Responsibly Buying Artificial Intelligence: A ‘Regulatory Hallucination’ -- draft paper for comment

© Matt Lowe/LinkedIn.

Following yesterday’s Current Legal Problems Lecture, I have uploaded the current full draft of the paper on SSRN. I would be very grateful for any comments in the next few weeks, as I plan to do a final revision and to submit it for peer-review in early 2024. Thanks in advance to those who take the time. As always, you can reach me at a.sanchez-graells@bristol.ac.uk.

The abstract of the paper is as follows:

Here, I focus on the UK’s approach to regulating public sector procurement and use of artificial intelligence (AI) in the context of the broader ‘pro-innovation’ approach to AI regulation. Borrowing from the description of AI ‘hallucinations’ as plausible but incorrect answers given with high confidence by AI systems, I argue that UK policymaking is trapped in a ‘regulatory hallucination.’ Despite having embraced the plausible ‘pro-innovation’ regulatory approach with high confidence, that is the incorrect answer to the challenge of regulating AI procurement and use by the public sector. I conceptualise the current strategy as one of ‘regulation by contract’ and identify two of its underpinning presumptions that make its deployment in the digital context particularly challenging. I show how neither the presumption of superiority of the public buyer over the public contractor, nor the related presumption that the public buyer is the rule-maker and the public contractor is the rule-taker, necessarily hold in this context. Public buyer superiority is undermined by the two-sided gatekeeping required to simultaneously discipline the behaviour of the public sector AI user and the tech provider. The public buyer’s rule-making role is also undermined by its reliance on industry-led standards, as well as by the tech provider’s upper hand in setting contractual benchmarks and controlling the ensuing self-assessments. In view of the ineffectiveness of regulating public sector AI use by contract, I then sketch an alternative strategy to boost the effectiveness of the goals of AI regulation and the protection of individual rights and collective interests through the creation of an independent authority.

Sanchez-Graells, Albert, ‘Responsibly Buying Artificial Intelligence: A “Regulatory Hallucination”’ (November 24, 2023). Current Legal Problems 2023-24, Available at SSRN: https://ssrn.com/abstract=4643273.

External oversight and mandatory requirements for public sector digital technology adoption

© Mateo Mulder-Graells (2023).

I thought the time would never come, but the last piece of my book project puzzle is now more or less in place. After finding that procurement is not the right regulatory actor and does not have the best tools of ‘digital regulation by contract’, in this last draft chapter, I explore how to discharge procurement of the assigned digital regulation role to increase the likelihood of effective enforcement of desirable goals of public sector digital regulation.

I argue that this should be done through two inter-related regulatory interventions consisting of developing (1) a regulator tasked with the external oversight of the adoption of digital technologies by the public sector, as well as (2) a suite of mandatory requirements binding both public entities seeking to adopt digital technologies and technology providers, and both in relation to the digital technologies to be adopted by the public sector and the applicable governance framework.

Detailed analysis of these issues would require much more extensive treatment than this draft chapter can offer. The modest goal here is simply to stress the key attributes and functions that each of these two regulatory interventions should have to make a positive contribution to governing the transition towards a new model of public digital governance. In this blog post, I summarise the main arguments.

As ever, I would be most grateful for feedback: a.sanchez-graells@bristol.ac.uk. Especially as I will now turn my attention to seeing how the different pieces of the puzzle fit together, while I edit the manuscript for submission before the end of July 2023.

Institutional deficit and risk of capture

In the absence of an alternative institutional architecture (or while it is put in place), procurement is expected to develop a regulatory gatekeeping role in relation to the adoption of digital technologies by the public sector, which is in turn expected to have norm-setting and market-shaping effects across the economy. This could be seen as a way of bypassing or postponing decisions on regulatory architecture.

However, earlier analysis has shown that the procurement function is not the right institution to which to assign a digital regulation role, as it cannot effectively discharge such a duty. This highlights the existence of an institutional deficit in the process of public sector digitalisation, as well as in relation to digital technology regulation more broadly. An alternative approach to institutional design is required, and it can be delivered through the creation of a notional ‘AI in Public Sector Authority’ (AIPSA).

Earlier analysis has also shown that there are pervasive risks of regulatory capture and commercial determination of the process of public sector digitalisation stemming from reliance on standards and benchmarks created by technology vendors or by bodies heavily influenced by the tech industry. AIPSA could safeguard against such risk through controls over the process of standard adoption. AIPSA could also guard against excessive experimentation with digital technologies by creating robust controls to counteract their policy irresistibility.

Overcoming the institutional deficit through AIPSA

The adoption of digital technologies in the process of public sector digitalisation creates regulatory challenges that require external oversight, as procurement is unable to effectively regulate this process. A particularly relevant issue concerns whether such oversight should be entrusted to a new regulator (broad approach), or whether it would suffice to assign new regulatory tasks to existing regulators (narrow approach).

I submit that the narrow approach is inadequate because it perpetuates regulatory fragmentation and can lead to undesirable spillovers or knock-on effects, whether the new regulatory tasks are assigned to data protection authorities, (quasi)regulators with a ‘sufficiently close’ regulatory remit in relation to information and communications technologies (ICT) (such as eg the Agency for Digital Italy (AgID), or the Dutch Advisory Council on IT assessment (AcICT)), or newly created centres of expertise in algorithmic regulation (eg the French PEReN). Such an ‘organic’ or ‘incremental’ approach to institutional development could overshadow important design considerations, as well as embed biases due to the institutional drivers of the existing (quasi)regulators.

To avoid these issues, I advocate a broader or more joined up approach in the proposal for AIPSA. AIPSA would be an independent authority with the statutory function of promoting overarching goals of digital regulation, and specifically tasked with regulating the adoption and use of digital technologies by the public sector, whether through in-house development or procurement from technology providers. AIPSA would also absorb regulatory functions in cognate areas, such as the governance of public sector data, and integrate work in areas such as cyber security. It would also serve a coordinating function with the data protection authority.

In the draft chapter, I stress three fundamental aspects of AIPSA’s institutional design: regulatory coherence, independence and expertise. Independence and expertise would be the two most crucial factors. AIPSA would need to be designed in a way that ensured both political and industry independence, with the issue of political independence having particular salience and requiring countervailing accountability mechanisms. Relatedly, the importance of digital capabilities to effectively exercise a digital regulation role cannot be overemphasised. It is not only important in relation to the active aspects of the regulatory role—such as control of standard setting or permissioning or licencing of digital technology use (below)—but also in relation to the passive aspects of the regulatory role and, in particular, in relation to reactive engagement with industry. High levels of digital capability would be essential to allow AIPSA to effectively scrutinise claims from those that sought to influence its operation and decision-making, as well as reduce AIPSA’s dependence on industry-provided information.

Safeguard against regulatory capture and policy irresistibility

Regulating the adoption of digital technologies in the process of public sector digitalisation requires establishing the substantive requirements that such technology needs to meet, as well as the governance requirements needed to ensure its proper use. AIPSA’s role in setting mandatory requirements for public sector digitalisation would be twofold.

First, through an approval or certification mechanism, it would control the process of standardisation to neutralise risks of regulatory capture and commercial determination. Where no standards were susceptible of approval or certification, AIPSA would develop them.

Second, through a permissioning or licencing process, AIPSA would ensure that decisions on the adoption of digital technologies by the public sector are not driven by ‘policy irresistibility’, that they are supported by clear governance structures and draw on sufficient resources, and that adherence to the goals of digital regulation is sustained throughout the implementation and use of digital technologies by the public sector and subject to proactive transparency requirements.

The draft chapter provides more details on both issues.

If not AIPSA … then clearly not procurement

There can be many objections to the proposals developed in this draft chapter, which would still require further development. However, most of the objections would likely also apply to the use of procurement as a tool of digital regulation. The functions expected of AIPSA closely match those expected of the procurement function under the approach to ‘digital regulation by contract’. Challenges to AIPSA’s ability to discharge such functions would be applicable to any public buyer seeking to achieve the same goals. Similarly, challenges to the independence or need for accountability of AIPSA would be equally applicable to atomised decision-making by public buyers.

While the proposal is necessarily imperfect, I submit that it would improve upon the emerging status quo and that, in discharging procurement of the digital regulation role, it would make a positive contribution to the governance of the transition to a new model of digital public governance.

The draft chapter is available via SSRN: Albert Sanchez-Graells, ‘Discharging procurement of the digital regulation role: external oversight and mandatory requirements for public sector digital technology adoption’.

Two roles of procurement in public sector digitalisation: gatekeeping and experimentation

In a new draft chapter for my monograph, I explore how, within the broader process of public sector digitalisation, and embroiled in the general ‘race for AI’ and ‘race for AI regulation’, public procurement has two roles. In this post, I summarise the main arguments (all sources, including for quoted materials, are available in the draft chapter).

This chapter frames the analysis in the rest of the book and will be fundamental in the review of the other drafts, so comments would be most welcome (a.sanchez-graells@bristol.ac.uk).

Public sector digitalisation is accelerating in a regulatory vacuum

Around the world, the public sector is quickly adopting digital technologies in virtually every area of its activity, including the delivery of public services. States are not solely seeking to digitalise their public sector and public services with a view to enhance their operation (internal goal), but are also increasingly willing to use the public sector and the construction of public infrastructure as sources of funding and spaces for digital experimentation, to promote broader technological development and boost national industries in a new wave of (digital) industrial policy (external goal). For example, the European Commission clearly seeks to make the ‘public sector a trailblazer for using AI’. This mirrors similar strategic efforts around the globe. The process of public sector digitalisation is thus embroiled in the broader race for AI.

Despite the fact that such a dynamic of public sector digitalisation raises significant regulatory risks and challenges, well-known problems in managing uncertainty in technology regulation—ie the Collingridge dilemma or pacing problem (‘cannot effectively regulate early on, so will probably regulate too late’)—and different normative positions, interact with industrial policy considerations to create regulatory hesitation and side-line anticipatory approaches. This creates a regulatory gap—or rather a laissez faire environment—whereby the public sector is allowed to experiment with the adoption of digital technologies without clear checks and balances. The current strategy is by and large one of ‘experiment first, regulate later’. And while there is little to no regulation, there is significant experimentation and digital technology adoption by the public sector.

Despite the emergence of a ‘race for AI regulation’, there are very few attempts to regulate AI use in the public sector—with the EU’s proposed EU AI Act offering a (partial) exception—and general mechanisms (such as judicial review) are proving slow to adapt. The regulatory gap is thus likely to remain, at least partially, in the foreseeable future—not least, as the effective functioning of new rules such as the EU AI Act will not be immediate.

Procurement emerges as a regulatory gatekeeper to plug that gap

In this context, proposals have started to emerge to use public procurement as a tool of digital regulation. Or, in other words, to use the acquisition of digital technologies by the public sector as a gateway to the ‘regulation by contract’ of their use and governance. Think tanks, NGOs, and academics alike have stressed that the ‘rules governing the acquisition of algorithmic systems by governments and public agencies are an important point of intervention in ensuring their accountable use’, and that procurement ‘is a central policy tool governments can deploy to catalyse innovation and influence the development of solutions aligned with government policy and society’s underlying values’. Public procurement is thus increasingly expected to play a crucial gatekeeping role in the adoption of digital technologies for public governance and the delivery of public services.

Procurement is thus seen as a mechanism of ‘regulation by contract’ whereby the public buyer can impose requirements seeking to achieve broad goals of digital regulation, such as transparency, trustworthiness, or explainability, or to operationalise more general ‘AI ethics’ frameworks. In more detail, the Council of Europe has recommended using procurement to: (i) embed requirements of data governance to avoid violations of human rights norms and discrimination stemming from faulty datasets used in the design, development, or ongoing deployment of algorithmic systems; (ii) ‘ensure that algorithmic design, development and ongoing deployment processes incorporate safety, privacy, data protection and security safeguards by design’; (iii) require ‘public, consultative and independent evaluations of the lawfulness and legitimacy of the goal that the [procured algorithmic] system intends to achieve or optimise, and its possible effects in respect of human rights’; (iv) require the conduct of human rights impact assessments; or (v) promote transparency of the ‘use, design and basic processing criteria and methods of algorithmic systems’.

Given the absence of generally applicable mandatory requirements in the development and use of digital technologies by the public sector in relation to some or all of the stated regulatory goals, the gatekeeping role of procurement in digital ‘regulation by contract’ would mostly involve the creation of such self-standing obligations—or at least the enforcement of emerging non-binding norms, such as those developed by (voluntary) standardisation bodies or, more generally, by the technology industry. In addition to creating risks of regulatory capture and commercial determination, this approach may overshadow the difficulties in using procurement for the delivery of the expected regulatory goals. A closer look at some selected putative goals of digital regulation by contract sheds light on the issue.

Procurement is not at all suited to deliver incommensurable goals of digital regulation

Some of the putative goals of digital regulation by contract are incommensurable. This is the case in particular of ‘trustworthiness’ or ‘responsibility’ in AI use in the public sector. Trustworthiness or responsibility in the adoption of AI can have several meanings, and defining what is ‘trustworthy AI’ or ‘responsible AI’ is in itself contested. This creates a risk of imprecision or generality, which could turn ‘trustworthiness’ or ‘responsibility’ into mere buzzwords—as well as exacerbate the problem of AI ethics-washing. As the EU approach to ‘trustworthy AI’ evidences, the overarching goals need to be broken down to be made operational. In the EU case, ‘trustworthiness’ is intended to cover three requirements for lawful, ethical, and robust AI. And each of them breaks down into more detailed or operationalizable requirements.

In turn, some of the goals into which ‘trustworthiness’ or ‘responsibility’ breaks down are also incommensurable. This is notably the case of ‘explainability’ or interpretability. There is no such thing as ‘the explanation’ that is required in relation to an algorithmic system, as explanations are (technically and legally) meant to serve different purposes and consequently, the design of the explainability of an AI deployment needs to take into account factors such as the timing of the explanation, its (primary) audience, the level of granularity (eg general or model level, group-based, or individual explanations), or the level of risk generated by the use of the technical solution. Moreover, there are different (and emerging) approaches to AI explainability, and their suitability may well be contingent upon the specific intended use or function of the explanation. And there are attributes or properties influencing the interpretability of a model (eg clarity) for which there are no evaluation metrics (yet?). Similar issues arise with other putative goals, such as the implementation of a principle of AI minimisation in the public sector.

Given the way procurement works, it is ill-suited for the delivery of incommensurable goals of digital regulation.

Procurement is not well suited to deliver other goals of digital regulation

There are other goals of digital regulation by contract that are seemingly better suited to delivery through procurement, such as those relating to ‘technical’ characteristics such as neutrality, interoperability, openness, or cyber security, or in relation to procurement-adjacent algorithmic transparency. However, the operationalisation of such requirements in a procurement context will be dependent on a range of considerations, such as judgements on the need to keep information confidential, judgements on the state of the art or what constitutes a proportionate and economically justified requirement, the generation of systemic effects that are hard to evaluate within the limits of a procurement procedure, or trade-offs between competing considerations. The extent to which procurement will be able to operationalise the desired goals of digital regulation will depend on its institutional embeddedness and on the suitability of procurement tools to impose specific regulatory approaches. Additional analysis conducted elsewhere (see here and here) suggests that, also in relation to these regulatory goals, the emerging approach to AI ‘regulation by contract’ cannot work well.

Procurement digitalisation offers a valuable case study

The theoretical analysis of the use of procurement as a tool of digital ‘regulation by contract’ (above) can be enriched and further developed with an in-depth case study of its practical operation in a discrete area of public sector digitalisation. To that effect, it is important to identify an area of public sector digitalisation which is primarily or solely left to ‘regulation by contract’ through procurement—to isolate it from the interaction with other tools of digital regulation (such as data protection, or sectoral regulation). It is also important for the chosen area to demonstrate a sufficient level of experimentation with digitalisation, so that the analysis is not a mere concretisation of theoretical arguments but rather grounded on empirical insights.

Public procurement is itself an area of public sector activity susceptible to digitalisation. The adoption of digital tools is seen as a potential source of improvement and efficiency in the expenditure of public funds through procurement, especially through the adoption of digital technology solutions developed in the context of supply chain management and other business operations in the private sector (or ‘ProcureTech’), but also through the adoption of digital tools tailored to the specific goals of procurement regulation, such as the prevention of corruption or collusion. There is emerging evidence of experimentation in procurement digitalisation, which is shedding light on regulatory risks and challenges.

In view of its strategic importance and the current pace of procurement digitalisation, it is submitted that procurement is an appropriate site of public sector experimentation in which to explore the shortcomings of the approach to AI ‘regulation by contract’. Procurement is an adequate case study because, being a ‘back-office’ function, it does not concern (likely) high-risk uses of AI or other digital technologies, and it is an area where data protection regulation is unlikely to provide a comprehensive regulatory framework (eg for decision automation) because the primary interactions are between public buyers and corporate institutions.

Procurement therefore currently represents an unregulated digitalisation space in which to test and further explore the effectiveness of the ‘regulation by contract’ approach to governing the transition to a new model of digital public governance.

* * * * * *

The full draft is available on SSRN as: Albert Sanchez-Graells, ‘The two roles of procurement in the transition towards digital public governance: procurement as regulatory gatekeeper and as site for public sector experimentation’ (March 10, 2023): https://ssrn.com/abstract=4384037.

Procurement tools for AI regulation by contract. Not the sharpest in the shed

I continue exploring the use of public procurement as a tool of digital regulation (or ‘AI regulation by contract’ as shorthand)—ie as a mechanism to promote transparency, explainability, cyber security, ethical and legal compliance leading to trustworthiness, etc in the adoption of digital technologies by the public sector.

After analysing procurement as a regulatory actor, a new draft chapter for my book project focuses on the procedural and substantive procurement tools that could be used for AI regulation by contract, to assess their suitability for the task.

The chapter considers whether procurement could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators. The chapter stresses how the need to prevent a transfer or delegation (ie a privatisation) of regulatory decisions as a result of the operation of the procurement rules is crucial, as technology providers are the primary target in proposals to use procurement for digital regulation by contract. In this post, I summarise the main arguments and insights in the chapter. As always, any feedback will be most warmly received: a.sanchez-graells@bristol.ac.uk.

Background

A first general consideration is that using procurement as a tool of digital regulation requires high levels of digital and commercial skills to understand the technologies being procured and the processes influencing technological design and deployment (as objects of regulation), and the procurement rules themselves (as regulatory tools). Gaps in those capabilities will jeopardise the effectiveness of using procurement as a tool of AI regulation by contract, beyond the limitations and constraints deriving from the relevant legal framework. However, to assess the (abstract) potential of procurement as a regulatory tool, it is worth distinguishing between practical and legal challenges, and to focus on legal challenges that would be present at all levels of public buyer capability.

A second general consideration is that this use of procurement could be seen as either a tool of ‘command and control’ regulation, or a tool of responsive regulation. In that regard, while there can be some space for a ‘command and control’ use of procurement as a tool of digital regulation, in the absence of clear (rules-based) regulatory benchmarks and legally-established mandatory requirements, the responsive approach to the use of procurement as a tool to enforce self-regulatory mechanisms seems likely to be predominant—in the sense that procurement requirements are likely to focus on the tenderers’ commitment to sets of practices and processes seeking to deliver (to the largest possible extent) the relevant regulatory attributes by reference to (technical) standards.

For example, it is hard to imagine the imposition of an absolute requirement for a digital solution to be ‘digitally secure’. It is rather more plausible for the tender and contract to seek to bind the technology provider to practices and procedures seeking to ensure high levels of cyber security (by reference to some relevant metrics, where they are available), as well as protocols and mechanisms to anticipate and react to any (potential) security breaches. The same applies to other desirable regulatory attributes in the procured digital technologies, such as transparency or explainability—which will most likely be describable (or described) by reference to technical standards and procedures—or to general principles, such as ethical or trustworthy AI, also requiring proceduralised implementation. In this context, procurement could be seen as a tool to promote co-regulation or (responsible) self-regulation both at tenderer and industry level, eg in relation to the development of ethical or trustworthy AI.

Against this background, it is relevant to focus on whether procurement tools could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators—ie operating as an effective tool of (responsive) meta-regulation. The analysis below takes a cradle-to-grave approach and focuses on the tools available at the phases of tender preparation and design, tender execution, and contract design and implementation. The analysis is based on EU procurement law, but the functional insights are broadly transferable to other systems.

Tender preparation and design

A public buyer seeking to use procurement as a tool of digital regulation faces an unavoidable information asymmetry. To try to reduce it, the public buyer can engage in a preliminary market consultation to obtain information on eg different technologies or implementation possibilities, or to ‘market-test’ the level of regulatory demand that could be met by existing technology providers. However, safeguards to prevent the use of preliminary market consultations to advantage specific technology providers through eg disclosure of exchanged information, as well as the level of effort required to participate in (detailed) market consultations, raise questions as to their utility to extract information in markets where secrecy is valued (as is notoriously the case of digital technology markets—see discussions on algorithmic secrecy) and where economic operators may be disinclined (or not have the resources) to provide ‘free consultancy’. Moreover, in this setting and given the absence of clear standards or industry practices, there is a heightened risk of capture in the interaction between the public buyer and potential technology providers, with preliminary market consultations not being geared for broader public consultation facilitating the participation of non-market agents (eg NGOs or research institutions). Overall, then, preliminary market consultations may do little to reduce the public buyer’s information asymmetry, while creating significant risks of capture leading to impermissible (discriminatory) procurement practices. They are thus unlikely to operate as an adequate tool to support regulation by contract.

Relatedly, a public buyer facing uncertainty as to the existing off-the-shelf offering and the level of adaptation, innovation or co-production required to otherwise achieve the performance sought in the digital technology procurement, faces a difficult choice of procurement procedure. This is a sort of chicken and egg problem, as the less information the public buyer has, the more difficult it is to choose an adequate procedure, but the choice of the procedure has implications on the information that the public buyer can extract. While the theoretical expectation could be that the public buyer would opt for a competitive dialogue or innovation partnership, as procedures targeted at this type of procurement, evidence of EU level practice shows that public buyers have a strong preference for competitive procedures with negotiations. The use of this procedure exposes the public buyer to direct risks of commercial capture (especially where the technology provider has more resources or the upper hand in negotiations) and the safeguards foreseen in EU law (ie the setting of non-negotiable minimum requirements and award criteria) are unlikely to be effective, as public buyers have a strong incentive to avoid imposing excessively demanding minima to avoid the risk of cancellation and retendering if no technology provider is capable of meeting (or willing to meet) them.

In addition, the above risks of commercial capture can be exacerbated when technology providers make exclusivity claims over the technological solutions offered, which could unlock the use of a negotiated procedure without prior publication—on the basis of absence of competition due to technical reasons, or due to the need to protect exclusive rights, including intellectual property rights. While the legal tests to access this negotiated procedure are in principle strict, the public buyer can have the wrong incentives to push through while at the same time controlling some of the safeguarding mechanisms (eg transparency of the award, or level of detail in the relevant disclosure). Similar issues arise with the possibility to creatively structure remuneration under some of these contracts to keep them below regulatory thresholds (eg by ‘remunerating in data’).

In general, this shows that the phase of tender preparation and design is vulnerable to risks of regulatory capture that are particularly relevant when the public buyer is expected to develop a regulatory role in disciplining the behaviour of the industry it interacts with. This indicates that existing flexible mechanisms of market engagement can be a source of regulatory risk, rather than a useful set of regulatory tools.

Tender execution

A public buyer seeking to use procurement as a tool of digital regulation could do so through the two main decisions of tenderer selection and tender evaluation. The expectation is that these are areas where the public buyer can exercise elements of ‘command and control’, eg through tenderer exclusion decisions as well as by setting demanding qualitative selection thresholds, or through the setting of mandatory technical specifications and the use of award constraints.

Tenderer selection

The public buyer could take a dual approach. First, to exclude technology providers with a previous track record of activity falling short of the relevant regulatory goals. Second, to incentivise or recompense high levels of positive commitment to the regulatory goals. However, both approaches present challenges.

First, the use of exclusion grounds would require clearly setting out in the tender documentation which types of digital-governance activities are considered to amount to ‘grave professional misconduct, which renders [the technology provider’s] integrity questionable’, and to reserve the possibility to exclude on grounds of ‘poor past performance’ linked to digital regulation obligations. In the absence of generally accepted standards of conduct and industry practices, and in a context of technological uncertainty, making this type of determination can be difficult, especially if the previous instance of ‘untrustworthy’ behaviour is being litigated or could (partially) be attributed to the public buyer under the previous contract. Moreover, a public buyer cannot automatically rely on the findings of another one, as the current EU rules require each contracting authority to come to its own view on the reliability of the economic operator. This raises the burden of engaging with exclusion based on these grounds, which may put some public buyers off, especially if there are complex technical questions in the background. Such judgments may require a level of expertise and available resources exceeding those of the public buyer, which could eg justify seeking to rely on third party certification instead.

Relatedly, it will be difficult to administer such tenderer screening systems through the creation of lists of approved contractors or third-party certification (or equivalent mechanisms, such as dynamic purchasing systems administered by a central purchasing body, or quality assurance certification). In all cases, the practical difficulty will be that the public buyer will either see its regulatory function conditioned or precluded by the (commercially determined) standards underlying third-party certification, or face a significant burden if it seeks to directly scrutinise economic operators otherwise. The regulatory burden will to some extent be unavoidable because all the above-mentioned mechanisms foresee that (in some circumstances) economic operators that do not have access to the relevant certification or are under no obligation to register in the relevant list must be given the opportunity to demonstrate that they meet the relevant (substantive) qualitative selection criteria by other (equivalent) means.

There will also be additional challenges in ensuring that the relevant vetting of economic operators is properly applied where the digital technology solution relies on a long (technical) supply chain or assemblage, without this necessarily involving any (formal) relationship or subcontracting between the technology provider to be contracted and the developers of parts of the technical assemblage. This points at the significant burden that the public buyer may have to overcome in seeking to use qualitative selection rules to ‘weed out’ technology providers whose (general, or past) behaviour is not aligned with the overarching regulatory goals.

Second, a more proactive approach that sought to go beyond exclusion or third-party certification to eg promote adherence to voluntary codes of conduct, or to require technology providers to justify how they eg generally ‘contribute to the development and deployment of trustworthy digital technologies’, would also face significant difficulties. Such requirements could be seen as unjustified and/or disproportionate, leading to an infringement of EU procurement law. They could also be altogether pre-empted by future legislation, such as the proposed EU AI Act.

Tender evaluation

As mentioned above, the possibility of setting demanding technical specifications and minimum requirements for tender evaluation through award constraints in principle seems like a suitable tool of digital regulation. The public buyer could focus on the technical solutions and embedding the desired regulatory attributes (eg transparency, explainability, cyber security) and regulatory checks (on data and technology governance, eg in relation to open source code or interoperability, as well as in relation to ethical assessments) in the technical specifications. Award criteria could generate (further) incentives for regulatory performance, perhaps beyond the minimum mandatory baseline. However, this is far from uncomplicated.

The primary difficulty in using technical specifications as a regulatory tool relates to the challenge of clearly specifying the desired regulatory attributes. Some or most of the desired technological attributes are difficult to observe or measure, the processes leading to their promotion are not easy to establish, the outcomes of those processes are not binary and determining whether a requirement has been met cannot be subject to strict rules, but rather to (yet to be developed) technical standards with an unavoidable degree of indefinition, which may also be susceptible of iterative application in eg agile methods, and thus difficult to evaluate at tender stage. Moreover, the desired attributes can be in conflict between themselves and/or with the main functional specifications for the digital technology deployment (eg the increasingly clear unavoidable trade-off between explainability and accuracy in some AI technologies). This issue of the definitional difficulties and the incommensurability of some or most of the regulatory goals also relates to the difficulty of establishing minimum technical requirements as an award constraint—eg to require that no contract is awarded unless the tender reaches a specific threshold in the technical evaluation in relation to all or selected requirements (eg explainability). While imposing minimum technical requirements is permitted, it is difficult to design a mechanism to quantify or objectify the evaluation of some of the desired technological attributes, which will necessarily require a complex assessment. Such assessment cannot be conducted in such a way that the public buyer has an unrestricted freedom of choice, which will require clarifying the criteria and the relevant thresholds that would justify rejecting the tender. This could become a significant sticking point.

Designing technical specifications to capture whether a digital technology is ‘ethical’ or ‘trustworthy’ seems particularly challenging. These are meta-attributes or characteristics that refer to a rather broad set of principles in the design of the technology, but also of its specific deployment, and tend to proceduralise the taking into account of relevant considerations (eg which impact will the deployment have on the population affected). Additionally, in some respects, the extent to which a technological deployment will be ethical or trustworthy is out of the hands of the technology provider (eg may depend on decisions of the entity adopting the technology, eg on how it is used), and in some aspects it depends on specific decisions and choices made during contract implementation. This could make it impossible to verify at the point of the tender whether the end result will or will not meet the relevant requirements—while including requirements that cannot be effectively verified prior to award would most likely breach current legal limits.

A final relevant consideration is that technical specifications cannot be imposed in a prescriptive manner, with technology providers having to be allowed to demonstrate compliance by equivalence. This limits the potential prescriptiveness of the technical specifications that can be developed by the public buyer, at least in relation to some of the desired technological attributes, which will always be constrained by their nature of standards rather than rules (or metrics) and the duty to consider equivalent modes of compliance. This erodes the practical scope of using technical specifications as regulatory instruments.

Relatedly, the difficulties in using award criteria to pursue regulatory goals stem from difficulties in the operationalisation of qualitative criteria in practice. First, there is a set of requirements on the formulation of award criteria that seek to avoid situations of unrestricted freedom of choice for the public buyer. The requirements tend to require a high level of objectivity, including in the structuring of award criteria of a subjective nature. In that regard, in order to guarantee an objective comparison and to eliminate the risk of arbitrary treatment, recent case law has been clear that award criteria intended to measure the quality of the tenders must be accompanied by indications which allow a sufficiently concrete comparative assessment between tenders, especially where the quality carries most of the points that may be allocated for the purposes of awarding the tender.

In part, the problem stems from the absence of clear standards or benchmarks to be followed in such an assessment, as well as the need to ensure the possibility of alternative compliance (eg with labels). This can be seen, for example, in relation to explainability. It would not suffice to establish that the solutions need to be explainable or to use explainability as an award criterion without more. It would be necessary to establish sub-criteria, such as eg ‘the solution needs to ensure that an individualised explanation for every output is generated’ (ie requiring local explainability rather than general explainability of the model). This would still need to be further specified, as to what type of explanation and containing which information, etc. The difficulty is that there are multiple approaches to local explainability and that most of them are contested, as is the general approach to post hoc explanations in itself. This puts the public buyer in the position of having to solve complex technical and other principled issues in relation to this award criterion alone. In the absence of standard methodologies, this is a tall order that can well make the procedure inviable or not used (with clear parallels to eg the low uptake of life-cycle costing approaches). However, the development of such methodologies parallels the issues concerning the development of technical standards. Once more, when such standards, benchmarks or methodologies emerge, reliance on them can thus (re)introduce risks of commercial determination, depending on how they are set.

Contract design and implementation

Given the difficulties in using qualitative selection, technical specifications and award criteria to embed regulatory requirements, it is possible that they are pushed to the design of the contract and, in particular, to their treatment as contract performance conditions, in particular to create procedural obligations seeking to maximise attainment of the relevant regulatory goals during contract implementation (eg to create specific obligations to test, audit or upgrade the technological solution in relation to specific regulatory goals, with cyber security being a relatively straightforward one), or to pass on, ‘back-to-back’, mandatory obligations where they result from legislation (eg to impose transparency obligations, along the lines of the model standard clauses for AI procurement being developed at EU level).

In addition to the difficulty inherent in designing the relevant mechanisms of contractualised governance, a relevant limitation of this approach to embedding (self-standing) regulatory requirements in contract compliance clauses is that recent case law has made clear that ‘compliance with the conditions for the performance of a contract is not to be assessed when a contract is awarded’. Therefore, at award stage, all that can be asked is for technology providers to commit to such requirements as (future) contractual obligations—which creates the risk of awarding the contract to the best liar.

More generally, the effectiveness of contract performance clauses will depend on the contractual remedies attached to them and, in relation to some of the desirable attributes of the technologies, it can well be that there are no adequate contractual remedies or that the potential damages are disproportionate to the value of the contract. There will be difficulties in their use where obligations can be difficult to specify, where negative outputs and effects are difficult to observe or can only be observed with delay, and where contractual remedies are inadequate. It should be stressed that the embedding of regulatory requirements as contract performance clauses can have the effect of converting non-compliance into (mere) money claims against the technology provider. And, additionally, that contractual termination can be complicated or require a significant delay where the technological deployment has created operational dependency that cannot be mitigated in the short or medium term. This does not seem necessarily aligned with the regulatory gatekeeping role expected of procurement, as it can be difficult to create the adequate financial incentives to promote compliance with the overarching regulatory goals in this way—by contrast with, for example, the possibility of sanctions imposed by an independent regulator.

Conclusion

The analysis has stressed those areas where the existing rules prevent the imposition of rigid regulatory requirements or demands for compliance with pre-specified standards (to the exclusion of alternative ones), and those areas where the flexibility of the rules generates heightened risks of regulatory capture and commercial determination of the regulatory standards. Overall, this shows that it is either not easy or at all possible to use procurement tools to embed regulatory requirements in the tender procedure and in public contracts, or that those tools are highly likely to end up being a conduit for the direct or indirect application of commercially determined standards and industry practices.

This supports the claim that using procurement for digital regulation purposes will either be highly ineffective or, counterintuitively, put the public buyer in a position of rule-taker rather than rule-setter and market-shaper—or perhaps both. In the absence of non-industry led standards and requirements formulated eg by an independent regulator, on which procurement tools could be leveraged, each public buyer would either have to discharge a high (and possibly excessive) regulatory burden, or be exposed to commercial capture. This provides the basis for an alternative approach. The next step in the research project will thus be to focus on such mandatory requirements as part of a broader proposal for external oversight of the adoption of digital technologies by the public sector.

Regulating public and private interactions in public sector digitalisation through procurement

As discussed in previous entries in this blog (see here, here, here, here or here), public procurement is progressively being erected as the gatekeeper of the public interest in the process of digital technology adoption by the public sector, and thus positioned as digital technology regulator—especially in the EU and UK context.

In this gatekeeping role, procurement is expected to ensure that the public sector only acquires and adopts trustworthy technologies, and that (private) technology providers adhere to adequate technical, legal, and ethical standards to ensure that this is the case. Procurement is also expected to operate as a lever for the propagation of (soft) regulatory tools, such as independently set technical standards or codes of conduct, to promote their adoption and harness market dynamics to generate effects beyond the public sector (ie market-shaping). Even further, where such standards are not readily available or independently set, the procurement function is expected to formulate specific (contractual) requirements to ensure compliance with the overarching regulatory goals identified at higher levels of policymaking. The procurement function is thus expected to leverage the design of public tenders and public contracts as tools of digital technology regulation to plug the regulatory gap resulting from the absence of binding (legal) requirements. This is a tall order.

Analysing this gatekeeping role and whether procurement can adequately perform it is the focus of the last part of my current research project. In this latest draft book chapter, I focus on an analysis of the procurement function as a regulatory actor. The following chapter will focus on an analysis of procurement rules on the design of tender procedures and some elements of contractual design as regulatory tools. Combined, the analyses will shed light on the unsuitability of procurement to carry out this gatekeeping role in the absence of minimum mandatory requirements and external oversight, which will also be explored in detail in later chapters. This draft book chapter is giving me a bit of a hard time and some of the ideas there are still slightly tentative, so I would more than ever welcome any and all feedback.

In ‘Regulating public and private interactions in public sector digitalisation through procurement: the clash between agency and gatekeeping logics’, my main argument is that the proposals to leverage procurement to regulate public sector digitalisation, which seek to use public sector market power and its gatekeeping role to enforce standards of technological regulation by embedding them in public contracts, are bound to generate significant dysfunction due to a break in regulatory logic. That regulatory logic results from an analysis of the procurement function from an agency theory and a gatekeeping theory perspective, which in my view evidence the impossibility for procurement to carry out conflicting roles. To support this claim, I explore: 1) the position of the procurement function amongst the public and private actors involved in public sector digitalisation; 2) the governance implications of the procurement function’s institutional embeddedness; and 3) the likely (in)effectiveness of public contracts in disciplining private and public behaviour, as well as behaviour that is mutually influenced or coproduced by public and private actors during the execution of public contracts.

My analysis finds that, in the regulation of public-private interactions, the regulatory logic underpinning procurement is premised on the existence of a vertical relationship between the public buyer and (potential) technology providers and an expectation of superiority of the public buyer, which is thus (expected to be) able to dictate the terms of the market interaction (through tender requirements), to operate as gatekeeper (eg by excluding potential providers that fall short of pre-specified standards), and to dictate the terms of the future contract (eg through contract performance clauses with a regulatory component). This regulatory logic hits obvious limitations when the public buyer faces potential providers with market power, an insufficient offer of (regulated) goods and services, or significant information asymmetries, which result in a potential ‘weak public buyer’ problem. Attempts to address this problem have generally relied on procurement centralisation and upskilling of the (centralised) procurement workforce, but those measures create additional governance challenges (especially centralisation) and are unlikely to completely re-establish the balance of power required for the effective regulation by contract of public sector digitalisation, as far as the provider side is concerned.

Parking the ‘weak public buyer’ problem, my analysis then focuses on the regulation of public-public interactions between the adopting public sector entity and the procurement function. I separate them for the purposes of the analysis, to point out that at theoretical level, there is a tension between the expectations of agency and gatekeeping theories in this context. While both of them conceptualise the relationship as vertical, they operate on an opposite understanding of who holds a predominant position. Under agency theory, the public buyer is the agent and thus subject to the instructions of the public entity that will ultimately adopt the digital technology. Conversely, under gatekeeping theory, the public buyer is the (independent) guarantor of a set of goals or attributes in public sector digitalisation projects and is thus tasked with ensuring compliance therewith. This would place the public buyer in a position of (functional) superiority, in that it would (be expected to) be able to dictate (some of) the terms of the technological adoption. This conflict in regulatory logics creates a structural conflict of interest for the procurement function as both agent and gatekeeper.

The analysis then focuses on how the institutional embeddedness of procurement exacerbates this problem. Where the procurement function is embedded in the same administrative unit or entity that is seeking to adopt the technology, it is subjected to hierarchical governance and thus lacks the independence required to carry out the gatekeeping role. Similarly, where the procurement function is separate (eg in the case of centralised or collaborative procurement), in the absence of mandatory requirements (eg to use the centralised procurement vehicle), the adopting public entity retains discretion whether to subject itself to the (gatekeeper) procurement function or to carry out its own procurement. Moreover, even when it uses centralised procurement vehicles, it tends to retain discretion (eg on the terms of mini-competitions or for the negotiation of some contractual clauses), which also erodes the position of the procurement function to effectively carry out its gatekeeping role.

On the whole, the procurement function is not in a good position to discipline the behaviour of the adopting public entity and this creates another major obstacle to the effectiveness of the proposed approach to the regulation by contract of public sector digitalisation. This is exacerbated by the fact that the adopting public entity will be the principal of the regulatory contract with the (chosen) technology provider, which means that the contractual mechanisms designed to enforce regulatory goals will be left to interpretation and enforcement by those actors whose behaviour it seeks to govern.

In such decentred interactions, procurement lacks any meaningful means to challenge deviations from the contract that are in the mutual interest of both the adopting entity and the technology provider. The emerging approach to regulation by contract cannot properly function where the adopting public entity is not entirely committed to maximising the goals of digital regulation that are meant to be enforced by contract, and where the public contractor has a concurring interest in deviating from those goals by reducing the level of demand of the relevant contractual clauses. In the setting of digital technology regulation, this seems a likely common case, especially if we consider that the main regulatory goals (eg explainability, trustworthiness) are open-ended and thus the question is not whether the goals in themselves are embraced in abstracto by the adopting entity and the technology provider, but the extent to which effective (and costly or limiting) measures are put in place to maximise the realisation of such goals. In this context, (relational) contracts seem inadequate to prevent behaviour (eg shirking) that is in the mutual interest of the contractual parties.

This generates what I label as a ‘two-sided gatekeeping’ challenge. This challenge encapsulates the difficulties for the procurement function to effectively influence regulatory outcomes where it needs to discipline both the behaviour of technology providers and adopting entities, and where contract implementation depends on the decentred interaction of those two agents with the procurement function as a (toothless) bystander.

Overall, then, the analysis shows that agency and gatekeeping theory point towards a dysfunction in the leveraging of procurement to regulate public sector digitalisation by contract. There are two main points of tension or rupture with the regulatory logic. First, the regulatory approach cannot effectively operate in the absence of a clear set of mandatory requirements to bind the discretion of the procurement function during the tendering and contract formation phase, as well as the discretion of the adopting public entity during contract implementation phase, and which are also enforceable on the technology provider regardless of the terms of the contract. Second, the regulatory approach cannot effectively operate in the absence of an independent actor capable of enforcing those standards and monitoring continuous compliance during the lifecycle of technological adoption and use by the public sector entity. As things stand, the procurement function is affected by structural and irresolvable conflicts between its overlaid roles. Moreover, even if the procurement function was not caught by the conflicting logics and requirements of agency and gatekeeping (eg as a result of the adoption of the mandatory requirements mentioned above), it would still not be in an adequate position to monitor and discipline the behaviour of the adopting public entity—and, relatedly, of the technology provider—after the conclusion of the procurement phase.

The regulatory analysis thus points to the need to discharge the procurement function from its newest gatekeeping role, to realign it with agency theory as appropriate. This would require both the enactment of mandatory requirements and the subjection to external oversight of the process of technological adoption by the public sector. This same conclusion will be further supported by an analysis of the limitations of procurement law to effectively operate as a regulatory tool, which will be the focus of the next chapter in the book.

Interesting legislative proposal to make procurement of AI conditional on external checks

Procurement is progressively put in the position of regulating what types of artificial intelligence (AI) are deployed by the public sector (ie taking a gatekeeping function; see here and here). This implies that the procurement function should be able to verify that the intended AI (and its use/foreseeable misuse) will not cause harms—or, where harms are unavoidable, come up with a system to weigh, and if appropriate/possible manage, that risk. I am currently trying to understand the governance implications of this emerging gatekeeping role to assess whether procurement is best placed to carry it out.

In the context of this reflection, I found a very useful recent paper: M E Kaminski, ‘Regulating the Risks of AI’ (2023) 103 Boston University Law Review forthcoming. In addition to providing a useful critique of the treatment of AI harms as risk and of the implications in terms of the regulatory baggage that (different types of) risk regulation implies, Kaminski provides an overview of a very interesting legislative proposal: Washington State’s Bill SB 5116.

Bill SB 5116 is a proposal for new legislation ‘establishing guidelines for government procurement and use of automated decision systems in order to protect consumers, improve transparency, and create more market predictability’. The governance approach underpinning the Bill is interesting in two respects.

First, the Bill includes a ban on certain uses of AI in the public sector. As Kaminski summarises: ‘Sec. 4 of SB 5116 bans public agencies from engaging in (1) the use of an automated decision system that discriminates, (2) the use of an “automated final decision system” to “make a decision impacting the constitutional or legal rights… of any Washington resident” (3) the use of an “automated final decision system…to deploy or trigger any weapon;” (4) the installation in certain public places of equipment that enables AI-enabled profiling, (5) the use of AI-enabled profiling “to make decisions that produce legal effects or similarly significant effects concerning individuals”’ (at 66, fn 398).

Second, the Bill subjects the procurement of the AI to approval by the director of the office of the chief information officer. As Kaminski clarifies: ‘The bill’s assessment process is thus more like a licensing scheme than many proposed impact assessments in that it envisions a central regulator serving a gatekeeping function (albeit probably not an intensive one, and not over private companies, which aren’t covered by the bill at all). In fact, the bill is more protective than the GDPR in that the state CIO must make the algorithmic accountability report public and invite public comment before approving it’ (at 66, references omitted).

What the Bill does, then, is to displace the gatekeeping role from the procurement function itself to the data protection regulator. It also sets the specific substantive criteria the regulator has to apply in deciding whether to authorise the procurement of the AI.

Without getting into the detail of the Washington Bill, this governance approach seems to have two main strengths over the current emerging model of procurement self-regulation of the gatekeeping role (in the EU).

First, it facilitates a standardisation of the substantive criteria to be applied in assessing the potential harms resulting from AI adoption in the public sector, with a concentration on the specific characteristics of decision-making in this context. Importantly, it creates a clear area of illegality. Some of it is in line with eg the prohibition of certain AI uses in the Draft EU AI Act (profiling), or in the GDPR (prohibition of solely automated individual-decision making, including profiling — although it may go beyond it). Moreover, such an approach would allow for an expansion of prohibited uses in the specific context of the public sector, which the EU AI Act mostly fails to tackle (see here). It would also allow for the specification of constraints applicable to the use of AI by the public sector, such as a heightened obligation to provide reasons (see M Fink & M Finck, ‘Reasoned A(I)dministration: Explanation Requirements in EU Law and the Automation of Public Administration’ (2022) 47(3) European Law Review 376-392).

Second, it introduces an element of external (independent) verification of the assessment of potential AI harms. I think this is a crucial governance point because most proposals relying on the internal (self) assessment by the procurement team fail to consider the extent to which such approach ensures (a) adequate resourcing (eg specialism and experience in the type of assessment) and (b) sufficient objectivity in the assessment. On the second point, with procurement teams often being told to ‘just go and procure what is needed’, moving to a position of gatekeeper or controller could be too big an ask (depending on institutional aspects that require closer consideration). Moreover, this would be different from other aspects of gatekeeping that procurement has progressively been asked to carry out (also excessively, in my view: see here).

When the procurement function is asked to screen for eg potential contractors’ social or environmental compliance track record, it is usually at arm’s length from those being reviewed (and the rules on conflict of interest are there to strengthen that position). Conversely, when the procurement function is asked to screen for the likely impact on citizens and/or users of public services of an initiative promoted by the operational part of the organisation to which it belongs, things are much more complicated.

That is why some systems (like the US FAR) create elements of separation between the procurement team and those in charge of reviewing eg competition issues (by means of the competition advocate). This is a model reflected in the Washington Bill’s approach to requiring external (even if within the public administration) verification and approval of the AI impact assessment. If procurement is to become a properly functioning gatekeeper of the adoption of AI by the public sector, this regulatory approach (ie having an ‘AI Harms Controller’) seems promising. Definitely a model worth thinking about for a little longer.

Protecting procurement's AI gatekeeping role in domestic law, and trade agreements? -- re Irion (2022)

The increasing recognition of the role of procurement as AI gatekeeper, or even as AI (pseudo)regulator, is quickly galvanising and leading to proposals to enshrine it in domestic legislation. For example, in the Parliamentary process of the UK’s 2022 Procurement Bill, an interesting amendment has surfaced. The proposal by Lord Clement-Jones would see the introduction of the following clause:

“Procurement principles: automated decision-making and data ethics

In carrying out a procurement, a contracting authority must ensure the safe, sustainable and ethical use of automated or algorithmic decision-making systems and the responsible and ethical use of data.”

The purpose of the clause would be to ensure ‘that the ethical use of automated decision-making and data is taken into account when carrying out a procurement.’ This is an interesting proposal that would put the procuring entity, even if not the future user of the AI (?), in the legally-mandated position of custodian or gatekeeper for trustworthy AI—which, of course, depending on future interpretation could be construed narrowly or expansively (e.g. on whether to limit it to automated decision-making, or extend it to decision-making support algorithmic systems?).

This would go beyond current regulatory approaches in the UK, where this gatekeeping position arises from soft law, such as the 2020 Guidelines for AI procurement. It would probably require significant additional guidance on how this role is to be operationalised, presumably through algorithmic impact assessments and/or other forms of ex ante intervention, such as the imposition of (standard) requirements in the contracts for AI procurement, or even ex ante algorithmic audits.

These requirements would be in line with influential academic proposals [e.g. M Martini, ‘Regulating Algorithms. How to Demystify the Alchemy of Code?’ in M Ebers & S Navas, Algorithms and Law (CUP 2020) 100, 115, and 120-22], as well as largely map onto voluntary compliance with the EU AI Act’s requirements for high-risk AI uses (which is the approach also currently followed in the proposal for standard contractual clauses for the procurement of AI by public organisations being developed under the auspices of the European Commission).

One of the key practical considerations for a contracting authority to be able to discharge this gatekeeping role (amongst many others on expertise, time, regulatory capture, etc) is access to source code (also discussed here). Without accessing the source code, the contracting authority can barely understand the workings of the (to be procured) algorithms. Therefore, it is necessary to preserve the possibility of demanding access to source code for all purposes related to the procurement (and future re-procurement) of AI (and other software).

From this perspective, it is interesting to take a look at current developments in the protection of source code at the level of international trade regulation. An interesting paper coming out of the on-going FAccT conference addresses precisely this issue: K Irion, ‘Algorithms Off-limits? If digital trade law restricts access to source code of software then accountability will suffer’ (2022) FAccT proceedings 1561-70.

Irion’s paper provides a good overview of the global efforts to protect source code in the context of trade regulation, maps how free trade agreements are increasingly used to construct an additional layer of protection for software source code (primarily from forced technology transfer), and rightly points at risks of regulatory lock-out or pre-emption depending on the extent to which source code confidentiality is pierced for a range of public interest cases.

What is most interesting for the purposes of our discussion is that source code protection is not absolute, but explicitly deactivated in the context of public procurement in all emerging treaties (ibid, 1564-65). Generally, the treaties either do not prohibit, or have an explicit exception for, source code transfers in the context of commercially negotiated contracts—which can in principle include contracts with the public sector (although the requirement for negotiation could be a hurdle in some scenarios). More clearly, under what can be labelled as the ‘EU approach’, there is an explicit carve-out for ‘the voluntary transfer of or granting of access to source code for instance in the context of government procurement’ (see Article 8.73 EU-Japan EPA; similarly, Article 207 EU–UK TCA; and Article 9 EU-Mexico Agreement in principle). This means that the EU (and other major jurisdictions) are very clear in their (intentional?) approach to preserve the gatekeeping role of procurement by enabling contracting authorities to require access to software source code.

Conversely, the set of exceptions generally emerging in source code protection via trade regulation can be seen as insufficient to ensure high levels of algorithmic governance resulting from general rules imposing ex ante interventions. Indeed, Irion argues that ‘Legislation that mandates conformity assessments, certification schemes or standardized APIs would be inconsistent with the protection of software source code inside trade law’ (ibid, 1564). This is debatable, as a less limiting interpretation of the relevant exceptions seems possible, in particular as they concern disclosure for regulatory examination (with the devil, of course, being in the detail of what is considered a regulatory body and how ex ante interventions are regulated in a particular jurisdiction).

If this stringent understanding (under which mandating regulatory compliance is seen as a violation of the general prohibition on source code disclosure for the purposes of its ‘tradability’ in a specific jurisdiction) becomes the prevailing interpretation of the relevant FTAs, and regulatory interventions are thus constrained to ex post case-by-case investigations, it is easy to see how the procurement-related exceptions will become an (even more important) conduit for ex ante access to software source code for regulatory purposes, in particular where the AI is to be deployed in the context of public sector activity.

This is thus an interesting area of digital trade regulation to keep an eye on. And, more generally, it will be important to make sure that the AI gatekeeping role assigned to the procurement function is aligned with international obligations resulting from trade liberalisation treaties—which would require a general propagation of the ‘EU approach’ to explicitly carving out procurement-related disclosures.

'Government Cloud Procurement' as precursor of procurement gatekeeping? -- re McGillivray (2022)

I have started reading K McGillivray, Government Cloud Procurement. Contracts, Data Protection, and the Quest for Compliance (Cambridge University Press 2022), which promises to be a big addition to the literature on the procurement of digital technologies. One of the key issues the book explores at length is the central role that public contracts play in filling (some of the) regulatory gaps left by the absence of legislation addressing the challenges of cloud computing.

This got me thinking that this gap-filling function of public contracts in the cloud sphere is reflective of the broader role that procurement procedures and the ensuing public contracts are starting to develop in relation to other types of digital technology—notably, artificial intelligence (AI).

Procurement regulation will increasingly (be expected to) play a crucial gatekeeping role in the adoption of digital technologies for public governance and public service delivery. As rightly stressed: ‘The rules governing the acquisition of algorithmic systems by governments and public agencies are an important point of intervention in ensuring their accountable use’ [Ada Lovelace Institute, AI Now Institute and Open Government Partnership, Algorithmic Accountability for the Public Sector (August 2021) 33]. Ultimately, contracts and other arrangements for the development and acquisition of digital solutions are the entry point into the public sector for these innovations, and the procurement rules can be either a catalyst or a hindrance to co-production and experimentation with digital governance solutions.

The gatekeeping role of procurement underpinned eg one of the recommendations of the UK’s Committee on Standards in Public Life, in its report on Artificial Intelligence and Public Standards: ‘Government should use its purchasing power in the market to set procurement requirements that ensure that private companies developing AI solutions for the public sector appropriately address public standards. This should be achieved by ensuring provisions for ethical standards are considered early in the procurement process and explicitly written into tenders and contractual arrangements’ (2020: 51). A variation of the gatekeeping approach can concentrate on procurement practice and the embedding of specific controls as a matter of public buyer deontology [see P Oluka Nagitta et al., ‘Human-centered artificial intelligence for the public sector: The gate keeping role of the public procurement professional’ (2022) 200 Procedia Computer Science 1084-1092].

There is thus a growing recognition of the pragmatic utility of leveraging procurement mechanisms to ensure transparency and accountability in algorithmic systems, particularly considering that these systems play a crucial role in policymaking and decision-making by public agencies [DK Mulligan and KA Bamberger, ‘Procurement as policy: Administrative process for machine learning’ (2019) 34(3) Berkeley Technology L. J. 773-851]. Consequently, there is increasing interest in a reassessment of the existing procurement rules as they apply to contracts for digital technologies; as well as in the redesign of procurement to foster reliability, sustainability, and public trust in AI [see e.g. UK Government, BEIS, DCMS and Office for AI, Guidelines for AI procurement (8 June 2020); also W Naudé and N Dimitri, ‘Public Procurement and Innovation for Human-Centered Artificial Intelligence’ (2021)].

However, the challenges in effectively mobilising procurement for this gatekeeping function are yet to be properly conceptualised and understood [see e.g. P Nowicki, ‘Deus Ex Machina?: Some Remarks on Public Procurement in the Second Machine Age’ (2020) 1 EPPPL 53-60; see also K McBride et al, ‘Towards a Systematic Understanding on the Challenges of Procuring Artificial Intelligence in the Public Sector’ (2021)].

As I keep thinking about this (see here for earlier thoughts), I am realising that the emerging discussion or conceptualisation of public procurement (or procurement professionals) as gatekeepers of the adoption of AI by the public sector (and more broadly) can fall into the same trap of partiality as the equivalent discussion of financial gatekeepers in the corporate governance sphere years ago.

As Prof Coffee brightly pointed out [Gatekeepers: The Professions and Corporate Governance (OUP, 2006) 2-3] in the context of financial markets, there are two important dimensions of gatekeeping at play: one concerns ‘strict’ gatekeeping in terms of veto capacity (eg an audit firm can decline to provide an opinion on corporate accounts, or a lawyer can decline to provide an opinion required for the closing of a specific corporate transaction). The other dimension, however, concerns a reputational aspect of gatekeeping that can generate reliance by third parties (eg an investment bank acquiring shares of a target company can lead others to also invest in that company).

In the procurement context, it seems to me that there is also a strict gatekeeping function (procurement requirements determine which technology/provider cannot get a public contract, eg to protect a specific public interest or avoid a specific public harm; or which one can, provided it abides by specific contractualised requirements), as well as a reputational gatekeeping function (eg procurement of specific technologies/from specific providers can have a signalling effect that triggers further procurement by other public buyers and/or adoption by the private sector).

While in financial markets the reputational aspect is dependent on market-based issues (such as repeat transactions), in procurement settings reputation is almost a given due to a presumption of strict scrutiny of public providers (and thus the importance of ‘past performance’, or other signals such as being able to disclose that a technology or provider is used by Department X, or in some other settings ‘by appointment to HM the Queen’). This compounds the importance of procurement gatekeeping, as it not only concerns the specific decision adopted by a given public buyer, but also the broader access of technologies and providers into the public sector (and beyond).

However, a significant difference between gatekeeping in financial markets and in procurement stems from the likely main source of potential failure of the gatekeeper. While in financial markets gatekeepers can be expected to be high-skilled but subject to structural conflicts of interest, in particular due to the way they are remunerated (which impinges on their independence), in procurement markets there is a real risk that public buyers are not only subject to potential conflicts of interest (an enduring issue in procurement regulation, and the source of incomplete attempts at the regulation of conflicts of interest and integrity in procurement), but also underprepared for the gatekeeping task.

In other words, the asymmetry of information seems to operate in reverse in both settings. While in financial markets the superior information and related skills belong to the gatekeeper (as compared to the retail, or even (passive) institutional investors), in procurement markets the information and skills disadvantage plays against the gatekeeper (public buyer) and in favour of those seeking to sell their technology.

And this is where the analysis by McGillivray is again interesting, as it highlights compliance challenges and gaps resulting from the parallel procurement-based gatekeeping of data protection law in the government cloud procurement sphere. Plenty of food for thought (at least for me).

The 'NHS Food Scanner' app as a springboard to explore the regulation of public sector recommender systems

In England, the Department of Health and Social Care (DHSC) offers an increasingly wide range of public health-related apps. One of the most recently launched is the ‘Food Scanner’, which aims to provide ‘swap suggestions, which means finding healthier choices for your family is easier than ever!’.

This is part of a broader public health effort to tackle, among other issues, child obesity, and is currently supported by a strong media push aimed primarily at parents. As the parent of two young children, this clearly caught my attention.

The background for this public health intervention is clear:

Without realising it, we are all eating too much sugar, saturated fat and salt. Over time this can lead to harmful changes on the inside and increases the risk of serious diseases in the future. Childhood obesity is a growing issue with figures showing that in England, more than 1 in 4 children aged 4- to 5-years-old and more than 1 in 3 children aged 10 and 11-years-old are overweight or obese.

The Be Food Smart campaign empowers families to take control of their diet by making healthier food and drink choices. The free app works by scanning the barcode of products, revealing the total sugar, saturated fat and salt inside and providing hints and tips for adults plus fun food detectives activities for kids.

No issues with that. My family and myself could do with a few healthier choices. So I downloaded the app and started playing around.

As I scanned a couple of (unavoidably) branded products from the cupboard, I realised that the swaps were not for generic, alternative, healthier products, but also for branded products (often of a different brand). While this has the practical advantage of specifying the recommended healthier alternative in an ‘actionable’ manner for the consumer, this made my competition lawyer part of the brain uneasy.

The proposed swaps were (necessarily) ranked and limited, with a ‘top 3’ immediately on display, and with a possibility to explore further swaps not too easy to spot (unless you scrolled down to the bottom). The different offered swaps also had a ‘liked’ button with a counter (still in very low numbers, probably because the app is very new), but those ‘likes’ did not seem to establish ranking (or alter it?), as lower ranked items could have higher like counts (in my limited experiment).

I struggled to make sense of how products are chosen and presented. This piqued my interest, so I looked at how the swaps ‘work’.

The in-app information explained that:

How do we do this?

We look into 3 aspects of the product that you have scanned:
1) Product name; so we can try and find similar products based on the words used within the name.
2) Ingredients list; so we can try and find similar products based on the ingredients of the product you have scanned.
3) Pack size; finally we look into the size of the product you have scanned so that, if you have scanned a 330ml can, we can try and show you another can-sized product rather than a 1 litre bottle.

How are they ordered?

We have a few rules as to what we show within the top 3. We reserve spaces for:
1) The same manufacturer; if you have scanned a particular brand we will do our best to try and find a healthier version of that same brand which qualifies for a good choice badge.
2) The same supermarket; if you have scanned a supermarket product we will again do our best to show you an alternative from the same store.
3) Partner products; there are certain products which team up with Change4life that we will try and show if they match the requirements of the products you have scanned.

I could see that convenience and a certain element of ‘competition neutrality’ were clearly at play, but a few issues bothered me, especially as the interaction between manufacturer/supermarket is not too clear and there is a primary but nebulous element of preferencing that I was not expecting in an app meant to provide product-based information. I could see myself spending the night awake, trying to find out how that ‘partnership’ is structured, what are the conditions for participating, if there are any financial flows to the Department and/or to partner organisations, etc.

I also realised some quirks or errors in the way information is processed and presented by the Food Scanner app, such as the exact same product (in different format) being assigned different ‘red light’ classifications (see the Kellogg’s Corn Flakes example on the side bar). At a guess, it could be that these divergences come from the fact that there is no single source for the relevant information (it would seem that ‘The nutrient data provided in the app is supplied by Brandbank and FoodSwitch’) and that there is not an entity overseeing the process and curating the data as necessary. In fact, DHSC’s terms and conditions for the Food Scanner app (at 6.10) explicitly state that ‘We do not warrant that any such information is true or accurate and we exclude all liability in respect of the accuracy, completeness, fitness for purpose or legality of that information’. Interesting…

It is also difficult to see how different elements of the red light system (ie sugar vs saturated fat vs salt) are subject to trade-offs as eg, sometimes, a red/green/yellow product is recommended swapping with a yellow/yellow/yellow product. Working out the scoring system behind such recommendations seems difficult, as there will necessarily be a trade-off between limiting (very) high levels of one of the elements against recommending products that are ‘not very healthy’ on all counts. There has to be a system behind this: in the end, there has to be an algorithm underpinning the app. But how does it work and what science informs it?

These are all questions I am definitely interested in exploring. However, I called it a night and planned to look for some help to investigate this properly (a small research project is in the making and I have recruited a fantastic research associate — keep an eye on the blog for more details). For now, I can only jot down a few thoughts on things that will be interesting to explore, to which I really have no direct answers.

The Food Scanner is clearly a publicly endorsed (and owned? developed?) recommender system. However, using a moderate research effort, it is very difficult to access useful details on how it works. There is no published algorithmic transparency template (that I could find). The in-app explanations of how the recommender system works raise more questions than they answer.

There is also no commitment by the DHSC to the information provided being ‘true or accurate’, not to mention complete. This displaces the potential liability and all the accountability for the information on display to (a) Brandbank, a commercial entity within the multinational Nielsen conglomerate, and to (b) FoodSwitch, a data-technology platform developed by The George Institute for Global Health. The role of these two institutions, in particular concerning the ‘partnership’ between manufacturers and Change4life (now ‘Better Health’ and, effectively, the Office for Health Improvement & Disparities in the DHSC?), is unclear. It is also unclear whether the combination of the datasets operated by both entities is capable of providing a sufficiently comprehensive representation of the products effectively available in England and, in any case, it seems clear to me that there is a high risk (or certainty) that non mass production/consumption ‘healthy products’ are out of the equation. How this relates to broader aspects of competition, but also of public health policy, can only raise questions.

Additionally, all of this raises quite a few issues from the perspective of the trustworthiness that this type of app can command, as well as the broader competition law implications resulting from the operation of the Food Scanner.

And I am sure that more and more questions will come to mind as I spend more time obsessing about it.

Beyond the specificities of the case, it seems to me that the NHS Food Scanner app is a good springboard to explore the regulation of public sector recommender systems more generally — or, rather, some of the risks implicit in the absence of specific regulation and the difficulties in applying standard regulatory mechanisms (and, perhaps, especially competition law) in this context. Hopefully, there will be some interesting research findings to report by the summer. Stay tuned, and keep healthy!

The elusiveness of academic integrity and its value: some musings against any relaxation of standards

One of the most complicated and elusive elements in the day to day of a professional academic has to do with some form of academic integrity and, particularly, with the keeping of academic standards. This is a fundamental part of our role in two main dimensions: peer review and student assessment.

In the peer review area, this relates to editorial functions (such as the blind review of manuscripts before publication in academic journals, or the publication of book reviews) as well as to the active participation in research debates (such as conferences, seminars or, these days, Twitter and blog platforms).

In student assessment, the array of activities is even broader, from marking (and second marking) of undergraduate work, to external examining in other institutions, to supervision of postgraduate students and, maybe with the highest significance, the examination of PhD theses. The indivisible connection between assessment and academic standards can hardly be overstated (see The Quality Assurance Agency for Higher Education's position here).
 
In my view and (still limited) experience, all these processes feed into each other and the only sensible strategy for a professional academic concerned with academic integrity and the keeping of academic standards (which are the only value that universities should really protect above any other) is to try to remain actively involved in both dimensions (ie peer review and assessment) and to resist the permanent pressures to lower standards here and there. It may sound slightly self-important, but I think that professional academics need to perceive ourselves as gatekeepers and resist calls to open the doors too often or too easily.

It is also very important for us, as a community, to be able to communicate to society that this is the core, most fundamental function that we develop and the most significant value we add in return for the (always too limited, always too insecure) funding of our activities. Hence, when there are debates about the purpose and function of higher education institutions and their (core) employees, we should always make sure to stress that we uphold academic integrity and enforce academic standards. It may sound too vague, but this is the most important function we can possibly perform. And it is also the most distinctive.
 
Otherwise, if we fail to keep academic integrity, the ensuing dilution of academic standards will end up resulting in a scenario where academic qualifications are completely irrelevant because they no longer tell anyone how much of an expert somebody is, or how qualified to develop activities in a field that requires scientific knowledge. It will also be impossible to distinguish one university from another on the basis of any valuable merits-based metric and, in the end, academic excellence will fade away.
 
Of course, keeping academic integrity is difficult to do and usually comes (sooner or later) at a personal cost. Nobody likes to tell someone else that their work/research is not up to the applicable standard and we all tend to get upset when we hear it. Nobody likes rejection or failure. However, professional academics need to be able to swallow that bitter pill every now and then, and make sure that standards are kept despite colleagues, peers or students getting upset or frustrated. Hopefully, their (academic) maturity will make those feelings go away and the objectiveness of the academic assessment will be recognised sooner or later.
 
At this time of the year, with so many assessments going on and so many pressures coming from rankings based on student satisfaction such as yesterday's Guardian 2015 University Guide tables, it is worth reminding ourselves of the value and long-term relevance of what we do. We cannot always please everyone if that means that academic integrity is jeopardised. And, most importantly, we must not do it. If we sacrifice academic standards on the altar of satisfaction, the importance and long-term viability of higher education institutions will be doomed. Clearly, a bitter pill to swallow.