to modify an existing network and information system that is likely [to] result in high impacts on the cross-border interoperability, should carry out an interoperability assessment. This assessment is necessary to understand the magnitude of impact of the planned action and to propose measures to reap up the benefits and address potential costs.

Recital (10) then adds that

The outcome of that [interoperability] assessment should be taken into account when determining the appropriate measures that need to be taken in order to set up or modify the network and information system.

The minimum content of the interoperability assessment is prescribed and includes specific analysis of the ‘level of alignment of the network and information systems concerned with the European Interoperability Framework, and with the Interoperable Europe solutions [a new form of recommended interoperability standard]’ (Art 3(4)(b) IEAP). The purpose of the assessment is clearly to promote convergence towards European standards, even if there is no strict obligation to do so. The outcome of the interoperability assessment must be published on the public sector body’s website (Art 3(2) IEAP). Such transparency may support convergence towards European standards.

The IEA Proposal uses the likelihood of a procurement process as one of three triggers for the obligation to carry out an interoperability assessment. Article 3(1)(b) IEA Proposal indeed makes it mandatory to carry out such interoperability assessment ‘where the intended set-up or modification [of an existing network and information system that enables public services to be delivered or managed electronically] will most likely result in procurements for network and information systems used for the provision of cross-border services above the threshold set out in Article 4 of Directive 2014/24/EU’.

This trigger raises the question why the same obligation is not imposed when other EU procurement rules may be applicable — notably Directive 2014/23/EU on concessions, but also Directive 2014/25/EU as the infrastructure for digital public services may not be directly procured by an entity covered by Directive 2014/24/EU — although it is possible to carry out interoperability assessments on a voluntary basis.

Be it as it may, as a first procurement implication, the IEA Proposal would create an add-on regulatory obligation to carry out an interoperability assessment for (likely) procurements covered by Directive 2014/24/EU. It may be worth noting that the obligation to carry out an interoperability assessment is also triggered where ‘the intended set-up or modification affects one or more network and information systems used for the provision of cross-border services across several sectors or administrations’ (Art 3(1)(a) IEAP), so the obligation would not be circumvented in eg cases of public-public cooperation or in-house provision, whether they are considered covered and exempted, or excluded, from Directive 2014/24/EU.

The obligation to carry out the interoperability assessment can have a knock-on effect on the setting of technical specifications for the future procurement, to the extent that it promotes the adoption of Interoperable Europe solutions as standards. In that regard, it is worth noting that the IEA Proposal highlights that ‘Interoperability is a condition for avoiding technological lock-in, enabling technical developments, and fostering innovation’ (rec (22)), and also establishes a clear link between its objectives and the standardisation of technical specifications. In Recital (18), is stresses that

Interoperability is directly connected with, and dependent on the use of open specifications and standards. Therefore, the Union public sector should be allowed to agree on cross-cutting open specifications and other solutions to promote interoperability. The new framework should provide for a clear process on the establishment and promotion of such agreed interoperability solutions in the future. This way, the public sector will have a more coordinated voice to channel public sector needs and public values into broader discussions.

Therefore, a secondary procurement implication is that the IEA Proposal can have implications for the setting of technical specifications, in particular to promote the use of Interoperable Europe solutions. These can propagate beyond cross-border digital public services to the extent that such standardisation can also generate functional and financial advantages in a strictly domestic context. Moreover, as Interoperable Europe solutions are developed, they can simply become de facto industry standards.

obligations to exchange information: need for new or additional clauses in public contracts?

Another of the key goals of the IEA Proposal is to facilitate (cross-border) information exchanges between public administrations on the interoperability solutions they have implemented. Such exchange of information is meant to promote sharing and reusing proven tools as a ‘fast and cost-effective approach to designing digital public services’ (IEA Communication, at 2).

In that regard, Recital (12) of the IEA Proposal programmatically stresses that

Public sector bodies or institutions, bodies or agencies of the Union that search for interoperability solutions should be able to request from other public sector bodies or institutions, bodies or agencies of the Union the software code those organisations use, together with the related documentation. Sharing should become a default among public sector bodies, and institutions, bodies and agencies of the Union while not sharing would need a legal justification. In addition, public sector bodies or institutions, bodies, or agencies of the Union should seek to develop new interoperability solutions or to further develop existing interoperability solutions.

Such a maximalist approach would generalise a practice of ‘EU-wide’ ‘software code’ and technical documentation exchange that would likely raise some eyebrows, especially in relation to proprietary software and in relation to algorithmic source code protection. The IEA Proposal justifies this in Recital (13) on grounds that

When public administrations decide to share their solutions with other public administrations or the public, they are acting in the public interest. This is even more relevant for innovative technologies: for instance, open code makes algorithms transparent and allows for independent audits and reproducible building blocks. The sharing of interoperability solutions among public administration should set the conditions for the achievement of an open ecosystem of digital technologies for the public sector that can produce multiple benefits.

However, the IEA Proposal is much more limited than the recitals would suggest. The information exchange regime created by the IEA Proposal is regulated in Article 4. It needs to be read bearing in mind that Article 2(3) defines an ‘interoperability solution’ as a ‘technical specification, including a standard, or another solution, including conceptual frameworks, guidelines and applications, describing legal, organisational, semantic or technical requirements to be fulfilled by a network and information system in order to enhance cross-border interoperability’.

Depending on its interpretation, this definition can severely limit the scope of the information exchange obligations under the IEA Proposal, in particular due to the (functional) requirement that the covered ‘interoperability solutions’ refer to ‘requirements to be fulfilled by a network and information system in order to enhance cross-border interoperability’ (emphasis added). It should be noted that ‘cross-border interoperability’ is defined as ‘the ability of network and information systems to be used by public sector bodies in different Member States and institutions, bodies, and agencies of the Union in order to interact with each other by sharing data by means of electronic communication’. The IEA Communication and several aspects of the IEA Proposal seem to indicate that the purpose is not to restrict the relevant obligations to cases of existing cross-border interaction, but to facilitate potential cross-border interoperability. In that regard, it seems that it would have been preferable to define the scope of application as concerning information on any ‘solutions’ adopted by a public sector institution, so long as the information request was based on the potential interoperability of such solution with that (to be) adopted by the requesting institution. Nonetheless, it also seems functionally necessary for the information exchange mechanism not to be constrained to interoperability solutions already addressing issues of cross-border interoperability.

According to Article 4(1), ‘A public sector body or an institution, body or agency of the Union shall make available to any other such entity that requests it, interoperability solutions that support the public services that it delivers or manages electronically. The shared content shall include the technical documentation and, where applicable, the documented source code.’

Importantly, though, this obligation is excluded in the crucial case of interoperability solutions ‘for which third parties hold intellectual property rights and do not allow sharing’ (Art 4(1)(b)). It is also excluded regarding interoperability solutions that support processes which fall outside the scope of the public task of the public sector bodies or institutions, bodies, or agencies of the Union concerned (Art 4(1)(a)), and those with restricted access due to the protection of critical infrastructure, defence interests, or public security (Art 4(1)(c)).

So, what is left? Primarily, exchanges based on open source interoperability solutions, or exchanges of proprietary information permitted by the IP holder — eg through a licence that allows for the reuse by other public sector bodies or institutions, bodies or agencies of the Union, or other contractual means. In that regard, the obligation to exchange information is much more limited than may at first seem and does not create significant new technology governance duties on public buyers—other than the primary duty to disclose which solution is being used and to participate in the exchange of open (or permissioned) information, which can be done through a new portal to avoid multiple bilateral interactions (see Art 4(3) IEAP).

It may however be necessary to develop contractual clauses to clarify whether IP protected interoperability solutions can or cannot be shared (and in which terms), along the lines of some of the obligations regulated in the standard contractual clauses of the procurement of artificial intelligence, currently under development. Such contractual regime is also necessary in relation to software source code in any case, as a result of the CJEU Judgment in Informatikgesellschaft für Software-Entwicklung, C-796/18, EU:C:2020:395 (the ‘ISE case’, see here for discussion).

‘mandatory’ public-public cooperation

To support the reuse of (exchanged) interoperability solutions, Article 4(2) IEA Proposal includes an interesting provision on cooperation between the requesting (reusing) and the disclosing (sharing) public sector bodies:

To enable the reusing entity to manage the interoperability solution autonomously, the sharing entity shall specify the guarantees that will be provided to the reusing entity in terms of cooperation, support and maintenance. Before adopting the interoperability solution, the reusing entity shall provide to the sharing entity an assessment of the solution covering its ability to manage autonomously the cybersecurity and the evolution of the reused interoperability solution.

The sharing and reusing entities can also ‘conclude an agreement on sharing the costs for future developments of the interoperability solution’ (Art 4(5) IEAP). However, this cooperation obligation is excluded if the ‘sharing’ public sector body has published the interoperability solution in the relevant portal (Art 4(3) IEAP), which seems like a clear incentive to publish open source or broadly licensed interoperability solutions.

It is worth noting that, where arranged, such cooperation agreements (especially if they deal with future development costs) can in themselves constitute a public contract and thus be subject to compliance with Directive 2014/24/EU if the (wide) boundaries of public-public cooperation are exceeded—again, by reference to the ISE case. This seems an unlikely scenario given that the remit of the IEA Proposal is primarily concerned with networks for the cross-border (joint or linked) provision of digital public services, but it cannot be excluded if the broader interpretation of (potential) cross-border interoperability is adopted, especially in the context of reuse of a solution for a purpose (slightly) different than that for which the ‘sharing’ public sector entity implemented it.

Importantly, it is also necessary to consider whether the sharing of non-open access interoperability solutions under a cooperation agreement can have the effect of placing the IP holder in a position of advantage vis-à-vis its competitors, in which case the cooperation agreement would be in breach of Directive 2014/24/EU, once again, by reference to the ISE case. It can well be that this is a further disincentive for the sharing of IP protected interoperability solutions, even if a broad licence for public sector re-use is available.

In general, it seems like most of the mechanisms of the IEA Proposal can only really work in relation to open code and software. This is an important, general point. The IEA Communication stresses that interoperability assets ‘need to be open in order to be readily reusable by public administrations at all levels, that create interoperable systems and services, and by private sector and industry partners working with these administrations … This is why the proposed Interoperable Europe Act provides for access to reusable solutions, including code, where appropriate and possible.’ The main issue is that the IEA Proposal does not contain any explicit requirement for Member States’ public sector bodies to use open source solutions. Therefore, the effectiveness of most of its mechanisms ultimately depends on the level of uptake of open source solutions at national level.

innovation measures with a GovTech focus

Another procurement-relevant aspect of the IEA Proposal is its attempt to foster GovTech (peculiarly) defined as a ‘a technology-based cooperation between public and private sector actors supporting public sector digital transformation’ (Art 2(7) EIAP). The IEA Communication stresses that

Public-private ‘GovTech’ or ‘CivicTech’ cooperation stimulates public sector innovation, supports Europe’s technological sovereignty and opens pathways to public procurement. Gaining access to public procurement is a core concern for smaller companies, to be able to scale up and gain recognition and stable operating income (at 8).

Along the same lines, Recitals (24) and (25) of the IEA Proposal stress that

All levels of government should cooperate with innovative organisations, be it companies or non-profit entities, in design, development and operation of public services. Supporting GovTech cooperation between public sector bodies and start-ups and innovative SMEs, or cooperation mainly involving civil society organisations (‘CivicTech’), is an effective means of supporting public sector innovation and promoting use of interoperability tools across private and public sector partners. Supporting an open GovTech ecosystem in the Union that brings together public and private actors across borders and involves different levels of government should allow to develop innovative initiatives aimed at the design and deployment of GovTech interoperability solutions.

Identifying shared innovation needs and priorities and focusing common GovTech and experimentation efforts across borders would help Union public sector bodies to share risks, lessons learnt, and results of innovation support projects. Those activities will tap in particular into the Union’s rich reservoir of technology start-ups and SMEs. Successful GovTech projects and innovation measures piloted by Interoperable Europe innovation measures should help scale up GovTech tools and interoperability solutions for reuse.

However, there is little detail in the IEA Proposal on how GovTech uptake should be promoted. Article 10 indicates that the Interoperable Europe Board may propose that the Commission sets up innovation measures to support the development and uptake of innovative interoperability solutions in the EU, and that such measures ‘shall involve GovTech actors’. Such measures can be regulatory sandboxes (below). The Commission is also tasked with monitoring ‘the cooperation with GovTech actors in the field of cross-border interoperable public services to be delivered or managed electronically in the Union’ (Art 20(2)(c) IEAP).

None of this is very precise. The lack of detail on how to promote GovTech leaves many questions unanswered. This is particularly problematic because it is clear that engaging in GovTech requires rather sophisticated and advanced procurement, commercial and digital skills (see eg this report for the European Parliament) — even if only to understand the limits to pre-commercial procurement and other procurement-compliant ways to create a ‘route to market’ for GovTech companies.

It is also clear that existing support mechanisms (eg the Commission’s Guidance on Innovation Procurement) are insufficient. It remains to be seen whether the Commission can develop effective innovation measures under the IEA Proposal, which implementation will likely require overcoming the non-negligible obstacles to cross-border procurement under Directive 2014/24/EU — as the scope of the IEA Proposal is primarily constrained to cross-border digital public services and, more generally, to facilitating interoperability in different Member States.

regulatory Sandboxes and procurement?

As mentioned above in relation to GovTech, the IEA Proposal also includes the creation of regulatory sandboxes in its toolkit. Article 11 establishes that ‘Regulatory sandboxes shall provide a controlled environment for the development, testing and validation of innovative interoperability solutions supporting the cross-border interoperability of network and information systems which are used to provide or manage public services to be delivered or managed electronically for a limited period of time before putting them into service’. The aims of the sandboxes are specified, and include facilitating ‘cross-border cooperation between national competent authorities and synergies in public service delivery’; and facilitating ‘the development of an open European GovTech ecosystem, including cooperation with small and medium enterprises and start-ups’ (Art 11(3)(b) and (c) IEAP).

To me, it is unclear whether there will be much uptake of the possibility to participate in a sandbox to develop interoperability solutions for the public sector that are (tendentially at least) to be open source, as the economic incentives are not the same as those for participation in regulatory sandboxes that have as a sole purpose to exempt compliance from applicable regulatory obligations for the development of (otherwise) marketable products and services—eg in relation to FinTech services, or the pilot regulatory sandbox on Artificial Intelligence.

It seems to me more likely that the IEA regulatory sandboxes will be used in conjunction with a procurement process or for the implementation of public (services) contracts. In that case, it is unclear how the two mechanisms will interact. The IEA Proposal’s provisions on sandboxes only have detailed rules on data protection compliance, which clearly is a focus of legal risk. However, more could have been said in relation to coordinating the sandbox with the rules on cross-border procurement in Directive 2014/24/EU. Additional guidance seems necessary.

Final thoughts

The IEA Proposal has clear and not so clear interactions with public procurement. Notably, it forms part of a broader soft approach to fostering the procurement of open source digital solutions. As such, its effectiveness will be mostly constrained by the Member States’ willingness to embrace open source by default in their domestic procurement policies, as well as their proactive participation in the publication and cooperation mechanisms included in the IEA Proposal. It will be interesting to see how far such a change in public sector technology governance goes in coming years.

More Nuanced Procurement Transparency to Protect Competition: Has the Court of Justice Hit the Brakes on Open Procurement Data in Antea Polska (C-54/21)?

** This comment was first published as an Op-Ed for EU Law Live on 8 December 2022 (see formatted version). I am reposting it here in case of broader interest. **

In Antea Polska (C-54/21), the Court of Justice provided further clarification of the duties incumbent on contracting authorities to protect the confidentiality of different types of information disclosed by economic operators during tender procedures for the award of public contracts. Managing access to such information is challenging. On the one hand, some of the information will have commercial value and be sensitive from a market competition perspective, or for other reasons. On the other hand, disappointed tenderers can only scrutinise and challenge procurement decisions reliant on that information if they can access it as part of the duty to give reasons incumbent on the contracting authority. There is thus a clash of private interests that the public buyer needs to mediate as the holder of the information.

However, in recent times, procurement transparency has also gained a governance dimension that far exceeds the narrow confines of the tender procedures and related disputes. Open contracting approaches have focused on procurement transparency as a public governance tool, emphasising the public interest in the availability of such information. This creates two overlapping tracks for discussions on procurement transparency and its limitations: a track concerning private interests, and a track concerning the public interest. In this Op-Ed, I examine the judgment of Court of Justice in Antea Polska from both perspectives. I first consider the implications of the judgment for the public interest track, ie the open data context. I then focus on the specifics of the judgment in the private interest track, ie the narrower regulation of access to remedies in procurement. I conclude with some broader reflections on the need to develop the institutional mechanisms and guidance required by the nuanced approach to procurement transparency demanded by the Court of Justice, which is where both tracks converge.

Procurement Transparency and Public Interest

In the aftermath of the covid-19 pandemic, procurement transparency became a mainstream topic. Irregularities and corruption in the extremely urgent direct award of contracts could only be identified where information was made public, sometimes after extensive litigation to force disclosure. And the evidence that slowly emerged was concerning. The improper allocation of public funds through awards not subjected to most (or any) of the usual checks and balances renewed concerns about corruption and maladministration in procurement. This brought the spotlight back on proactive procurement transparency as a governance tool and sparked new interest in open data approaches. These would generate access to (until then) confidential procurement information without the need for an explicit request by the interested party.

A path towards ‘open by default’ procurement data has been plotted in the Open Data Directive, the Data Governance Act, and the new rules on Procurement eForms. Combined, these measures impose minimum open data requirements and allow for further ‘permissioned’ openness, including the granting of access to information subject to the rights of others—eg on grounds of commercial confidentiality, the protection of intellectual property (IP) or personal data (see here for discussion). In line with broader data strategies (notably, the 2020 Data Strategy), EU digital law seems to gear procurement towards encouraging ‘maximum transparency’—which would thus be expected to become the new norm soon (although I have my doubts, see here).

However, such ‘maximum transparency’ approach does not fit well the informational economics of procurement. Procurement is at its core an information or data-intensive exercise, as public buyers use tenders and negotiations to extract private information from willing economic operators to identify the contractor that can best satisfy the relevant needs. Subjecting the private information revealed in procurement procedures to maximum (or full) transparency would thus be problematic, as the risk of disclosure could have chilling and anticompetitive effects. This has long been established in principle in EU procurement law—and more generally in freedom of information law—although the limits to (on-demand and proactive) procurement transparency remain disputed and have generated wide variation across EU jurisdictions (for extensive discussion, see the contributions to Halonen, Caranta & Sanchez-Graells, Transparency in EU Procurements (2019)).

The Court’s Take

The Court of Justice’s case law has progressively made a dent on ‘maximum transparency’ approaches to confidential procurement information. Following its earlier Judgment in Klaipėdos regiono atliekų tvarkymo centras (C-927/19), the Court of Justice has now provided additional clarification on the limits to disclosure of information submitted by tenderers in public procurement procedures in its Judgment in Antea Polska. From the open data perspective, the Court’s approach to the protection of public interests in the opacity of confidential information are relevant.

Firstly, the Court of Justice has clearly endorsed limitations to procurement transparency justified by the informational economics of procurement. The Court has been clear that ‘the principal objective of the EU rules on public procurement is to ensure undistorted competition, and that, in order to achieve that objective, it is important that the contracting authorities do not release information relating to public procurement procedures which could be used to distort competition, whether in an ongoing procurement procedure or in subsequent procedures. Since public procurement procedures are founded on a relationship of trust between the contracting authorities and participating economic operators, those operators must be able to communicate any relevant information to the contracting authorities in such a procedure, without fear that the authorities will communicate to third parties items of information whose disclosure could be damaging to those operators’; Antea Polska (C-54/21, para 49). Without perhaps explicitly saying it, the Court has established the protection of competition and the fostering of trust in procurement procedures as elements inherently placed within the broader public interest in the proper functioning of public procurement mechanisms.

Second, the Court has recognised that ‘it is permissible for each Member State to strike a balance between the confidentiality [of procurement information] and the rules of national law pursuing other legitimate interests, including that … of ensuring “access to information”, in order to ensure the greatest possible transparency in public procurement procedures’; Antea Polska (C-54/21, para 57). However, in that regard, the exercise of such discretion cannot impinge on the effectiveness of the EU procurement rules seeking to align practice with the informational economics of procurement (ie to protect competition and the trust required to facilitate the revelation of private information, as above) to the extent that they also protect public interests (or private interests with a clear impact on the broader public interest, as above). Consequently, the Court stressed that ‘[n]ational legislation which requires publicising of any information which has been communicated to the contracting authority by all tenderers, including the successful tenderer, with the sole exception of information covered by the [narrowly defined] concept of trade secrets [in the Trade Secrets Directive], is liable to prevent the contracting authority … from deciding not to disclose certain information pursuant to interests or objectives [such as the protection of competition or commercial interests, but also the preservation of law enforcement procedures or the public interest], where that information does not fall within that concept of a trade secret’; Antea Polska (C-54/21, para 62).

In my view, the Court is clear that a ‘maximum transparency’ approach is not permissible and has stressed the duties incumbent on contracting authorities to protect public and private interests opposed to transparency. This is very much in line with the nuanced approach it has taken in another notable recent Judgment concerning open beneficial ownership data: Luxembourg Business Registers (C‑37/20 and C‑601/20) (see here for discussion). In Antea Polska, the Court has emphasised the need for case-by-case analysis of the competing interests in the confidentiality or disclosure of certain information.

This could have a significant impact on open data initiatives. First, it comes to severely limit ‘open by default’ approaches. Second, if contracting authorities find themselves unable to engage with nuanced analysis of the implications of information disclosure, they may easily ‘clam up’ and perpetuate (or resort back to) generally opaque approaches to procurement disclosure. Developing adequate institutional mechanisms and guidance will thus be paramount (as below).

Procurement Transparency and Private Interest

In its more detailed analysis of the specific information that contracting authorities need to preserve in order to align their practice with the informational economics of procurement (ie to promote trust and to protect market competition), the Court’s views in Antea Polska are also interesting but more problematic. The starting point is that the contracting authority cannot simply take an economic operator’s claim that a specific piece of information has commercial value or is protected by IP rights and must thus be kept confidential (Antea Polska, C-54/21, para 65), as that could generate excessive opacity and impinge of the procedural rights of competing tenderers. Moving beyond this blanket approach requires case-by-case analysis.

Concerning information over which confidentiality is claimed on the basis of its commercial value, the Court has stressed that ‘[t]he disclosure of information sent to the contracting authority in the context of a public procurement procedure cannot be refused if that information, although relevant to the procurement procedure in question, has no commercial value in the wider context of the activities of those economic operators’; Antea Polska (C-54/21, para 78). This requires the contracting authority to be able to assess the commercial value of the information. In the case, the dispute concerned whether the names of employees and subcontractors of the winning tenderer should be disclosed or not. The Court found that ‘in so far as it is plausible that the tenderer and the experts or subcontractors proposed by it have created a synergy with commercial value, it cannot be ruled out that access to the name-specific data relating to those commitments must be refused on the basis of the prohibition on disclosure’; Antea Polska (C-54/21, para 79). This points to the emergence of a sort of rebuttable presumption of commercial value that will be in practice very difficult to overcome by a contracting authority seeking to disclose information—either motu proprio, or on the request of a disappointed tenderer.

Concerning information over which confidentiality is claimed on the basis that it is protected by an IP right, in particular by copyright, the Court stressed that it is unlikely that copyright protection will apply to ‘technical or methodological solutions’ of procurement relevance (Antea Polska, C-54/21, para 82). Furthermore, ‘irrespective of whether they constitute or contain elements protected by an intellectual property right, the design of the projects planned to be carried out under the public contract and the description of the manner of performance of the relevant works or services may … have a commercial value which would be unduly undermined if that design and that description were disclosed as they stand. Their publication may, in such a case, be liable to distort competition, in particular by reducing the ability of the economic operator concerned to distinguish itself using the same design and description in future public procurement procedures’; Antea Polska (C-54/21, para 83). Again, this points to the emergence of a rebuttable presumption of commercial value and anticompetitive potential that will also be very difficult to rebut in practice.

The Court has also stressed that keeping this type of information confidential does not entirely bar disclosure. To discharge their duty to give reasons and facilitate access to remedies by disappointed tenderers, contracting authorities are under an obligation to disclose, to the extent possible, the ‘essential content’ of the protected information; Antea Polska (C-54/21, paras 80 and 84). Determining such essential content and ensuring that the relevant underlying (competing) rights are adequately protected will also pose a challenge to contracting authorities.

In sum, the Court has stressed that preserving competing interests related to the disclosure of confidential information in procurement requires the contracting authority to ‘assess whether that information has a commercial value outside the scope of the public contract in question, where its disclosure might undermine legitimate commercial concerns or fair competition. The contracting authority may, moreover, refuse to grant access to that information where, even though it does not have such commercial value, its disclosure would impede law enforcement or would be contrary to the public interest. A contracting authority must, where full access to information is refused, grant that tenderer access to the essential content of that information, so that observance of the right to an effective remedy is ensured’; Antea Polska (C-54/21, para 85). Once again, developing adequate institutional mechanisms and guidance will thus be paramount (as below).

Investing in the Way Forward

As I have argued elsewhere, and the Antea Polska Judgment has made abundantly clear, under EU procurement (and digital) law, it is simply not possible to create a system that makes all procurement data open. Conversely, the Judgment also makes clear that it is not possible to operate a system that keeps all procurement data confidential (Antea Polska, C-54/21, para 68).

Procurement data governance therefore requires the careful management of a system of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions. This will require investing in data and analysis capabilities by public buyers, which can no longer treat the regulation of confidentiality in procurement as an afterthought or secondary consideration. In the data economy, public buyers need to create the required institutional mechanisms to discharge their growing data governance obligations.

Moreover, and crucially, creating adequate data governance approaches requires the development of useful guidance by the European Commission and national competition authorities, as well as procurement oversight bodies. The Court of Justice’s growing case law points to the potential emergence of (difficult to challenge) rebuttable presumptions of justified confidentiality that could easily result in high levels of procurement opacity. To promote a better balance of the competing public and private interests, a more nuanced approach needs to be supported by actionable guidance. This will be very important across all EU jurisdictions, as it is not only jurisdictions that had embraced ‘maximum transparency’ that now need to correct course—but also those that continue to lag in the disclosure of procurement information. Ensuring a level playing field in procurement data governance depends on the harmonisation of currently widely diverging practices. Procurement digitalisation thus offers an opportunity that needs to be pursued.

Happy holidays and all the best for 2023

Dear HTCaN friends,

The last few months have required intense work to make progress on the digital technologies and procurement governance research project. And more remains to be done before the final deadline in July 2023.

Knowing that you are there and that the draft chapters and posts are being read is a source of constant motivation. Receiving some useful feedback is always a gift. Thank you for your continued support and engagement with my scholarship during 2022.

I will take a break now, and I hope you will all also be able to disconnect, recharge and enjoy yourselves over the coming weeks. See you in the new year.

Season’s greetings and all best wishes,
Albert

"Tech fixes for procurement problems?" [Recording]

The recording and slides for yesterday’s webinar on ‘Tech fixes for procurement problems?’ co-hosted by the University of Bristol Law School and the GW Law Government Procurement Programme are now available for catch up if you missed it.

I would like to thank once again Dean Jessica Tillipman (GW Law), Professor Sope Williams (Stellenbosch), and Eliza Niewiadomska (EBRD) for really interesting discussion, and to all participants for their questions. Comments most welcome, as always.

AI regulation by contract: submission to UK Parliament

In October 2022, the Science and Technology Committee of the House of Commons of the UK Parliament (STC Committee) launched an inquiry on the ‘Governance of Artificial Intelligence’. This inquiry follows the publication in July 2022 of the policy paper ‘Establishing a pro-innovation approach to regulating AI’, which outlined the UK Government’s plans for light-touch AI regulation. The inquiry seeks to examine the effectiveness of current AI governance in the UK, and the Government’s proposals that are expected to follow the policy paper and provide more detail. The STC Committee has published 98 pieces of written evidence, including submissions from UK regulators and academics that will make for interesting reading. Below is my submission, focusing on the UK’s approach to ‘AI regulation by contract’.

A. Introduction

01. This submission addresses two of the questions formulated by the House of Commons Science and Technology Committee in its inquiry on the ‘Governance of artificial intelligence (AI)’. In particular:

  • How should the use of AI be regulated, and which body or bodies should provide regulatory oversight?

  • To what extent is the legal framework for the use of AI, especially in making decisions, fit for purpose?

    • Is more legislation or better guidance required?

02. This submission focuses on the process of AI adoption in the public sector and, particularly, on the acquisition of AI solutions. It evidences how the UK is consolidating an inadequate approach to ‘AI regulation by contract’ through public procurement. Given the level of abstraction and generality of the current guidelines for AI procurement, major gaps in public sector digital capabilities, and potential structural conflicts of interest, procurement is currently an inadequate tool to govern the process of AI adoption in the public sector. Flanking initiatives, such as the pilot algorithmic transparency standard, are unable to address and mitigate governance risks. Contrary to the approach in the AI Regulation Policy Paper,[1] plugging the regulatory gap will require (i) new legislation supported by a new mechanism of external oversight and enforcement (an ‘AI in the Public Sector Authority’ (AIPSA)); (ii) a well-funded strategy to boost in-house public sector digital capabilities; and (iii) the introduction of a (temporary) mechanism of authorisation of AI deployment in the public sector. The Procurement Bill would not suffice to address the governance shortcomings identified in this submission.

B. ‘AI Regulation by Contract’ through Procurement

03. Unless the public sector develops AI solutions in-house, which is extremely rare, the adoption of AI technologies in the public sector requires a procurement procedure leading to their acquisition. This places procurement at the frontline of AI governance because the ‘rules governing the acquisition of algorithmic systems by governments and public agencies are an important point of intervention in ensuring their accountable use’.[2] In that vein, the Committee on Standards in Public Life stressed that the ‘Government should use its purchasing power in the market to set procurement requirements that ensure that private companies developing AI solutions for the public sector appropriately address public standards. This should be achieved by ensuring provisions for ethical standards are considered early in the procurement process and explicitly written into tenders and contractual arrangements’.[3] Procurement is thus erected as a public interest gatekeeper in the process of adoption of AI by the public sector.

04. However, to effectively regulate by contract, it is at least necessary to have (i) clarity on the content of the obligations to be imposed, (ii) effective enforcement mechanisms, and (iii) public sector capacity to establish, monitor, and enforce those obligations. Given that the aim of regulation by contract would be to ensure that the public sector only adopts trustworthy AI solutions and deploys them in a way that promotes the public interest in compliance with existing standards of protection of fundamental and individual rights, exercising the expected gatekeeping role in this context requires a level of legal, ethical, and digital capability well beyond the requirements of earlier instances of regulation by contract to eg enforce labour standards.

05. On a superficial reading, it could seem that the National AI Strategy tackled this by highlighting the importance of the public sector’s role as a buyer and stressing that the Government had already taken steps ‘to inform and empower buyers in the public sector, helping them to evaluate suppliers, then confidently and responsibly procure AI technologies for the benefit of citizens’.[4] The National AI Strategy referred, in particular, to the setting up of the Crown Commercial Service’s AI procurement framework (the ‘CCS AI Framework’),[5] and the adoption of the Guidelines for AI procurement (the ‘Guidelines’)[6] as enabling tools. However, a close look at these instruments will show their inadequacy to provide clarity on the content of procedural and contractual obligations aimed at ensuring the goals stated above (para 03), as well as their potential to widen the existing public sector digital capability gap. Ultimately, they do not enable procurement to carry out the expected gatekeeping role.

C. Guidelines and Framework for AI procurement

06. Despite setting out to ‘provide a set of guiding principles on how to buy AI technology, as well as insights on tackling challenges that may arise during procurement’, the Guidelines provide high-level recommendations that cannot be directly operationalised by inexperienced public buyers and/or those with limited digital capabilities. For example, the recommendation to ‘Try to address flaws and potential bias within your data before you go to market and/or have a plan for dealing with data issues if you cannot rectify them yourself’ (guideline 3) not only requires a thorough understanding of eg the Data Ethics Framework[7] and the Guide to using Artificial Intelligence in the public sector,[8] but also detailed insights on data hazards.[9] This leads the Guidelines to stress that it may be necessary ‘to seek out specific expertise to support this; data architects and data scientists should lead this process … to understand the complexities, completeness and limitations of the data … available’.

07. Relatedly, some of the recommendations are very open ended in areas without clear standards. For example, the effectiveness of the recommendation to ‘Conduct initial AI impact assessments at the start of the procurement process, and ensure that your interim findings inform the procurement. Be sure to revisit the assessments at key decision points’ (guideline 4) is dependent on the robustness of such impact assessments. However, the Guidelines provide no further detail on how to carry out such assessments, other than a list of some generic areas for consideration (eg ‘potential unintended consequences’) and a passing reference to emerging guidelines in other jurisdictions. This is problematic, as the development of algorithmic impact assessments is still at an experimental stage,[10] and emerging evidence shows vastly diverging approaches, eg to risk identification.[11] In the absence of clear standards, algorithmic impact assessments will lead to inconsistent approaches and varying levels of robustness. The absence of standards will also require access to specialist expertise to design and carry out the assessments.

08. Ultimately, understanding and operationalising the Guidelines requires advanced digital competency, including in areas where best practices and industry standards are still developing.[12] However, most procurement organisations lack such expertise, as a reflection of broader digital skills shortages across the public sector,[13] with recent reports placing civil service vacancies for data and tech roles throughout the civil service alone close to 4,000.[14] This not only reduces the practical value of the Guidelines to facilitate responsible AI procurement by inexperienced buyers with limited capabilities, but also highlights the role of the CCS AI Framework for AI adoption in the public sector.

09. The CCS AI Framework creates a procurement vehicle[15] to facilitate public buyers’ access to digital capabilities. CCS’ description for public buyers stresses that ‘If you are new to AI you will be able to procure services through a discovery phase, to get an understanding of AI and how it can benefit your organisation.’[16] The Framework thus seeks to enable contracting authorities, especially those lacking in-house expertise, to carry out AI procurement with the support of external providers. While this can foster the uptake of AI in the public sector in the short term, it is highly unlikely to result in adequate governance of AI procurement, as this approach focuses at most on the initial stages of AI adoption but can hardly be sustainable throughout the lifecycle of AI use in the public sector—and, crucially, would leave the enforcement of contractualised AI governance obligations in a particularly weak position (thus failing to meet the enforcement requirement at para 04). Moreover, it would generate a series of governance shortcomings which avoidance requires an alternative approach.

D. Governance Shortcomings

10. Despite claims to the contrary in the National AI Strategy (above para 05), the approach currently followed by the Government does not empower public buyers to responsibly procure AI. The Guidelines are not susceptible of operationalisation by inexperienced public buyers with limited digital capabilities (above paras 06-08). At the same time, the Guidelines are too generic to support sophisticated approaches by more advanced digital buyers. The Guidelines do not reduce the uncertainty and complexity of procuring AI and do not include any guidance on eg how to design public contracts to perform the regulatory functions expected under the ‘AI regulation by contract’ approach.[17] This is despite existing recommendations on eg the development of ‘model contracts and framework agreements for public sector procurement to incorporate a set of minimum standards around ethical use of AI, with particular focus on expected levels transparency and explainability, and ongoing testing for fairness’.[18] The guidelines thus fail to address the first requirement for effective regulation by contract in relation to clarifying the relevant obligations (para 04).

11. The CCS Framework would also fail to ensure the development of public sector capacity to establish, monitor, and enforce AI governance obligations (para 04). Perhaps counterintuitively, the CCS AI Framework can generate a further disempowerment of public buyers seeking to rely on external capabilities to support AI adoption. There is evidence that reliance on outside providers and consultants to cover immediate needs further erodes public sector capability in the long term,[19] as well as creating risks of technical and intellectual debt in the deployment of AI solutions as consultants come and go and there is no capture of institutional knowledge and memory.[20] This can also exacerbate current trends of pilot AI graveyard spirals, where most projects do not reach full deployment, at least in part due to insufficient digital capabilities beyond the (outsourced) pilot phase. This tends to result in self-reinforcing institutional weaknesses that can limit the public sector’s ability to drive digitalisation, not least because technical debt quickly becomes a significant barrier.[21] It also runs counter to best practices towards building public sector digital maturity,[22] and to the growing consensus that public sector digitalisation first and foremost requires a prioritised investment in building up in-house capabilities.[23] On this point, it is important to note the large size of the CCS AI Framework, which was initially pre-advertised with a £90 mn value,[24] but this was then revised to £200 mn over 42 months.[25] Procuring AI consultancy services under the Framework can thus facilitate the funnelling of significant amounts of public funds to the private sector, rather than using those funds to build in-house capabilities. It can result in multiple public buyers entering contracts for the same expertise, which thus duplicates costs, as well as in a cumulative lack of institutional learning by the public sector because of atomised and uncoordinated contractual relationships.

12. Beyond the issue of institutional dependency on external capabilities, the cumulative effect of the Guidelines and the Framework would be to outsource the role of ‘AI regulation by contract’ to unaccountable private providers that can then introduce their own biases on the substantive and procedural obligations to be embedded in the relevant contracts—which would ultimately negate the effectiveness of the regulatory approach as a public interest safeguard. The lack of accountability of external providers would not only result from the weakness (or absolute inability) of the public buyer to control their activities and challenge important decisions—eg on data governance, or algorithmic impact assessments, as above (paras 06-07)—but also from the potential absence of effective and timely external checks. Market mechanisms are unlikely to deliver adequate checks due market concentration and structural conflicts of interest affecting both providers that sometimes provide consultancy services and other times are involved in the development and deployment of AI solutions,[26] as well as a result of insufficiently effective safeguards on conflicts of interest resulting from quickly revolving doors. Equally, broader governance controls are unlikely to be facilitated by flanking initiatives, such as the pilot algorithmic transparency standard.

13. To try to foster accountability in the adoption of AI by the public sector, the UK is currently piloting an algorithmic transparency standard.[27] While the initial six examples of algorithmic disclosures published by the Government provide some details on emerging AI use cases and the data and types of algorithms used by publishing organisations, and while this information could in principle foster accountability, there are two primary shortcomings. First, completing the documentation requires resources and, in some respects, advanced digital capabilities. Organisations participating in the pilot are being supported by the Government, which makes it difficult to assess to what extent public buyers would generally be able to adequately prepare the documentation on their own. Moreover, the documentation also refers to some underlying requirements, such as algorithmic impact assessments, that are not yet standardised (para 07). In that, the pilot standard replicates the same shortcomings discussed above in relation to the Guidelines. Algorithmic disclosure will thus only be done by entities with high capabilities, or it will be outsourced to consultants (thus reducing the scope for the revelation of governance-relevant information).

14. Second, compliance with the standard is not mandatory—at least while the pilot is developed. If compliance with the algorithmic transparency standard remains voluntary, there are clear governance risks. It is easy to see how precisely the most problematic uses may not be the object of adequate disclosures under a voluntary self-reporting mechanism. More generally, even if the standard was made mandatory, it would be necessary to implement an external quality control mechanism to mitigate problems with the quality of self-reported disclosures that are pervasive in other areas of information-based governance.[28] Whether the Central Digital and Data Office (currently in charge of the pilot) would have capacity (and powers) to do so remains unclear, and it would in any case lack independence.

15. Finally, it should be stressed that the current approach to transparency disclosure following the adoption of AI (ex post) can be problematic where the implementation of the AI is difficult to undo and/or the effects of malicious or risky AI are high stakes or impossible to revert. It is also problematic in that the current approach places the burden of scrutiny and accountability outside the public sector, rather than establishing internal, preventative (ex ante) controls on the deployment of AI technologies that could potentially be very harmful for fundamental and individual socio-economic rights—as evidenced by the inclusion of some fields of application of AI in the public sector as ‘high risk’ in the EU’s proposed EU AI Act.[29] Given the particular risks that AI deployment in the public sector poses to fundamental and individual rights, the minimalistic and reactive approach outlined in the AI Regulation Policy Paper is inadequate.

E. Conclusion: An Alternative Approach

16. Ensuring that the adoption of AI in the public sector operates in the public interest and for the benefit of all citizens will require new legislation supported by a new mechanism of external oversight and enforcement. New legislation is required to impose specific minimum requirements of eg data governance and algorithmic impact assessment and related transparency across the public sector. Such legislation would then need to be developed in statutory guidance of a much more detailed and actionable nature than the current Guidelines. These developed requirements can then be embedded into public contracts by reference. Without such clarification of the relevant substantive obligations, the approach to ‘AI regulation by contract’ can hardly be effective other than in exceptional cases.

17. Legislation would also be necessary to create an independent authority—eg an ‘AI in the Public Sector Authority’ (AIPSA)—with powers to enforce those minimum requirements across the public sector. AIPSA is necessary, as oversight of the use of AI in the public sector does not currently fall within the scope of any specific sectoral regulator and the general regulators (such as the Information Commissioner’s Office) lack procurement-specific knowledge. Moreover, units within Cabinet Office (such as the Office for AI or the Central Digital and Data Office) lack the required independence.

18. It would also be necessary to develop a clear and sustainably funded strategy to build in-house capability in the public sector, including clear policies on the minimisation of expenditure directed at the engagement of external consultants and the development of guidance on how to ensure the capture and retention of the knowledge developed within outsourced projects (including, but not only, through detailed technical documentation).

19. Until sufficient in-house capability is built to ensure adequate understanding and ability to manage digital procurement governance requirements independently, the current reactive approach should be abandoned, and AIPSA should have to approve all projects to develop, procure and deploy AI in the public sector to ensure that they meet the required legislative safeguards in terms of data governance, impact assessment, etc. This approach could progressively be relaxed through eg block exemption mechanisms, once there is sufficiently detailed understanding and guidance on specific AI use cases and/or in relation to public sector entities that could demonstrate sufficient in-house capability, eg through a mechanism of independent certification.

20. The new legislation and statutory guidance would need to be self-standing, as the Procurement Bill would not provide the required governance improvements. First, the Procurement Bill pays limited to no attention to artificial intelligence and the digitalisation of procurement.[30] An amendment (46) that would have created minimum requirements on automated decision-making and data ethics was not moved at the Lords Committee stage, and it seems unlikely to be taken up again at later stages of the legislative process. Second, even if the Procurement Bill created minimum substantive requirements, it would lack adequate enforcement mechanisms, not least due to the limited powers and lack of independence of the foreseen Procurement Review Unit (to also sit within Cabinet Office).

_______________________________________
Note: all websites last accessed on 25 October 2022.

[1] Department for Digital, Culture, Media and Sport, Establishing a pro-innovation approach to regulating AI. An overview of the UK’s emerging approach (CP 728, 2022).

[2] Ada Lovelace Institute, AI Now Institute and Open Government Partnership, Algorithmic Accountability for the Public Sector (August 2021) 33.

[3] Committee on Standards in Public Life, Intelligence and Public Standards (2020) 51.

[4] Department for Digital, Culture, Media and Sport, National AI Strategy (CP 525, 2021) 47.

[5] AI Dynamic Purchasing System < https://www.crowncommercial.gov.uk/agreements/RM6200 >.

[6] Office for Artificial Intelligence, Guidelines for AI Procurement (2020) < https://www.gov.uk/government/publications/guidelines-for-ai-procurement/guidelines-for-ai-procurement >.

[7] Central Digital and Data Office, Data Ethics Framework (Guidance) (2020) < https://www.gov.uk/government/publications/data-ethics-framework >.

[8] Central Digital and Data Office, A guide to using artificial intelligence in the public sector (2019) < https://www.gov.uk/government/collections/a-guide-to-using-artificial-intelligence-in-the-public-sector >.

[9] See eg < https://datahazards.com/index.html >.

[10] Ada Lovelace Institute, Algorithmic impact assessment: a case study in healthcare (2022) < https://www.adalovelaceinstitute.org/report/algorithmic-impact-assessment-case-study-healthcare/ >.

[11] A Sanchez-Graells, ‘Algorithmic Transparency: Some Thoughts On UK's First Four Published Disclosures and the Standards’ Usability’ (2022) < https://www.howtocrackanut.com/blog/2022/7/11/algorithmic-transparency-some-thoughts-on-uk-first-disclosures-and-usability >.

[12] A Sanchez-Graells, ‘“Experimental” WEF/UK Guidelines for AI Procurement: Some Comments’ (2019) < https://www.howtocrackanut.com/blog/2019/9/25/wef-guidelines-for-ai-procurement-and-uk-pilot-some-comments >.

[13] See eg Public Accounts Committee, Challenges in implementing digital change (HC 2021-22, 637).

[14] S Klovig Skelton, ‘Public sector aims to close digital skills gap with private sector’ (Computer Weekly, 4 Oct 2022) < https://www.computerweekly.com/news/252525692/Public-sector-aims-to-close-digital-skills-gap-with-private-sector >.

[15] It is a dynamic purchasing system, or a list of pre-screened potential vendors public buyers can use to carry out their own simplified mini-competitions for the award of AI-related contracts.

[16] Above (n 5).

[17] This contrasts with eg the EU project to develop standard contractual clauses for the procurement of AI by public organisations. See < https://living-in.eu/groups/solutions/ai-procurement >.

[18] Centre for Data Ethics and Innovation, Review into bias in algorithmic decision-making (2020) < https://www.gov.uk/government/publications/cdei-publishes-review-into-bias-in-algorithmic-decision-making/main-report-cdei-review-into-bias-in-algorithmic-decision-making >.

[19] V Weghmann and K Sankey, Hollowed out: The growing impact of consultancies in public administrations (2022) < https://www.epsu.org/sites/default/files/article/files/EPSU%20Report%20Outsourcing%20state_EN.pdf >.

[20] A Sanchez-Graells, ‘Identifying Emerging Risks in Digital Procurement Governance’ in idem, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming) < https://ssrn.com/abstract=4254931 >.

[21] M E Nielsen and C Østergaard Madsen, ‘Stakeholder influence on technical debt management in the public sector: An embedded case study’ (2022) 39 Government Information Quarterly 101706.

[22] See eg Kevin C Desouza, ‘Artificial Intelligence in the Public Sector: A Maturity Model’ (2021) IBM Centre for the Business of Government < https://www.businessofgovernment.org/report/artificial-intelligence-public-sector-maturity-model >.

[23] A Clarke and S Boots, A Guide to Reforming Information Technology Procurement in the Government of Canada (2022) < https://govcanadacontracts.ca/it-procurement-guide/ >.

[24] < https://ted.europa.eu/udl?uri=TED:NOTICE:600328-2019:HTML:EN:HTML&tabId=1&tabLang=en >.

[25] < https://ted.europa.eu/udl?uri=TED:NOTICE:373610-2020:HTML:EN:HTML&tabId=1&tabLang=en >.

[26] See S Boots, ‘“Charbonneau Loops” and government IT contracting’ (2022) < https://sboots.ca/2022/10/12/charbonneau-loops-and-government-it-contracting/ >.

[27] Central Digital and Data Office, Algorithmic Transparency Standard (2022) < https://www.gov.uk/government/collections/algorithmic-transparency-standard >.

[28] Eg in the context of financial markets, there have been notorious ongoing problems with ensuring adequate quality in corporate and investor disclosures.

[29] < https://artificialintelligenceact.eu/ >.

[30] P Telles, ‘The lack of automation ideas in the UK Gov Green Paper on procurement reform’ (2021) < http://www.telles.eu/blog/2021/1/13/the-lack-of-automation-ideas-in-the-uk-gov-green-paper-on-procurement-reform >.

Wishful legal analysis as a trade strategy? A rebuttal to the Minister for International Trade

In the context of the Parliamentary scrutiny of the procurement chapters of the UK’s Free Trade Agreements with Australia and New Zealand, I submitted several pieces of written evidence, which I then gathered together and reformulated in A Sanchez-Graells, ‘The Growing Thicket of Multi-Layered Procurement Liberalisation between WTO GPA Parties, as Evidenced in Post-Brexit UK’ (2022) 49(3) Legal Issues of Economic Integration 247–268. I was also invited to submit oral evidence to the Public Bills Comittee for the Trade (Australia and New Zealand) Bill.

In my research, I raised some legal issues on the way the UK-AUS and UK-NZ procurement chapters would interact with the World Trade Agreement Government Procurement Agreement (GPA)—to which UK, AUS and NZ are members—and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)—to which the UK seeks accession and both AUS and NZ are members. I also raised issues with the rules on remedies in particular, both in relation to UK-AUS and the CPTPP.

I have now become aware of a letter from the Minister for International Trade, where the UK Government simply dismisses my legal analysis in an unconvicing manner. In this post, I try to rebut their position—although their lack of arguments makes this rather difficult—and stress some of the misunderstandings that the letter evidences. The letter seems to me to reflect a worrying strategy of ‘wishful legal analysis’ that does not bode well for post-Brexit UK trade realignment.

Interaction between the GPA, FTAs and the CPTPP

In my analysis and submissions, I stressed how deviations in the UK’s FTAs from the substantive obligations set in the GPA generate legal uncertainty and potential problems in ‘dual regulation’ situations, where one of the contracting parties (eg the UK) would be under the impossibility of complying at the same time with the obligations resulting from the GPA with tenderers from GPA countries and those arising from the FTAs with AUS or NZ with their tenderers—without either breaching GPA obligations or, what is more likely, ignoring the deviation in the FTAs to ensure GPA compliance. It would also generate issues where compliance with the more demanding standards in the FTAs would be automatically propagated to the benefit of economic operators from other jurisdictions. I also raised how the deviations can generate legal uncertainty and make it more difficult for UK tenderers to ascertain their legal position in AUS and NZ. And I also raised how this situation can get further complicated if the UK accesses CPTPP.

My concerns were discussed in Committee and the Minister had the following to say:

The [GPA] and the [CPTPP] are plurilateral agreements between twenty-one and eleven parties respectively, including in each case Australia and New Zealand. As recognised in Committee, the [GPA] in particular establishes a global baseline for international procurement. Nonetheless, neither prevents its members from entering into bilateral free trade agreements to sit alongside the [GPA] and [CPTPP] while at the same time going further in terms of the procurement commitments between members.

These Agreements with Australia and New Zealand do just that, going beyond both the [GPA] and the [CPTPP] baselines. … Although the texts of the Agreements with Australia and New Zealand are sometimes laid out differently to the way they are in the Agreement on Government Procurement, they in no way dilute or reduce the global baseline established by the [GPA]. (emphases added).

There are two points to note, here. The first one is that the fact that the GPA and the CPTPP allow for bilateral agreements between their parties does not clarify how the overlapping treaties would operate, which is exactly what I analysed. Of note, under the 1969 Vienna Convention on the Law of Treaties (Art 30), when States conclude successive treaties relating to the same subject matter, the most recent treary prevails, and the provisions of the earlier treaty/ies only apply to the extent that they are not incompatible with those of the later treaty.

This is crucial here, especially as the Minister indicates that the UK-AUS and UK-NZ go beyond not only the GPA, but also the CPTPP. This would mean that entering into CPTPP after UK-AUS and UK-NZ—as the UK is currently in train of doing—could negate some of the aspects that go beyond CPTPP in both those FTAs. Moreover, the simple assertion that the FTAs do not dilute the GPA baseline is unconvincing, as detailed analysis shows that there are significant problems with eg the interpretation of the national treatment under the different treaties.

Secondly, the explanation provided does not resolve the practical problems arising from ‘dual regulation’ that I have identified and leaves the question open as to how the obligations under the FTAs will be interpreted and complied with in triangular situations involving tenderers not from AUS or NZ. Either the UK will apply the more demanding obligations—which will then benefit all GPA parties, not only AUS and NZ—or will stick to the GPA baseline in breach of the FTAs. There is no recognition of this issue in the letter.

The Minister also indicated that:

There was also suggestion in Committee that it would be difficult for suppliers in the United Kingdom to navigate the Agreements with Australia and New Zealand, as well as the [CPTPP] in the future. I would like to reassure the Committee that when bidding for United Kingdom procurements, the only system that British suppliers need to concern themselves with is United Kingdom’s procurement regulations. (emphasis added).

The Minister has either not understood the situation, or is seeking to obscure the analysis here. The concerns about legal uncertainty do not relate to UK businesses tendering for contracts in the UK, but to UK businesses tendering for contracts in AUS or NZ—which are the ones that would be seeking to benefit from the trade liberalisation pursued by those FTAs. Nothing in the Minister’s letter addresses this issue.

Domestic review rights under the Australian procurement chapter

One of the specific deviations from the GPA baseline that I identified in my research concerns the exclusion of access to remedies on grounds of public interest. While the GPA only allows excluding interim measures on such grounds, the AUS-UK FTA and CPTPP seem to allow for public interest to also bar access to remedies such as compensation—and, if this does not limit access to remedies as I submit, at least it does cause legal uncertainty in that respect.

My submission is met with the following response by the Minister [the mentioned annex is reproduced at the end of this post]:

The Committee also considered the evidence raised by Professor Sánchez-Graells regarding domestic review procedures … The Government respectfully disagrees with the analysis presented at that session that a provision in the government procurement chapter of the [UK-AUS FTA] ‘allows for the exclusion of legal remedies completely on the basis of public interest’.

The public interest exclusion only applies to temporary measures put in place to ensure aggrieved suppliers may continue to participate in a procurement.

The Government also respectfully disagrees with the suggestion in the witness evidence that this public interest exclusion is not similarly reflected in the [GPA] or the [UK-NZ FTA]. The Government acknowledges that the specific position of the exclusion differs between these agreements and is closer to the approach adopted in the [CPTPP]. Nonetheless, the Government do not consider this alters the legal effect or gives rise to legal uncertainty. For the benefit of the Committee, the relevant provisions from each of the [FTAs], the [GPA] and the [CPTPP] are set out in an annex to this letter.

The Minister’s explanations are not supported by any arguments. There is no reasoning to explain why the order of the clauses and subclauses in the relevant provisions does not alter their legal interpretation or effects. There is also no justification whatsoever for the opinion that textual differences do not give rise to legal uncertainty. The Government seems to think that it can simply wish the legal issues away.

The table included in the annex to the letter (below) is revealing of the precise issue that raises legal uncertainty and, potentially, a restriction on access to remedies other than interim measures beyond the GPA (and thus, in breach thereof). Why would treaties that seem to replicate the same rules draft them differently? How can any legal interpreter be of the opinion that the positioning of the exception clause does not have an effect on the interpretation of its scope of application? Is the fact that these agreements post-date the GPA and still deviate from it not of legal relevance?

Of course, there are arguments that could be made to counter my analysis. They could eg focus on the use of different (undefined) terms in different sub-clauses (such as ‘measures’ and ‘corrective action’). They could also focus on any preparatory works to the treaties (especially the CPTPP and UK-AUS FTA, which I have not yet been able to locate). They could even be more creative and attempt functional or customary interpretation arguments. But the letter contains no arguments at all.

Conclusion

It is a sad state of affairs where detailed legal analysis—whether correct or not—is dismissed without offering any arguments to the contrary and simply seeking to leverage the ‘authority’ of a Minister or Department. If this is the generalised approach to assessing the legal implications of the trade agreements negotiated (at speed) by the UK post-Brexit, it does not bode well for the legal certainty required to promote international investments and commercial activities.

The reassurances in the letter are void of any weight, in my view. I can only hope that the Committee is not persuaded by the empty explanations contained in the letter either.



A tribute fit for a king -- some personal reflections after Steen Treumer's Mindeskrift

On 2 December 2022, the Faculty of Law at the University of Copenhagen hosted the conference ‘Into the Northern Light — In memory of Steen Treumer’ to celebrate his life and academic legacy on what would have been his 57th birthday. The conference was co-organised by Carina Risvig Hamer and Marta Andhov, who put together a tribute fit for a king. It was an exceptional event. Not only for the academic content of the presentations and the further papers in the tribute book (which you can buy here), but also because it provided an opportunity to learn more about Steen and his approach to academia. I have since been mulling over lots of things I heard on the day. This is a rather personal reflection on what knowing more about Steen’s life means for my aspirations as a senior academic (if you are interested, here are some earlier thoughts).

It is easy to idolize the academics that have been influential in your academic path to knowledge. And it is sometimes a bad idea to ‘meet your idols’, for great ideas are not always formualted or held by great people. However, in Steen’s case, it was not only transformative to know him, but also deeply inspirational. What most struck me at the conference is not only that all the stories and anecdotes that were shared rang true with my own experience of collaborating with Steen. But also that there was so much more exceptional in the person than in the academic, and that his personality and private life were an extension of his academic persona.

Steen incarnated exceptional virtues as an academic role model. He was extremely clever, dedicated and curious. This led him to pioneer research and produce a wealth of knowledge that was ahead of the curve and that had clear practical relevance and influence. It led him to have high standards and to always seek to engage in detailed discussions of complicated and controversial topics. It was said he was competitive and always keen on winning the argument. However, he was always approachable, accessible, respectful and never punched down. He was compassionate and kind. He was measured and knew how to be forceful without being aggressive. He was patient and listened twice as much as he spoke (for he never forgot that he had two ears and one mouth, as was stressed in the conference). He sought collaborations and nurtured relationships. He always played the long game. He was an enabler of others and took pride in that. He was extremely resilient and down to earth, and could control what others would have experienced as overwhelming emotions without losing hope or letting them derail his projects, even in the face of the greatest adversity. And this is not an exhaustive list of his virtues.

Sitting there, witnessing the love for Steen and the sadness for his unjustifiedly early departure, and reflecting on all this, I realized that I am now roughly of the same age Steen had when I first met him in 2009. And I hold a roughly comparable academic position. However, I am so far from having developed the skills and the approach he already had back then that I feel rather inadequate in many aspects of my role. I won’t list my shortcomings (too long a laundry list, best dealt with in private), but the one I keep thinking about is my limited humility (or rather, my egotism and pride) and my conflation of forceful or passionate arguing with aggressive attitudes. I am increasingly aware that over the years I have probably offended more than a fellow academic (at conferences, in this blog) and that some of my views could have been presented more kindly without detracting from the academic judgement underlying them. For that, I can only offer an unreserved apology. And to commit to try my best to change attitude, be more humble and, dare I say, try to be a little more like Steen.

If I have any chance of success, it is because of the role model Steen offered (which aligns with the core values and attitudes of other role models I still benefit from) and the unwavering support I receive from many colleagues, but especially the core of my academic collaborators and friends at the European Procurement Law Group: Roberto Caranta, Kirsi-Maria Halonen, Carina Risvig Hamer, and Pedro Telles. Seeing them again, after 3 or 4 years apart, made me far happier than I could have anticipated. And this reminded me both of the joys of belonging to a community and the duty to foster the right ways of engagement for such a community to thrive. I won’t forget this again.

New CJEU case law against excessive disclosure: quid de open data? (C‑54/21, and joined C‑37/20 and C‑601/20)

In the last few days, the Court of Justice of the European Union (CJEU) has delivered two judgments imposing significant limitations on the systematic, unlimited disclosure of procurement information with commercial value, such as the identity of experts and subcontractors engaged by tenderers for public contracts; and beneficial ownership information. In imposing a nuanced approach to the disclosure of such information, the CJEU may have torpedoed ‘full transparency’ approaches to procurement and beneficial ownership open data.

Indeed, these are two classes of information at the core of current open data efforts, and they are relevant for (digital) procurement governance—in particular in relation to the prevention of corruption and collusion, which automated screening requires establishing relationships and assessing patterns of interaction reliant on such data [for discussion, see A Sanchez-Graells, ‘Procurement Corruption and Artificial Intelligence: Between the Potential of Enabling Data Architectures and the Constraints of Due Process Requirements’ in S Williams & J Tillipman (eds), Routledge Handbook of Public Procurement Corruption (forthcoming)]. The judgments can thus have important implications.

In Antea Polska, the CJEU held that EU procurement rules prevent national legislation mandating all information sent by the tenderers to the contracting authorities to be published in its entirety or communicated to the other tenderers, with the sole exception of trade secrets. The CJEU reiterated that the scope of non-disclosable information is much broader and requires a case-by-case analysis by the contracting authority, in particular with a view to avoiding the release of information that could be used to distort competition. Disclosure of information needs to strike an adequate balance between meeting good administration duties to enable the right to the effective review of procurement decisions, on the one hand, and the protection of information with commercial value or with potential competition implications, on the other.

In a related fashion, in Luxembourg Business Registers, the CJEU declared invalid the provision of the Anti-Money Laundering Directive whereby Member States had to ensure that the information on the beneficial ownership of corporate and other legal entities incorporated within their territory was accessible in all cases to any member of the general public—without the need to demonstrate having a legitimate interest in accessing it. The CJEU considered that the disclosure of the information to undefined members of the public created an excessive interference with the fundamental rights to respect for private life and to the protection of personal data.

In this blog post, I analyse these two cases and reflect on their implications for the management of (big) open data for procurement governance purposes, in particular from an anti-corruption perspective and in relation to the EU law data governance obligations incumbent on public buyers.

There is more than trade secrets to procurement confidentiality

In Antea Polska and Others (C-54/21, EU:C:2022:888), among other questions, the CJEU was asked whether Directive 2014/24/EU precludes national legislation on public procurement which required that, with the sole exception of trade secrets, information sent by the tenderers to the contracting authorities be published in its entirety or communicated to the other tenderers, and a practice on the part of contracting authorities whereby requests for confidential treatment in respect of trade secrets were accepted as a matter of course.

I will concentrate on the first part of the question on full transparency solely constrained by trade secrets—and leave the ‘countervailing’ practice aside for now (though it deserves some comment because it creates a requirement for the contracting authority to assess the commercial value of procurement information in the wider context of the activities of the participating economic operators, at paras 69-85). I will also not deal with the discrepancy between the concept of ‘trade secret’ under the Trade Secrets Directive and the concept of ‘confidential information’ in Directive 2014/24 (which the CJEU clarifies, again, at paras 51-55).

The issue of full transparency of procurement information subject only to trade secret protection raises an interesting question because it concerns the compatibility with EU law of a maximalistic approach to procurement transparency that is not peculiar to Poland (where the case originated) but shared by other Member States with a permissive tradition of access to public documents [for in-depth country-specific analyses and comparative considerations, see the contributions to K-M Halonen, R Caranta & A Sanchez-Graells, Transparency in EU Procurements. Disclosure Within Public Procurement and During Contract Execution (Edward Elgar 2019)].

The question concerns the interpretation of multiple provisions of Directive 2014/24/EU and, in particular, Art 21(1) on confidentiality and Arts 50(4) and 55(3) on the withholding of information [see my comments to Art 21 and 55 in R Caranta & A Sanchez-Graells, European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021)]. All of them are of course to be interpreted in line with the general principle of competition in Art 18(1) [see A Sanchez-Graells, Public Procurement and the EU Competition Rules (2nd edn, hart 2015) 444-445].

In addressing the question, the CJEU built on its recent judgment in Klaipėdos regiono atliekų tvarkymo centras (C‑927/19, EU:C:2021:700), and reiterated its general approach to the protection of confidential information in procurement procedures:

‘… the principal objective of the EU rules on public procurement is to ensure undistorted competition … to achieve that objective, it is important that the contracting authorities do not release information relating to public procurement procedures which could be used to distort competition, whether in an ongoing procurement procedure or in subsequent procedures. Since public procurement procedures are founded on a relationship of trust between the contracting authorities and participating economic operators, those operators must be able to communicate any relevant information to the contracting authorities in such a procedure, without fear that the authorities will communicate to third parties items of information whose disclosure could be damaging to those operators’ (C-54/21, para 49, reference omitted, emphasis added).

The CJEU linked this interpretation to the prohibition for contracting authorities to disclose information forwarded to it by economic operators which they have designated as confidential [Art 21(1) Dir 2014/24] and stressed that this had to be reconciled with the requirements of effective judicial protection and, in particular, the general principle of good administration, from which the obligation to state reasons stems because ‘in the absence of sufficient information enabling it to ascertain whether the decision of the contracting authority to award the contract is vitiated by errors or unlawfulness, an unsuccessful tenderer will not, in practice, be able to rely on its right .. to an effective review’ (C-54/21, para 50).

The Court also stressed that the Directive allows Member States to modulate the scope of the protection of confidential information in accordance with their national legislation, in particular legislation concerning access to information [Art 21(1) Dir 2014/24, C-54/21, para 56]. In that regard, however, the CJEU went on to stress that

‘… if the effectiveness of EU law is not to be undermined, the Member States, when exercising the discretion conferred on them by Article 21(1) of that directive, must refrain from introducing regimes … which undermine the balancing exercise [with the right to an effective review] or which alter the regime relating to the publicising of awarded contracts and the rules relating to information to candidates and tenderers set out in Article 50 and 55 of that directive … any regime relating to confidentiality must, as Article 21(1) of Directive 2014/24 expressly states, be without prejudice to the abovementioned regime and to those rules laid down in Articles 50 and 55 of that directive’ (C-54/21, para 58-59).

Focusing on Art 50(4) and Art 55(3) of Directive 2014/24/EU, the CJEU stressed that these provisions empower contracting authorities to withhold from general publication and from disclosure to other candidates and tenderers ‘certain information, where its release would impede law enforcement, would otherwise be contrary to the public interest or would prejudice the legitimate commercial interests of an economic operator or might prejudice fair competition’ (para 61 and, almost identically, para 60). This led the Court to the conclusion that

‘National legislation which requires publicising of any information which has been communicated to the contracting authority by all tenderers, including the successful tenderer, with the sole exception of information covered by the concept of trade secrets, is liable to prevent the contracting authority, contrary to what Articles 50(4) and 55(3) of Directive 2014/24 permit, from deciding not to disclose certain information pursuant to interests or objectives mentioned in those provisions, where that information does not fall within that concept of a trade secret.

Consequently, Article 21(1) of Directive 2014/24, read in conjunction with Articles 50 and 55 of that directive … precludes such a regime where it does not contain an adequate set of rules allowing contracting authorities, in circumstances where Articles 50 and 55 apply, exceptionally to refuse to disclose information which, while not covered by the concept of trade secrets, must remain inaccessible pursuant to an interest or objective referred to in Articles 50 and 55’ (paras 62-63).

In my view, this is the correct interpretation and an important application of the rules seeking to minimise the risk of distortions of competition due to excessive procurement transparency, on which I have been writing for a long time [see also K-M Halonen, ‘Disclosure rules in EU public procurement: balancing between competition and transparency’ (2016) 16(4) Journal of Public Procurement 528].

The Antea Polska judgment stresses the importance of developing a nuanced approach to the management, restricted disclosure and broader publication of information submitted to the contracting authority in a procurement procedure. Notably, this will create particular complications in the context of the design and rollout of procurement open data, especially in the context of the new eForms (see here, and below).

Transparency for what? Who really cares about beneficial ownership?

In Luxembourg Business Registers (joined cases C‑37/20 and C‑601/20, EU:C:2022:912, FR only—see EN press release on which I rely to avoid extensive own translations from French) the CJEU was asked to rule on the compatibility with the Charter of Fundamental Rights—and in particular Articles 7 (respect for private and family life) and 8 (protection of personal data)—of Article 30(5)(c) of the consolidated version of the Anti-Money Laundering Directive (AML Directive), which required Member States to ensure that information on the beneficial ownership of corporate and other legal entities incorporated within their territory is accessible in all cases to any member of the general public. In particular, members of the general public had to ‘be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.’

The CJEU has found that the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, which is exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated.

While the CJEU recognised that the AML Directive pursues an objective of general interest and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective, the interference with individual fundamental rights is neither limited to what is strictly necessary nor proportionate to the objective pursued.

The Court paid special attention to the fact that the rules requiring unrestricted public access to the information result from a modification of the previous regime in the original AML Directive, which required, in addition to access by the competent authorities and certain entities, for access by any person or organisation capable of demonstrating a legitimate interest. The Court considered that the suppression of the requirement to demonstrate a legitimate interest in accessing the information did not generate sufficient benefits from the perspective of combating money laundering and terrorist financing to offset the significantly more serious interference with fundamental rights that open publication of the beneficial ownership data entails.

Here, the Court referred to its judgment in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601), where it carried out a functional comparison of the anti-corruption effects of a permissioned system of institutional access and control of relevant disclosures, versus public access to that information. The Court was clear that

‘… the publication online of the majority of the personal data contained in the declaration of private interests of any head of an establishment receiving public funds … does not meet the requirements of a proper balance. In comparison with an obligation to declare coupled with a check of the declaration’s content by the Chief Ethics Commission … such publication amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from publication of all those data for the purpose of preventing conflicts of interest and combating corruption’ (C-184/20, para 112).

In Luxembourg Business Registers, the CJEU also held that the optional provisions in Art 30 AML Directive that allowed Member States to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, were not, in themselves, capable of demonstrating either a proper balance between competing interests, or the existence of sufficient safeguards.

The implication of the Luxembourg Business Registers is that a different approach to facilitating access to beneficial ownership data is required, and that an element of case-by-case assessment (or at least of an assessment based on categories of organisations and individuals seeking access) will need to be brought back into the system. In other words, permissioned access to beneficial ownership data seems unavoidable.

Implications for open data and data governance

These recent CJEU judgments seem to me to clearly establish the general principle that unlimited transparency does not equate public interest, as there is also an interest in preserving the (relative) confidentiality of some information and data and an adequate, difficult balance needs to be struck. The interests in competition with transparency can be either individual (fundamental rights, or commercial value) or collective (avoidance of distortions of competition). Detailed and comprehensive assessment on a case-by-case basis is required.

As I advocated long ago, and recently reiterated in relation to the growing set of data governance obligations incumbent on public buyers, under EU law,

‘It is thus simply not possible to create a system that makes all procurement data open. Data governance requires the careful management of a system of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions. While the need to balance procurement transparency and the protection of data subject to the rights of others and competition-sensitive data is not a new governance challenge, the digital management of this information creates heightened risks to the extent that the implementation of data management solutions is tendentially ‘open access’ (and could eg reverse presumptions of confidentiality), as well as in relation to system integrity risks (ie cybersecurity)’ (at 10, references omitted).

The CJEU judgments have (re)confirmed that unlimited ‘open access’ is not a viable strategy under EU law. It is perhaps clearer than ever that the capture, structuring, retention, and disclosure of governance-relevant procurement and related data (eg beneficial ownership) needs to be decoupled from its proactive publication. This requires a reconsideration of the open data model and, in particular, a careful assessment of the implementation of the new eForms that only just entered into force.

Governing the Assessment and Taking of Risks in Digital Procurement Governance

In a previous blog post, I explored the main governance risks and legal obligations arising from the adoption of digital technologies, which revolve around data governance, algorithmic transparency, technological dependency, technical debt, cybersecurity threats, the risks stemming from the long-term erosion of the skills base in the public sector, and difficult trade-offs due to the uncertainty surrounding immature and still changing technologies within an also evolving regulatory framework. To address such risks and ensure compliance with the relevant governance obligations, I stressed the need to embed a comprehensive mechanism of risk assessment in the process of technological adoption.

In a new draft chapter (num 9) for my book project, I analyse how to embed risk assessments in the initial stages of decision-making processes leading to the adoption of digital solutions for procurement governance, and how to ensure that they are iterated throughout the lifecycle of use of digital technologies. To do so, I critically review the model of AI risk regulation that is emerging in the EU and the UK, which is based on self-regulation and self-assessment. I consider its shortcomings and how to strengthen the model, including the possibility of subjecting the process of technological adoption to external checks. The analysis converges with a broader proposal for institutionalised regulatory checks on the adoption of digital technologies by the public sector that I will develop more fully in another part of the book.

This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Governing the Assessment and Taking of Risks in Digital Procurement Governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming), Available at SSRN: https://ssrn.com/abstract=4282882.

AI Risk Regulation

The emerging (global) model of AI regulation is risk-based—as opposed to a strict precautionary approach. This implies an assumption that ‘a technology will be adopted despite its harms’. This primarily means accepting that technological solutions may (or will) generate (some) negative impacts on public and private interests, even if it is not known when or how those harms will arise, or how extensive they will be. AI are unique, as they are ‘long-term, low probability, systemic, and high impact’, and ‘AI both poses “aggregate risks” across systems and low probability but “catastrophic risks to society”’ [for discussion, see Margot E Kaminski, ‘Regulating the risks of AI’ (2023) 103 Boston University Law Review, forthcoming]

This should thus trigger careful consideration of the ultimate implications of AI risk regulation, and advocates in favour of taking a robust regulatory approach—including to the governance of the risk regulation mechanisms put in place, which may well require external controls, potentially by an independent authority. By contrast, the emerging model of AI risk regulation in the context of procurement digitalisation in the EU and the UK leaves the adoption of digital technologies by public buyers largely unregulated and only subject to voluntary measures, or to open-ended obligations in areas without clear impact assessment standards (which reduces the prospect of effective mandatory enforcement).

Governance of Procurement Digitalisation in the EU

Despite the emergence of a quickly expanding set of EU digital law instruments imposing a patchwork of governance obligations on public buyers, whether or not they adopt digital technologies (see here), the primary decision whether to adopt digital technologies is not subject to any specific constraints, and the substantive obligations that follow from the diverse EU law instruments tend to refer to open-ended standards that require advanced technical capabilities to operationalise them. This would not be altered by the proposed EU AI Act.

Procurement-related AI uses are classified as minimal risk under the EU AI Act, which leaves them subject only to voluntary self-regulation via codes of conduct—yet to be developed. Such codes of conduct should encourage voluntary compliance with the requirements applicable to high-risk AI uses—such as risk management systems, data and data governance requirements, technical documentation, record-keeping, transparency, or accuracy, robustness and cybersecurity requirements—‘on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.’ This seems to introduce a further element of proportionality or ‘adaptability’ requirement that could well water down the requirements applicable to minimal risk AI uses.

Importantly, while it is possible for Member States to draw such codes of conduct, the EU AI Act would pre-empt Member States from going further and mandating compliance with specific obligations (eg by imposing a blanket extension of the governance requirements designed for high-risk AI uses) across their public administrations. The emergent EU model is thus clearly limited to the development of voluntary codes of conduct and their likely content, while yet unknown, seems unlikely to impose the same standards applicable to the adoption of high-risk AI uses.

Governance of Procurement Digitalisation in the UK

Despite its deliberate light-touch approach to AI regulation and actively seeking to deviate from the EU, the UK is relatively advanced in the formulation of voluntary standards to govern procurement digitalisation. Indeed, the UK has adopted guidance for the use of AI in the public sector, and for AI procurement, and is currently piloting an algorithmic transparency standard (see here). The UK has also adopted additional guidance in the Digital, Data and Technology Playbook and the Technology Code of Practice. Remarkably, despite acknowledging the need for risk assessments—and even linking their conduct to spend approvals required for the acquisition of digital technologies by central government organisations—none of these instruments provides clear standards on how to assess (and mitigate) risks related to the adoption of digital technologies.

Thus, despite the proliferation of guidance documents, the substantive assessment of governance risks in digital procurement remains insufficiently addressed and left to undefined risk assessment standards and practices. The only exception concerns cyber security assessments, given the consolidated approach and guidance of the National Cyber Security Centre. This lack of precision in the substantive requirements applicable to data and algorithmic impact assessments clearly constrains the likely effectiveness of the UK’s approach to embedding technology-related impact assessments in the process of adoption of digital technologies for procurement governance (and, more generally, for public governance). In the absence of clear standards, data and algorithmic impact assessments will lead to inconsistent approaches and varying levels of robustness. The absence of standards will also increase the need to access specialist expertise to design and carry out the assessments. Developing such standards and creating an effective institutional mechanism to ensure compliance therewith thus remain a challenge.

The Need for Strengthened Digital Procurement Governance

Both in the EU and the UK, the emerging model of AI risk regulation leaves digital procurement governance to compliance with voluntary measures such as (future) codes of conduct or transparency standards or impose open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). This follows general trends of AI risk regulation and evidences the emergence of a (sub)model highly dependent on self-regulation and self-assessment. This approach is rather problematic.

Self-Regulation: Outsourcing Impact Assessment Regulation to the Private Sector

The absence of mandatory standards for data and algorithmic impact assessments, as well as the embedded flexibility in the standards for cyber security, are bound to outsource the setting of the substantive requirements for those impact assessments to private vendors offering solutions for digital procurement governance. With limited public sector digital capability preventing a detailed specification of the applicable requirements, it is likely that these will be limited to a general obligation for tenderers to provide an impact assessment plan, perhaps by reference to emerging (international private) standards. This would imply the outsourcing of standard setting for risk assessments to private standard-setting organisations and, in the absence of those standards, to the tenderers themselves. This generates a clear and problematic risk of regulatory capture. Moreover, this process of outsourcing or excessively reliance on private agents to commercially determine impact assessments requirements is not sufficiently exposed to scrutiny and contestation.

Self-Assessment: Inadequacy of Mechanisms for Contestability and Accountability

Public buyers will rarely develop the relevant technological solutions but rather acquire them from technological providers. In that case, the duty to carry out the self-assessment will (or should be) cascaded down to the technology provider through contractual obligations. This would place the technology provider as ‘first party’ and the public buyer as ‘second party’ in relation to assuring compliance with the applicable obligations. In a setting of limited public sector digital capability, and in part as a result of a lack of clear standards providing an applicable benchmark (as above), the self-assessment of compliance with risk management requirements will either be de facto outsourced to private vendors (through a lack of challenge of their practices), or carried out by public buyers with limited capabilities (eg during the oversight of contract implementation). Even where public buyers have the required digital capabilities to carry out a more thorough analysis, they lack independence. ‘Second party’ assurance models unavoidably raise questions about their integrity due to the conflicting interests of the assurance provider who wants to use the system (ie the public buyer).

This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions to adopt digital technologies revealed by the algorithmic disclosures. In many cases, shortcomings in the risk assessments and the related minimisation and mitigation measures will only become observable after the materialisation of the underlying harms. For example, the effects of the adoption of a defective digital solution for decision-making support (eg a recommender system) will only emerge in relation to challengeable decisions in subsequent procurement procedures that rely on such solution. At that point, undoing the effects of the use of the tool may be impossible or excessively costly. In this context, challenges based on procedure-specific harms, such as the possibility to challenge discrete procurement decisions under the general rules on procurement remedies, are inadequate. Not least, because there can be negative systemic harms that are very hard to capture in the challenge to discrete decisions, or for which no agent with active standing has adequate incentives. To avoid potential harms more effectively, ex ante external controls are needed instead.

Creating External Checks on Procurement Digitalisation

It is thus necessary to consider the creation of external ex ante controls applicable to these decisions, to ensure an adequate embedding of effective risk assessments to inform (and constrain) them. Two models are worth considering: certification schemes and independent oversight.

Certification or Conformity Assessments

While not applicable to procurement uses, the model of conformity assessment in the proposed EU AI Act offers a useful blueprint. The main potential shortcoming of conformity assessment systems is that they largely rely on self-assessments by the technology vendors, and thus on first party assurance. Third-party certification (or algorithmic audits) is possible, but voluntary. Whether there would be sufficient (market) incentives to generate a broad (voluntary) use of third-party conformity assessments remains to be seen. While it could be hoped that public buyers could impose the use of certification mechanisms as a condition for participation in tender procedures, this is a less than guaranteed governance strategy given the EU procurement rules’ functional approach to the use of labels and certificates—which systematically require public buyers to accept alternative means of proof of compliance. This thus seems to offer limited potential for (voluntary) certification schemes in this specific context.

Relatedly, the conformity assessment system foreseen in the EU AI Act is also weakened by its reliance on vague concepts with non-obvious translation into verifiable criteria in the context of a third-party assurance audit. This can generate significant limitations in the conformity assessment process. This difficulty is intended to be resolved through the development of harmonised standards by European standardisation organisations and, where those do not exist, through the approval by the European Commission of common specifications. However, such harmonised standards will largely create the same risks of commercial regulatory capture mentioned above.

Overall, the possibility of relying on ‘third-party’ certification schemes offers limited advantages over the self-regulatory approach.

Independent External Oversight

Moving beyond the governance limitations of voluntary third-party certification mechanisms and creating effective external checks on the adoption of digital technologies for procurement governance would require external oversight. An option would be to make the envisaged third-party conformity assessments mandatory, but that would perpetuate the risks of regulatory capture and the outsourcing of the assurance system to private parties. A different, preferable option would be to assign the approval of the decisions to adopt digital technologies and the verification of the relevant risks assessments to a centralised authority also tasked with setting the applicable requirements therefor. The regulator would thus be placed as gatekeeper of the process of transition to digital procurement governance, instead of the atomised imposition of this role on public buyers. This would be reflective of the general features of the system of external controls proposed in the US State of Washington’s Bill SB 5116 (for discussion, see here).

The main goal would be to introduce an element of external verification of the assessment of potential AI harms and the related taking of risks in the adoption of digital technologies. It is submitted that there is a need for the regulator to be independent, so that the system fully encapsulates the advantages of third-party assurance mechanisms. It is also submitted that the data protection regulator may not be best placed to take on the role as its expertise—even if advanced in some aspects of data-intensive digital technologies—primarily relates to issues concerning individual rights and their enforcement. The more diffuse collective interests at stake in the process of transition to a new model of public digital governance (not only in procurement) would require a different set of analyses. While reforming data protection regulators to become AI mega-regulators could be an option, that is not necessarily desirable and it seems that an easier to implement, incremental approach would involve the creation of a new independent authority to control the adoption of AI in the public sector, including in the specific context of procurement digitalisation.

Conclusion

An analysis of emerging regulatory approaches in the EU and the UK shows that the adoption of digital technologies by public buyers is largely unregulated and only subjected to voluntary measures, or to open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). The emerging model of AI risk regulation in the EU and UK follows more general trends and points at the consolidation of a (sub)model of risk-based digital procurement governance that strongly relies on self-regulation and self-assessment.

However, given its limited digital capabilities, the public sector is not best placed to control or influence the process of self-regulation, which results in the outsourcing of crucial regulatory tasks to technology vendors and the consequent risk of regulatory capture and suboptimal design of commercially determined governance mechanisms. These risks are compounded by the emerging ‘second party assurance’ model, as self-assessments by technology vendors would not be adequately scrutinised by public buyers, either due to a lack of digital capabilities or the unavoidable structural conflicts of interest of assurance providers with an interest in the use of the technology, or both. This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions revealed by the disclosures, including in the context of (delayed) specific uses of the technological solutions.

The analysis also shows how a model of third-party assurance or certification would be affected by the same issues of outsourcing of regulatory decisions to private parties, and ultimately would largely replicate the shortcomings of the self-regulatory and self-assessed model. A certification model would thus only generate a marginal improvement over the emerging model—especially given the functional approach to the use of certification and labels in procurement.

Moving past these shortcomings requires assigning the approval of decisions whether to adopt digital technologies and the verification of the related impact assessments to an independent authority: the ‘AI in the Public Sector Authority’ (AIPSA). I will fully develop a proposal for such authority in coming months.

UK REGULATION AFTER BREXIT REVISITED -- PUBLIC PROCUREMENT

Negotiating the Future’ and ‘UK in a Changing Europe’ have published a second edition of their interesting report on ‘UK Regulation after Brexit - Revisited’. I had contributed a procurement chapter to the first edition (which has recently been cited in this interesting report for the European Committee of the Regions on the impact on regions and cities of the new trade and economic relations between EU-UK). So I was invited to update the analysis, paying special attention to the (slow) progress of reform of the UK procurement rulebook with the Procurement Bill.

The procurement analysis is below, but I would recommend reading the report in full, as it gives a rather comprehensive picture of how regulation is moving in the UK. For more targeted analysis on regulatory divergence with the EU, this other UK in a Changing Europe ‘Divergence Tracker’ (v5.0) will be of interest.

Public procurement

Public procurement regulation is the set of rules and policies that controls the award of public contracts for works, supplies, and services. Its main goal is to ensure probity and value for money in the spending of public funds – to prevent corruption, collusion, and wastage of taxpayers’ money. It does so by establishing procedural requirements leading to the award of a public contract, and by constraining discretion through requirements of equal treatment, competition, and proportionality. From a trade perspective, procurement law prevents favouritism and protectionism of domestic businesses by facilitating international competition.

In the UK, procurement rules have long been considered an excessive encumbrance on the discretion and flexibility of the public sector, as well as on its ability to deploy ambitious policies with social value to buy British products made by British workers. The EU origin of UK domestic rules, which ‘copied out’ EU Directives before Brexit, has long been blamed for perceived rigidity and constraint in the allocation of public contracts, even though a ‘WTO regime’ would look very similar.

Capitalising on that perception during the Brexit process, public procurement was ear-marked for reform. Boris Johnson promised a ‘bonfire of procurement red tape to give small firms a bigger slice of Government contracts’. The Johnson Government proposed to significantly rewrite and simplify the procurement rulebook, and to adopt an ambitious ‘Buy British’ policy, which would reserve some public contracts to British firms. However, although one of the flagship areas for regulatory reform, not much has changed in practical terms. Reforms are perhaps on the horizon in 2023 or 2024, but the extent to which they will result in material divergence from the pre-Brexit EU regulatory baseline remains to be seen.

Post-Brexit changes so far, plus ça change…

To avoid a regulatory cliff edge and speed up its realignment under international trade law, the UK sought independent membership of the World Trade Organisation Government Procurement Agreement (GPA) from 1 January 2021 on terms that replicate and give continuity to its previously indirect membership as an EU Member State. The UK’s current individual obligations under the GPA are the same as before Brexit. Moreover, to maintain market access, the EU-UK Trade and Cooperation Agreement (TCA) replicates obligations under EU law that go beyond the GPA in substantive and procedural elements (‘GPA+’), with only the exception of some contracts for healthcare services. The Free Trade Agreements (FTAs) with Australia and New Zealand, and the envisioned accession of the UK to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) foresee further GPA+ market access obligations and increasingly complicated constraints related to trade.

These commitments prevent the adoption of an expansive ‘Buy British’ policy and could in fact restrict it in some industries, although healthcare is explicitly excluded from procurement-related trade negotiations. Despite misleading claims to the contrary in UK governments reports, such as the January 2022 Benefits of Brexit report, which gives the impression that Brexit ‘enabled goods and services contracts below £138,760 (central government), £213,477 (sub-central authorities) and £5.3 million (construction throughout the public sector) to be reserved for UK suppliers’ (art 8), official procurement guidance makes clear that the situation remains unchanged. Contracts above the values quoted above – those covered by the GPA, the TCA, and Free Trade Agreements – remain open to international competition. In other words, the government has not achieved its stated Brexit aspiration of reserving ‘a bigger slice’ of procurement to domestic businesses.

A similar picture emerges in relation to procedural requirements under procurement law. While the UK Government declared that its aim was to ‘rewrite the rulebook’ (as discussed below), the pre-Brexit ‘copy out’ of EU procurement rules remains in effect as retained EU law. Brexit required some marginal technical adjustments, such as a change in the digital platform where contract opportunities are advertised and where high value contract opportunities are published in the Find a Tender portal rather than the EU’s official journal, or the substitution of the European Single Procurement Document (ESPD) with a near-identical Single Procurement Document (SPD). The main practical change following Brexit is the UK being disconnected from the e-Certis database. The lack of direct access to documentary evidence makes it more difficult and costly for businesses and public sector entities to complete pre-award checks, especially in cases of cross-border EU-UK tendering. However, TCA provisions seek to minimise these documentary requirements (Art 280) and could mitigate the practical implications of the UK no longer being part of the e-Certis system.

With Brexit, the Minister for the Cabinet Office assumed the powers and functions relating to compliance with procurement rules. Even if the bar was already quite low before Brexit, since virtually no infringement procedures had been opened against the UK for procurement breaches, this change is likely to result in a weakening of enforcement due to the lack of separation between Cabinet Office and other central government departments. The shortcomings of current oversight mechanisms are reflected in the proposed reforms discussed below, which include a proposal to create a dedicated Procurement Review Unit.

Future change

The government has been promoting the reform of the UK’s procurement rulebook. Its key elements were included in the 2020 Green Paper Transforming Public Procurement. The aim was ‘to speed up and simplify [UK] procurement processes, place value for money at their heart, and unleash opportunities for small businesses, charities and social enterprises to innovate in public service delivery’, through greater procedural flexibility, commercial discretion, data transparency, centralisation of a debarment mechanism, and regulatory space for non-economic considerations. The Green Paper envisaged the creation of a new Procurement Review Unit with oversight powers, as well as measures to facilitate the judicial review of procurement decisions. Despite the rhetoric, the proposals did not mark a significant departure from the current rules. They were ‘EU law+’, at best. However, a deregulatory approach that introduces more discretion and less procedural limitations carries potential for significantly complicating procurement practice by reducing procedural standardisation and increasing tendering costs.

The 2021’s government response to the consultation mostly confirmed the approach in the Green Paper and, on 11 May 2022, the Procurement Bill was introduced in the House of Lords, the day after the Queen’s Speech. The Procurement Bill is hardly an exemplar of legislative drafting and it was soon clear that it would need very significant amending. As of 1 September 2022, the Bill had reached its committee stage in the Lords. Five hundred amendments have been put forward with over three hundred of those originating from the government itself. The amendments affect the ‘transformative’ elements of the Bill, and sometimes there are competing amendments over the same clause that would result in different outcomes. It is difficult to gauge whether the government’s proposals will result in a legislative text that materially deviates from the current rules. It is also unclear to what extent the new Procurement Review Unit will have effective oversight powers, or enforcement powers.

The Procurement Bill, moreover, contains only the bare bones of a future regime. Secondary legislation and volumes of statutory guidance will be adopted and developed once the final legislation is in place. Given the uncertainty, the government has committed to provide at least six months’ notice of the new system. It is therefore unlikely that the new rules will be in place before mid-2023. The roll-out of the new rules will require a major training exercise, but most of the government’s training programme is directed towards the public sector. Business can expect to shoulder significant costs associated with the introduction of the new rules.

These legislative changes will not apply UK-wide. Scotland has decided to keep its own separate (EU-derived) procurement rules in place. Divergence between the rules in Scotland and those that apply in the rest of the UK is governed by the 2022 revised Common Framework for Public Procurement. The Common Framework allows for policy divergence, and has already resulted in different national procurement strategies for England, Wales and Scotland, as well as keeping in place a pre-existing policy for Northern Ireland. It is too early to judge, but different policy approaches may in the medium term fragment the UK internal market for public contracts, especially non-central government procurement.

Conclusion

The process of UK procurement reform may be the ‘perfect Brexit story’. Perceived pre-Brexit problems and dissatisfaction were largely a result of long-lasting underinvestment in public sector capacity and training and constraints that mostly derive from international treaties rather than EU law. As an EU member state, the UK could have decided to transpose EU rules other than copying them, thereby building a more comprehensive set of procurement rules that could address some of the shortcomings in the EU framework. It could have funded a better public sector training programme, implemented open procurement data standards and developed analytical dashboards, or centralised debarment decisions. It decided not to opt for any of these measures but blamed the EU for the issues that arose from that decision.

When Brexit rhetoric had to be translated into legal change, reality proved rather stubborn. International trade commitments were simply rolled over, thereby reducing any prospect of a ‘Buy British’ policy. Moreover, the ongoing reform of procurement law is likely to end up introducing more complexity, while only deviating marginally from EU standards in practice. Despite all the effort expended and resource invested, a Brexit dividend in public procurement remains elusive.

'Britannia II' abandoned. A true Brexit procurement story?

© 10 Downing Street/PA.

In May 2021, the Johnson government was ‘riding high’ after ‘getting Brexit done’ a few months back. Very much in that mood, they announced a project for a new national flagship to promote British businesses around the world. The official press release stressed that the ship would ‘be the first of its kind constructed in the UK, creating jobs and reinvigorating the shipbuilding industry’.

The news got a mixed reception, not least because of the expected cost, potentially well above £200 mn (and later on estimated at £250 mn plus £30 mn contingency). However, the possibility for it to be commissioned in the UK and for the project to act as a boost for the industry was (reluctantly) embraced by the opposition too.

Quite how it would be (legally) ensured that the ship would be constructed in the UK and that the project generated jobs to reinvigorate the UK shipbuilding industry was unclear, as the UK had already bound itself to the WTO Government Procurement Agreement (GPA). The UK’s GPA schedules of coverage clearly include tenders for ships, boats and floating structures except warships (annex 4). The UK government however planned to sidestep its international commitments by invoking a national security exemption to restrict competition to UK design and build.

The UK government was indeed trying to pass the flagship off as a defence procurement, as the Defence Secretary confirmed that the ‘capital cost of building the National Flagship will fall to the defence budget as part of the Government's wider commitment to the UK shipbuilding industry‘, and the project was led by a ‘National Flagship Taskforce’ set up within the Ministry of Defence (see eg the March 2022 National Shipbuilding Strategy, at 23). At the time, the Minister for Defence Procurement sought to justify this: ‘Under WTO there is a security exemption. The security of the vessel is incredibly key to how we think about it. Given the nature of what it will be doing, it is important that there are security ramifications around that, which is something we take very seriously. There are legitimate reasons, under WTO, why we can direct this to be a UK build, which it will be’ (Q209).

Legally, this is rather risible.

The security exemption does not relate to procurement objects that will need securing once acquired, but rather to procurement objects to be used for security purposes, or procurement objects that are crucial to security interests (eg critical infrastructure). There was no (public) evidence that the ship would meet those requirements. On the contrary, the declared (primary) role for the ship was ‘to promote British businesses around the world’, in particular by hosting trade events. This is not a defence and security use, even if the boat would of course require protecting. The Commons Defence Committee also stressed that it received ‘no evidence of the advantage to the Royal Navy of acquiring the National Flagship‘ (“We’re going to need a bigger Navy”, at [20]).

A trade dispute might well have been in the making…

Anyway. The project has now been abandoned by the Sunak government, despite the £2.5m of taxpayers’ money already spent on the “vanity project”. The trade dispute, if there was to be one, has been averted. But the ‘Britannia II’ story should serve as a reminder of why Brexit continues to be problematic in the field of procurement regulation — with some of it still permeating the proposals in the Procurement Bill and the National Procurement Policy Statement.

Other than the waste of public funds in yet another unnecessary project rather reminiscent of the ‘lost’ British Empire, the story clearly revolves around an uncashable Brexit dividend: protectionism through procurement. This was a clear goal of the reformist agenda in Brexiteer governments, but one that became simply (legally) unattainable with the UK’s accession to the GPA. And the space for a ‘mini’ Buy British procurement policy keeps reducing under the growing thicket of international trade agreements the UK is seeking to put in place.

The story also reminds us of the disregard for international law and international trade commitments of recent UK Governments, which one can only hope will now be systematically revisited and complied with by the current administration.

Registration open: TECH FIXES FOR PROCUREMENT PROBLEMS?

As previously announced, on 15 December, I will have the chance to discuss my ongoing research on procurement digitalisation with a stellar panel: Eliza Niewiadomska (EBRD), Jessica Tillipman (GW Law), and Sope Williams (Stellenbosch).

The webinar will provide an opportunity to take a hard look at the promise of tech fixes for procurement problems, focusing on key issues such as:

  • The ‘true’ potential of digital technologies in procurement.

  • The challenges arising from putting key enablers in place, such as an adequate big data architecture and access to digital skills in short supply.

  • The challenges arising from current regulatory frameworks and constraints not applicable to the private sector.

  • New challenges posed by data governance and cybersecurity risks.

The webinar will be held on December 15, 2022 at 9:00 am EST / 2:00 pm GMT / 3:00 pm CET-SAST. Full details and registration at: https://blogs.gwu.edu/law-govpro/tech-fixes-for-procurement-problems/.

Unpacking the logic behind the magic in the use of AI for anticorruption screening (re Pastor Sanz, 2022)

‘Network of public contracts, contracting bodies, and awarded companies in Spain’ in 2020 and 2021; Pastor Sanz (2022: 7).

[Note: please don’t be put off by talk of complex algorithms. The main point is precisely that we need to look past them in this area of digital governance!].

I have read a new working paper on the use of ‘blackbox algorithms’ as anti-corruption screens for public procurement: I Pastor Sanz, ‘A New Approach to Detecting Irregular Behavior in the Network Structure of Public Contracts’. The paper aims to detect corrupt practices by exploiting network relationships among participants in public contracts. The paper implements complex algorithms to support graphical analysis to cluster public contracts with the aim of identifying those at risk of corruption. The approach in the paper would create ‘risk maps’ to eg prioritise the investigation of suspected corrupt awards. Such an approach could be seen to provide a magical* solution to the very complex issue of corruption monitoring in procurement (or more generally). In this post, I unpack what is behind that magic and critically assess whether it follows a sound logic on the workings of corruption (which it really doesn’t).

The paper is technically very complex and I have to admit to not entirely understanding the specific workings of the graphical analysis algorithms. I think most people with an interest in anti-corruption in procurement would also struggle to understand it and, even data scientists (and even the author of the paper) would be unable to fully understand the reasons why any given contract award is flagged as potentially corrupt by the model, or to provide an adequate explanation. In itself, this lack of explainability would be a major obstacle to the deployment of the solution ‘in the real world’ [for discussion, see A Sanchez-Graells, ‘Procurement Corruption and Artificial Intelligence: Between the Potential of Enabling Data Architectures and the Constraints of Due Process Requirements’]. However, perhaps more interestingly, the difficulty in understanding the model creates a significant additional governance risk in itself: intellectual debt.

Intellectual debt as a fast-growing governance risk

Indeed, this type of very complex algorithmic approach creates a significant risk of intellectual debt. As clearly put by Zittrain,

‘Machine learning at its best gives us answers as succinct and impenetrable as those of a Magic 8-Ball – except they appear to be consistently right. When we accept those answers without independently trying to ascertain the theories that might animate them, we accrue intellectual debt’ (J Zittrain, ‘Intellectual Debt. With Great Power Comes Great Ignorance’, 178).

The point here is that, before relying on AI, we need to understand its workings and, more importantly, the underlying theories. In the case of AI for anti-corruption purposes, we should pay particular attention to the way corruption is conceptualised and embedded in the model.

Feeding the machine a corruption logic

In the paper, the model is developed and trained to translate ‘all the public contracts awarded in Spain in the years 2020 and 2021 into a bi-dimensional map with five different groups. These groups summarize the position of a contract in the network and their interactions with their awarded companies and public contracting bodies’ (at 14). Then, the crucial point from the perspective of a corruption logic comes in:

‘To determine the different profiles of the created groups in terms of corruption risk, news about bad practices or corruption scandals in public procurements in the same period (years 2020 and 2021) has been used as a reference. The news collection process has been manual and the 10 most important general information newspapers in Spain in terms of readership have been analyzed. Collected news about irregularities in public procurements identifies suspicions or ongoing investigations about one public contracting body and an awarded company. In these cases, all the contracts granted by the Public Administration to this company have been identified in the sample and flagged as “doubtful” contracts. The rest of the contracts, which means contracts without apparent irregularities or not uncovered yet, have been flagged as “normal” contracts. A total of 765 contracts are categorized as “doubtful”, representing 0.36% of total contracts … contracts belong to only 25 different companies, where only one company collects 508 granted contracts classified as “doubtful”’ (at 14-15, references omitted and emphasis added).

A sound logic?

This reflects a rather cavalier attitude to the absence of reliable corruption data and to difficulties in labelling datasets for that purpose [for discussion, again, see A Sanchez-Graells, ‘Procurement Corruption and Artificial Intelligence: Between the Potential of Enabling Data Architectures and the Constraints of Due Process Requirements’].

Beyond the data issue, this approach also reflects a questionable understanding of the mechanics of corruption. Even without getting into much detail, or trying to be exhaustive, it seems that this is a rather peculiar approach, perhaps rooted in a rather simplistic intuition of how tenderer-led corruption (such as bribery) could work. It seems to me to have some rather obvious shortcomings.

First, it treats companies as either entirely corrupt or not at all corrupt, whereas it seems plausible that corrupt companies will not necessarily always engage in corruption for every contract. Second, it treats the public buyer as a passive agent that ‘suffers’ the corruption and never seeks, or facilitates it. There does not seem to be any consideration to the idea that a public buyer that has been embroiled in a scandal with a given tenderer may also be suspicious of corruption more generally, and worth looking into. Third, in both cases, it treats institutions as monolithic. This is particularly problematic when it comes to treating the ‘public administration’ as a single entity, specially in an institutional context of multi-level territorial governance such as the Spanish one—with eg potentially very different propensities to corruption in different regions and in relation to different (local/not) players. Fourth, the approach is also monolithic in failing to incorporate the fact that there can be corrupt individuals within organisations and that the participation of different decision-makers in different procedures can be relevant. This can be particularly important in big, diversified companies, where a corrupt branch may have no influence on the behaviour of other branches (or even keep its corruption secret from other branches for rather obvious reasons).

If AI had been used to establish this approach to the identification of potentially corrupt procurement awards, the discussion would need to go on to scrutinise how a model was constructed to generate this hypothesis or insight (or the related dataset). However, in the paper, this approach to ‘conceptualising’ or ‘labelling corruption’ is not supported by machine learning at all, but rather depends on the manual analysis and categorisation of news pieces that are unavoidably unreliable in terms of establishing the existence of corruption, as eg the generation of the ‘scandals’ and the related news reporting is itself affected by a myriad of issues. At best, the approach would be suitable to identify the types of contracts or procurement agents most likely to attract corruption allegations and to have those reported in the media. And perhaps not even that. Of course, the labelling of ‘normal’ for contracts not having attracted such media attention is also problematic.

Final thoughts

All of this shows that we need to scrutinise ‘new approaches’ to the algorithmic detection of corruption (or any other function in procurement governance and more generally) rather carefully. This not only relates to the algorithms and the related assumptions of how socio-technical processes work, but also about the broader institutional and information setting in which they are developed (for related discussion, see here). Of course, this is in part a call for more collaboration between ‘technologists’ (such as data scientist or machine learning engineers) and domain experts. But it is also a call for all scholars and policy-makers to engage in critical assessment of logic or assumptions that can be buried in technical analysis or explanations and, as such, difficult to access. Only robust scrutiny of these issues can avoid incurring massive intellectual debt and, perhaps what could be worse, pinning our hopes of improved digital procurement governance on faulty tools.

_____________

* The reference to magic in the title and the introduction relates to Zittrain’s Magic-8 ball metaphor, but also his reference to the earlier observation by Arthur C. Clarke that any sufficiently advanced technology is indistinguishable from magic.

A hot potato? CJEU faces questions on rules applicable to cross-border procurement litigation (C-480/22)

The Court of Justice has received a very interesting preliminary reference from the Austrian Supreme Administrative Court (Verwaltungsgerichtshof) concerning international conflict of laws issues relating to cross-border public procurement involving contracting entities from different Member States (Case C-480/22, EVN Business Service and Others, hereafter the ‘EVN II’ case). The preliminary reference covers issues of judicial competence and applicable procedural law to cross-border challenges of procurement decisions.

Interestingly, the case concerns a negative conflict of jurisdiction, where neither the Bulgarian nor the (first instance) Austrian courts consider themselves competent. The case thus seems to be a bit of a hot potato—although the referring (higher) Austrian court seems interested in nipping the issue in the bud, presumably to avoid a situation of deprivation of procurement remedies that would ultimately violate EU procurement rules and general requirements of access to justice under the Charter of Fundamental Rights (though this is not explicit in the preliminary reference).

The root of the problem is that the conflict of laws dimension of the administrative review of procurement decisions involving contracting authorities from different Member States is not explicitly addressed in the 2014 Procurement Directives. Although the case concerns the interpretation of Article 57 of Directive 2014/25/EU, it is of direct relevance to the interpretation of Article 39 of Directive 2014/24/EU, as the wording of provisions is near identical (with the exception of references to contracting entities rather than contracting authorities in Art 57 Dir 2014/25/UE, and the suppression of specific public sector rules on awards under framework contracts that are not relevant to this case).

I have been interested in the regulatory gaps left by Art 39 Dir 2014/24/EU for a while. In this post, I address the first two questions posed to the CJEU, as the proposed answers would make it unnecessary to answer the third question. My analysis is based on my earlier writings on the topic: A Sanchez-Graells, ‘The Emergence of Trans-EU Collaborative Procurement: A “Living Lab” for European Public Law’ (2020) 29(1) PPLR 16-41 (hereafter Sanchez-Graells, ‘Living Lab’)); and idem, ‘Article 39 - Procurement involving contracting authorities from different Member States’ in R Caranta and A Sanchez-Graells (eds), European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021) 436-447 (hereafter Sanchez-Graells, ‘Art 39’).

The ‘EVN II’ case

Based on the facts of the preliminary reference, the legal dispute originates in a ‘public house’ environment within the Austrian EVN group. The Land of Lower Austria owns 51% of EVN AG, which in turn indirectly wholly owns both (i) EVN Business Service GmbH (‘EBS GmbH’), an Austrian central purchasing body (CPB), and (ii) Elektrorazpredelenie YUG EAD (‘EY EAD’), a Bulgarian utilities company. EBS GmbH had the task of procuring services on behalf of and for the account of EY EAD through a framework agreement on the performance of electrical installation works and related construction and dismantling works divided into 36 lots, the place of performance being located in Bulgaria.

Notably, in the invitation to tender, the Landesverwaltungsgericht Niederösterreich (Regional Administrative Court, Lower Austria) was named as the competent body for appeal proceedings/review procedures. Austrian law is stated as the law applicable to the ‘procurement procedure and all claims arising therefrom’, and Bulgarian law as the law applicable to ‘the performance of the contract’.

Two Bulgarian companies unsuccessfully submitted tenders for several lots and subsequently sought to challenge the relevant award decisions. However, those claims were dismissed by the Austrian Regional Administrative Court on grounds of lack of competence. The Court argued that a decision on whether a Bulgarian undertaking may conclude a contract with a contracting entity located in Bulgaria, which is to be performed in Bulgaria and executed in accordance with Bulgarian law, would interfere massively with Bulgaria’s sovereignty, thereby giving rise to tension with the territoriality principle under international law. Moreover, the Court argued that it is not apparent from the Austrian Federal Law on public procurement which procedural law is to be applied to the review procedure.

The case thus raises both an issue of the competence for judicial review and the applicable procedural law. The conflict of jurisdiction is negative because the Bulgarian Supreme Administrative Court confirmed the lack of competence of the Bulgarian procurement supervisory authority.

An avoidable gap in the 2014 Directives

The issue of cross-border use of CPB services is regulated by Art 57(3) Dir 2014/25/EU, which in identical terms to Art 39(3) Dir 2014/24/EU, establishes that ‘The provision of centralised purchasing activities by a central purchasing body located in another Member State shall be conducted in accordance with the national provisions of the Member State where the central purchasing body is located.’

The main contention in the case is whether Article 57(3) of Directive 2014/25 must be interpreted as covering not only the procurement procedure itself, but also the rules governing the review procedure. The argument put forward by the Bulgarian challengers is that if the CPB is required to apply Austrian law from a substantive point of view, the appeal proceedings before the Austrian review bodies must also be conducted in accordance with Austrian procedural law.

As mentioned above, conflict of laws issues are not regulated in the 2014 Procurement Directives, despite explicit rules having been included by the European Commission in the 2011 proposal for a new utilities procurement directive (COM(2011) 895 final, Art 52) and the 2011 proposal for a new public sector procurement directive (COM(2011) 896 final, Art 38). With identical wording, the proposed rule was that

Several contracting [authorities/entities] may purchase works, supplies and/or services from or through a central purchasing body located in another Member State. In that case, the procurement procedure shall be conducted in accordance with the national provisions of the Member State where the central purchasing body is located [Art 52(2)/Art 38(2) of the respective proposals].

Decisions on the award of public contracts in cross-border public procurement shall be subject to the ordinary review mechanisms available under the national law applicable [Art 52(8)/Art 38(8) of the respective proposals].

The 2011 proposals would thus have resolved the conflict of laws in favour of the jurisdiction where the CPB is based. Reference to subjection ‘to the ordinary review mechanisms available under the national law applicable’ would also have encompassed the issue of applicable procedural law. The 2011 proposals also included explicit rules on the mutual recognition and collaboration in the cross-border execution of procurement review decisions (for discussion, see Sanchez-Graells, ‘Living Lab’, 25-26).

However, the 2014 Directives omit such rules. While there are indications in the recitals that the ‘new rules on cross-border joint procurementshould determine the conditions for cross-border utilisation of central purchasing bodies and designate the applicable public procurement legislation, including the applicable legislation on remedies’ (rec (82) Dir 2014/25/EU and, identically, rec (73) Dir 2014/24/EU), this is not reflected in the provisions of the Directives. While the position in the recitals could be seen as interpretive guide to the effect that the system of conflict of laws rules implicit in the Directives is unitary and the location of the CPB is determinative of the jurisdiction and applicable law for the review of its procurement decisions, this is not necessarily a definitive argument as the CJEU has made clear that recitals may be insufficient to create rules [see C-215/88, Casa Fleischhandel v BALM, EU:C:1989:331, para 31; Sanchez-Graells, ‘Art 39’, para 39.26. For discussion, see S Treumer and E Werlauff, ‘The leverage principle: Secondary Community law as a lever for the development of primary Community law’ (2003) 28(1) European Law Review 124-133].

Questions before the CJEU — and proposed answers

Given the lack of explicit solution in the 2014 Procurement Directives, the CJEU now faces two relevant questions in the EVN II case. The first question concerns the scope of the rules on the provision of cross-border CPB services, which is slightly complicated by the ‘public house’ background of the case. The second question concerns whether the rules subjecting such procurement to the law of the CPB extend to both the legislation applicable to review procedures and the competence of the review body.

Question 1 - contracting authorities/entities from different Member States

In the EVN II case, the CJEU is first asked to establish whether Art 57(3) Dir 2014/25/EU (and, implicitly Art 39(3) Dir 2014/24/EU) should be interpreted as meaning that the provision of centralised purchasing activities by a CPB located in another Member State exists where the contracting entity – irrespective of the question as to the attribution of the control exercised over that contracting entity – is located in a Member State other than that of the CPB. The issue of attribution of control arises from the fact that, in the case at hand, the ‘client’ Bulgarian contracting entity is financially controlled by an Austrian regional authority—which, incidentally, also controls the CPB providing the centralised purchasing services. This raises the question whether the client entity is ‘truly’ foreign, or whether it needs to be reclassified as Austrian on the basis of the financial control.

While I see the logic of the question in terms of the formal applicability of the Directive, from a functional perspective, the question does not make much sense and an answer other than yes would create significant complications.

The question does not make much sense because the aim of the rule in Art 57(3) does not gravitate on the first part of the article: ‘The provision of centralised purchasing activities by a central purchasing body located in another Member State shall be conducted in accordance with the national provisions of the Member State where the central purchasing body is located.’ Rather, the relevance of the rule is in the extension of the law of the CPB to ‘(a) the award of a contract under a dynamic purchasing system; [and] (b) the conduct of a reopening of competition under a framework agreement’ by the ‘client’ (foreign) contracting authority or entity. The purpose of Art 57(3) Dir 2014/25/EU is thus the avoidance of potentially conflicting rules in the creation of cross-border CPB procurement vehicles and in the call-offs from within those vehicles (Sanchez-Graells, ‘Art 39’, paras 39.13-39.15).

Functionally, then, the logic of the entirety of Art 57(3) (and Art 39(3)) rests on the avoidance of a risk of conflicting procurement rules applicable to the cross-border use of CPB services, presumably for the benefit of participating economic operators, as well as in search of broader consistency of the substantive legal framework. Either such a risk exists, because the ‘client’ contracting entity or authority would otherwise be subjected to a different procurement legislation than that applicable to the CPB, or it doesn’t. That is in my view the crucial functional aspect.

If this approach is correct, the issue of (potential) Austrian control over the Bulgarian contracting entity is irrelevant, as the crucial issue is whether it is generally subjected to Bulgarian utilities procurement law or not when conducting covered procurement. There is no information in the preliminary reference, but I would assume it is. Primarily because of the formal criteria determining subjection to the domestic implementation of the EU Directives, which tends to be (implicitly) based on the place of location of the relevant entity or authority.

More fundamentally, if this approach is correct, the impingement on Bulgarian sovereignty feared by the Austrian first instance court is a result of EU procurement law. There is no question that the 2014 Directives generate the legal effect that contracting authorities of a given Member State (A) are bound to comply with the procurement legislation of a different Member State (B) when they resort to the services of that State (B) CPB and then implement their own call-off procedures, potentially leading to the award of a contract to an undertaking in their own Member State (A). This potentially puts the legislation of State B in the position of determining whether an undertaking of State A may conclude a contract with a contracting entity located in State A, which is to be performed in State A and executed in accordance with the law of State A. It is thus not easily tenable under EU law that this represents a massive interference with State A’s sovereignty—unless one is willing to challenge the EU’s legal competence for the adoption of the 2014 Directives (see Sanchez-Graells, ‘Living Lab’, 31-33).

A further functional consideration is that the cross-border provision of CPB services does not need to be limited to a two-country setting. If the CPB of country B is eg creating a framework agreement that can be used by contracting authorities and entities from countries A, C, D, and E, the applicability of Art 57(3) Dir 2014/25/EU (and Art 39(3) Dir 2014/24/EU) could not vary for entities from those different countries, or from within a country, depending on a case-by-case analysis of the location of the entities controlling the ‘client’ authorities and entities. In other words, Art 57(3) Dir 2014/25/EU (and Art 39(3) Dir 2014/24/EU) cannot reasonably be of variable application within a single procurement.

Taking the facts of the EVN II case, imagine that in addition to EY EAD, other Bulgarian utilities were also able to draw from the (same lots of the) framework agreement put in place by EBS GmbH. How could it be that Art 57(3) controlled the procurement for the ‘clearly’ Bulgarian utilities, whereas it may not be applicable for the Bulgarian utility controlled by an Austrian authority?

In my view, all of this provides convincing argumentation for the CJEU to answer the first question by clarifying that, from a functional perspective, the need to create a unitary legal regime applicable to procurement tenders led by CPBs where there is a risk of conflicting substantive procurement rules requires interpreting Art 57(3) Dir 2014/25/EU (and Art 39(3) Dir 2014/24/EU) as applicable where the location of ‘client’ contracting authorities or entities is in one or more Member States other than that where the CPB is itself located.

Question 2 - presumption of jurisdiction and applicable law

The second question put to the CJEU builds on the applicability of Art 57(3) Dir 2014/25/EU and asks whether its ‘conflict-of-law rule … according to which the “provision of centralised purchasing activities” by a [CPB] located in another Member State is to be conducted in accordance with the national provisions of the Member State where the [CPB] is located, also cover[s] both the legislation applicable to review procedures and the competence of the review body’. Other than on the basis of the interpretive guide included in the recitals of Dir 2014/25/EU (and Dir 2014/24/EU) as above, I think there are good reasons to answer this question in the affirmative.

The first line of arguments is systematic and considers the treatment of conflict of laws situations within Art 57 Dir 2014/25/EU (and 39 Dir 2014/24/EU; see Sanchez-Graells, ‘Living Lab’, 21-24). In that regard, while there is a hard conflict of laws rule in Art 57(3) (and 39(3)) that selects the law of the CPB to the entirety of the procurement procedure, including ‘foreign’ call-offs, the situation is very different in the remainder of the provision. Indeed, when it comes to occasional cross-border joint procurement, in the absence of a binding international agreement, the choice of the applicable substantive procurement legislation is left to the agreement of the participating contracting authorities or entities (Art 57(4) Dir 2014/25/EU, and Art 39(4) Dir 2014/24/EU). Similarly, where the cross-border procurement is carried out through a joint entity, including European Groupings of territorial cooperation, the participating contracting authorities have a choice between the law of the Member State where the joint entity has its registered office, or that of the Member State where the joint entity is carrying out its activities (Art 57(5) Dir 2014/25/EU, and Art 39(5) Dir 2014/24/EU). This indicates that the choice of law rule applicable to the cross-border provision of CPB services leaves much less space (indeed, no space) to the application of a substantive procurement law other than that of the CPB. An extension of this argument supports answering the question in the affirmative and extending the choice of law rule to both the legislation applicable to review procedures and the competence of the review body.

A second line of argument concerns the effectiveness of the available procurement remedies. Such effectiveness would, on the one hand, be increased by a reduced judicial burden of considering foreign procurement law where the location of the CPB determines jurisdiction and procedural applicable law, which can also be expected to be coordinated with substantive procurement law. On the other hand, answering the question in the affirmative would require economic operators to challenge decisions concerning potential contracts with a domestic contracting authority or entity in a foreign court. However, given that the substantive rules are those of the foreign jurisdiction and that they were expected to tender (or tendered) in that jurisdiction, the effect may be relatively limited where the CPB decisions are being challenged—as compared to a challenge of the call-off decision carried out by their domestic contracting authority or entity, but subject to foreign procurement law. In my view, the last set of circumstances is very unlikely, as the applicability of the ‘foreign’ law of the CPB generates a very strong incentive for the CPBs to also carry out the call-off phase on behalf of the client authority or entity (Sanchez-Graells, ‘Art 39’, 39.14).

Overall, in my view, the CJEU should answer the second question by clarifying that the reference to the national provisions of the Member State where the CPB is located in Art Art 57(3) Dir 2014/25/EU (and 39(3) Dir 2014/24/EU, also covers both the legislation applicable to review procedures and the competence of the review body.

Some further thoughts

Beyond the specific issues before the CJEU, the EVN II case raises broader concerns around the flexible contractualised approach (not to say the absence of an approach) to conflict of laws issues in the 2014 Procurement Directives—which leave significant leeway to participating contracting authorities and entities to craft the applicable legal regime.

While the situation can be relatively easy to sort out with an expansive interpretation of Art 57(3) Dir 2014/25/EU and Art 39(3) Dir 2014/24/EU in the relatively simple case of the cross-border provision of CPB services (as above), these issues will be much more complex in other types of procurement involving contracting authorities from (multiple) different Member States. The approach followed by the first instance Austrian court in EVN II seems to me reflective of more generalised judicial approaches and attitudes towards unregulated conflict of laws situations where they can be reluctant to simply abide by whatever is published in the relevant procurement notices—as was the case in EVN II, where the invitation to tender was explicit about allocation of jurisdiction and selection of applicable procedural law and, that notwithstanding, the first instance court found issues on both grounds.

This can potentially be a major blow to the ‘contractualised’ approach underpinning the 2014 Procurement Directives, especially where situations arise that require domestic courts of a Member State to make decisions imposing liability on contracting authorities of another Member State, and the subsequent need to enforce that decision. The issue of the conflict of laws dimension of the administrative review of procurement decisions involving contracting authorities from different Member States will thus not be entirely addressed by the Judgement of the CJEU in EVN II, although the CJEU could hint at potential solutions, depending on how much it decided to rely on the 2011 proposals as a steppingstone towards an expansive interpretation of the current provisions—which is by no means guaranteed, as the suppression of explicit rules could as easily be interpreted as a presumption or as a rejection of those rules by the CJEU.

It seems clearer than ever that the procurement remedies Directives need to be reformed to create a workable and transparent system of conflict of laws dimension of the administrative review of procurement decisions involving contracting authorities from different Member States, as well as explicit rules on cross-border enforcement of those decisions (Sanchez-Graells, ‘Living Lab’, 39-40).

Save the date: 15 Dec, Tech fixes for procurement problems?

If you are interested in procurement digitalisation, please save the date for an online workshop on ‘Tech fixes for procurement problems?’ on 15 December 2022, 2pm GMT. I will have the chance to discuss my ongoing research (scroll down for a few samples) with a stellar panel: Eliza Niewiadomska (EBRD), Jessica Tillipman (GW Law), and Sope Williams (Stellenbosch). We will also have plenty time for a conversation with participants. Do not let other commitments get on the way of joining the discussion!

More details and registration coming soon. For any questions, please email me: a.sanchez-graells@bristol.ac.uk.

Emerging risks in digital procurement governance

In a previous blog post, I drew a technology-informed feasibility boundary to assess the realistic potential of digital technologies in the specific context of procurement governance. I suggested that the potential benefits from the adoption of digital technologies within that feasibility boundary had to be assessed against new governance risks and requirements for their mitigation.

In a new draft chapter (num 8) for my book project, I now explore the main governance risks and legal obligations arising from the adoption of digital technologies, which revolve around data governance, algorithmic transparency, technological dependency, technical debt, cybersecurity threats, the risks stemming from the long-term erosion of the skills base in the public sector, and difficult trade-offs due to the uncertainty surrounding immature and still changing technologies within an also evolving regulatory framework.

The analysis is not carried out in a vacuum, but in relation to the increasingly complex framework of EU digital law, including: the Open Data Directive; the Data Governance Act; the proposed Data Act; the NIS 2 Directive on cybersecurity measures, including its interaction with the Cybersecurity Act, and the proposed Directive on the resilience of critical entities and Cyber Resilience Act; as well as some aspects of the proposed EU AI Act.

This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Identifying Emerging Risks in Digital Procurement Governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4254931.

current and Imminent digital governance obligations for public buyers

Public buyers already shoulder, and will very soon face further digital governance obligations, even if they do not directly engage with digital technologies. These concern both data governance and cybersecurity obligations.

Data governance obligations

The Open Data Directive imposes an obligation to facilitate access to and re-use of procurement data for commercial or non-commercial purposes, and generates the starting position that data held by public buyers needs to be made accessible. Access is however excluded in relation to data subject to third-party rights, such as data protected by intellectual property rights (IPR), or data subject to commercial confidentiality (including business, professional, or company secrets). Moreover, in order to ensure compliance with the EU procurement rules, access should also be excluded to data subject to procurement-related confidentiality (Art 21 Dir 2014/24/EU), and data which disclosure should be withheld because the release of such information would impede law enforcement or would otherwise be contrary to the public interest … or might prejudice fair competition between economic operators (Art 55 Dir 2014/24/EU). Compliance with the Open Data Directive can thus not result in a system where all procurement data becomes accessible.

The Open Data Directive also falls short of requiring that access is facilitated through open data, as public buyers are under no active obligation to digitalise their information and can simply allow access to the information they hold ‘in any pre-existing format or language’. However, this will change with the entry into force of the rules on eForms (see here). eForms will require public buyers to hold (some) procurement information in digital format. This will trigger the obligation under the Open Data Directive to make that information available for re-use ‘by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable, together with their metadata’. Moreover, procurement data that is not captured by the eForms but in other ways (eg within the relevant e-procurement platform) will also be subject to this regime and, where making that information available for re-use by electronic means involves no ‘disproportionate effort, going beyond a simple operation’, it is plausible that the obligation of publication by electronic means will extend to such data too. This will potentially significantly expand the scope of open procurement data obligations, but it will be important to ensure that it does not result in excessive disclosure of third-party data or competition-sensitive data.

Some public buyers may want to go further in facilitating (controlled) access to procurement data not susceptible of publication as open data. In that case, they will have to comply with the requirements of the Data Governance Act (and the Data Act, if adopted). In this case, they will need to ensure that, despite authorising access to the data, ‘the protected nature of data is preserved’. In the case of commercially confidential information, including trade secrets or content protected by IPR, this can require ensuring that the data has been ‘modified, aggregated or treated by any other method of disclosure control’. Where ‘anonymising’ information is not possible, access can only be given with permission of the third-party, and in compliance with the applicable IPR, if any. The Data Governance Act explicitly imposes liability on the public buyer if it breaches the duty not to disclose third-party data, and it also explicitly requires that data access complies with EU competition law.

This shows that public buyers have an inescapable data governance role that generates tensions in the design of open procurement data mechanisms. It is simply not possible to create a system that makes all procurement data open. Data governance requires the careful management of a system of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions (as I already proposed a few years ago, see here). While the need to balance procurement transparency and the protection of data subject to the rights of others and competition-sensitive data is not a new governance challenge, the digital management of this information creates heightened risks to the extent that the implementation of data management solutions is tendentially open access. Moreover, the assessment of the potential competition impact of data disclosure can be a moving target. The risk of distortions of competition is heightened by the possibility that the availability of data allows for the deployment of technology-supported forms of collusive behaviour (as well as corrupt behaviour).

Cybersecurity obligations

Most public buyers will face increased cybersecurity obligations once the NIS 2 Directive enters into force. The core substantive obligation will be a mandate to ‘take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services’. This will require a detailed assessment of what is proportionate to the cybersecurity exposure of a public buyer.

In that analysis, the public buyer will be able to take into account ‘the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation’, and in ‘assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal and economic impact’.

Public buyers may not have the ability to carry out such an assessment with internal capabilities, which immediately creates a risk of outsourcing of the cybersecurity risk assessment, as well as other measures to comply with the related substantive obligations. This can generate further organisational dependency on outside capability, which can itself be a cybersecurity risk. As discussed below, imminent cybersecurity obligations heighten the need to close the current gaps in digital capability.

Increased governance obligations for public buyers ‘going digital’

Public buyers that are ‘going digital’ and experimenting with or deploying digital solutions face increased digital governance obligations. Given the proportionality of the cybersecurity requirements under the NIS 2 Directive (above), public buyers that use digital technologies can expect to face more stringent substantive obligations. Moreover, the adoption of digital solutions generates new or increased risks of technological dependency, of two main types. The first type refers to vendor lock-in and interoperability, and primarily concerns the increasing need to develop advanced strategies to manage IPR, algorithmic transparency, and technical debt—which could largely be side-stepped by an ‘open source by default’ approach. The second concerns the erosion of the skills base of the public buyer as technology replaces the current workforce, which generates intellectual debt and operational dependency.

Open Source by Default?

The problem of technological lock-in is well understood, even if generally inadequately or insufficiently managed. However, the deployment of Artificial Intelligence (AI), and Machine Learning (ML) in particular, raise the additional issue of managing algorithmic transparency in the context of technological dependency. This generates specific challenges in relation with the administration of public contracts and the obligation to create competition in their (re)tendering. Without access to the algorithm’s source code, it is nigh impossible to ensure a level playing field in the tender of related services, as well as in the re-tendering of the original contract for the specific ML or AI solution. This was recognised by the CJEU in a software procurement case (see here), which implies that, under EU law, public buyers are under an obligation to ensure that they have access and dissemination rights over the source code. This goes beyond emerging standards on algorithmic transparency, such as the UK’s, or what would be required if the EU AI Act was applicable, as reflected in the draft contract clauses for AI procurement. This creates a significant governance risk that requires explicit and careful consideration by public buyers, and which points at the need of embedding algorithmic transparency requirements as a pillar of technological governance related to the digitalisation of procurement.

Moreover, the development of digital technologies also creates a new wave of lock-in risks, as digital solutions are hardly off-the-shelf and can require a high level of customisation or co-creation between the technology provider and the public buyer. This creates the need for careful consideration of the governance of IPR allocation—with some of the guidance seeking to promote leaving IPR rights with the vendor needing careful reconsideration. A nuanced approach is required, as well as coordination with other legal regimes (eg State aid) where IPR is left with the contractor. Following some recent initiatives by the European Commission, an ‘open source by default’ approach would be suitable, as there can be high value derived from using and reusing common solutions, not only in terms of interoperability and a reduction of total development costs—but also in terms of enabling the emergence of communities of practice that can contribute to the ongoing improvement of the solutions on the basis of pooled resources, which can in turn mitigate some of the problems arising from limited access to digital skills.

Finally, it should be stressed that most of these technologies are still emergent or immature, which generates additional governance risks. The adoption of such emergent technologies generates technical debt. Technical debt is not solely a financial issue, but a structural barrier to digitalisation. Technical debt risks stress the importance of the adoption of the open source by default approach mentioned above, as open source can facilitate the progressive collective repayment of technical debt in relation to widely adopted solutions.

(Absolute) technological dependency

As mentioned, a second source of technological dependency concerns the erosion of the skills base of the public buyer as technology replaces the current workforce. This is different from dependence on a given technology (as above), and concerns dependence on any technological solution to carry out functions previously undertaken by human operators. This can generate two specific risks: intellectual debt and operational dependency.

In this context, intellectual debt refers to the loss of institutional knowledge and memory resulting from eg the participation in the development and deployment of the technological solutions by agents no longer involved with the technology (eg external providers). There can be many forms of intellectual debt risk, and some can be mitigated or excluded through eg detailed technical documentation. Other forms of intellectual debt risk, however, are more difficult to mitigate. For example, situations where reliance on a technological solution (eg robotic process automation, RPA) erases institutional knowledge of the reason why a specific process is carried out, as well as how that process is carried out (eg why a specific source of information is checked for the purposes of integrity screening and how that is done). Mitigating against this requires keeping additional capability and institutional knowledge (and memory) to be able to explain in full detail what specific function the technology is carrying out, why, how that is done, and how that would be done in the absence of the technology (if it could be done at all). To put it plainly, it requires keeping the ability to ‘do it by hand’—or at the very least to be able to explain how that would be done.

Where it would be impossible or unfeasible to carry out the digitised task without using technology, digitalisation creates absolute operational dependency. Mitigating against such operational dependency requires an assessment of ‘system critical’ technological deployments without which it is not possible to carry out the relevant procurement function and, most likely, to deploy measures to ensure system resilience (including redundancy if appropriate) and system integrity (eg in relation to cybersecurity, as above). It is however important to acknowledge that there will always be limits to ensuring system resilience and integrity, which should raise questions about the desirability of generating situations of absolute operational dependency. While this may be less relevant in the context of procurement governance than in other contexts, it can still be an important consideration to factor into decision-making as technological practice can fuel a bias towards (further) technological practice that can then help support unquestioned technological expansion. In other words, it will be important to consider what are the limits of absolute technological delegation.

The crucial need to boost in-house digital skills in the public sector

The importance of digital capabilities to manage technological governance risks emerges a as running theme. The specific governance risks identified in relation to data and systems integrity, including cybersecurity risks, as well as the need to engage in sophisticated management of data and IPR, show that skills shortages are problematic in the ongoing use and maintenance of digital solutions, as their implementation does not diminish, but rather expands the scope of technology-related governance challenges.

There is an added difficulty in the fact that the likelihood of materialisation of those data, systems integrity, and cybersecurity risks grows with reduced digital capabilities, as the organisation using digital solutions may be unable to identify and mitigate them. It is not only that the technology carries risks that are either known knowns or known unknowns (as above), but also that the organisation may experience them as unknown unknowns due to its limited digital capability. Limited digital skills compound those governance risks.

There is a further risk that digitalisation and the related increase in digital capability requirements can embed an element of (unacknowledged) organisational exposure that mirrors the potential benefits of the technologies. While technology adoption can augment the organisation’s capability (eg by reducing administrative burdens through automation), this also makes the entire organisation dependent on its (disproportionately small) digital capabilities. This makes the organisation particularly vulnerable to the loss of limited capabilities. From a governance perspective, this places sustainable access to digital skills as a crucial element of the critical vulnerabilities and resilience assessment that should accompany all decisions to deploy a digital technology solution.

A plausible approach would be to seek to mitigate the risk of insufficient access to in-house skills through eg the creation of additional, standby or redundant contracted capability, but this would come with its own costs and governance challenges. Moreover, the added complication is that the digital skills gap that exposes the organisation to these risks in the first place, can also fuel a dynamic of further reliance on outside capabilities (from consultancy firms) beyond the development and adoption of those digital solutions. This has the potential to exacerbate the long-term erosion of the skills base in the public sector. Digitalisation heightens the need for the public sector to build up its expertise and skills, as the only way of slowing down or reducing the widening digital skills gap and ensuring organisational resilience and a sustainable digital transition.

Conclusion

Public buyers already face significant digital governance obligations, and those and the underlying risks can only increase (potentially, very significantly) with further progress in the path of procurement digitalisation. Ultimately, to ensure adequate digital procurement governance, it is not only necessary to take a realistic look at the potential of the technology and the required enabling factors (see here), but also to embed a comprehensive mechanism of risk assessment in the process of technological adoption, which requires enhanced public sector digital capabilities, as stressed here. Such an approach can mitigate against the policy irresistibility that surrounds these technologies (see here) and contribute to a gradual and sustainable process of procurement digitalisation. The ways in which such risk assessment should be carried out require further exploration, including consideration of whether to subject the adoption of digital technologies for procurement governance to external checks (see here). This will be the object of forthcoming analysis.