Implementation Challenges for the Procurement Act 2023

January 12, 2024

I have put together a consolidated overview of the primary challenges for the implementation of the Procurement Act 2023, to be included as a country report in a forthcoming issue of the European Procurement & Public Private Partnership Law Review.

It brings together developments discussed in the blog over the last year or so, including the transparency ambition, the innovation ambition, and the training offer linked to the Transforming Public Procurement project.

In case of interest, it can be downloaded from SSRN: https://ssrn.com/abstract=4692660.

It contains nothing new, though, so assiduous readers may want to skip this one!

Responsibly Buying Artificial Intelligence: A ‘Regulatory Hallucination’ -- draft paper for comment

November 24, 2023

Following yesterday’s Current Legal Problems Lecture, I have uploaded the current full draft of the paper on SSRN. I would be very grateful for any comments in the next few weeks, as I plan to do a final revision and to submit it for peer-review in early 2024. Thanks in advance for those who take the time. As always, you can reach me at a.sanchez-graells@bristol.ac.uk.

The abstract of the paper is as follows:

Here, I focus on the UK’s approach to regulating public sector procurement and use of artificial intelligence (AI) in the context of the broader ‘pro-innovation’ approach to AI regulation. Borrowing from the description of AI ‘hallucinations’ as plausible but incorrect answers given with high confidence by AI systems, I argue that UK policymaking is trapped in a ‘regulatory hallucination.’ Despite having embraced the plausible ‘pro-innovation’ regulatory approach with high confidence, that is the incorrect answer to the challenge of regulating AI procurement and use by the public sector. I conceptualise the current strategy as one of ‘regulation by contract’ and identify two of its underpinning presumptions that make its deployment in the digital context particularly challenging. I show how neither the presumption of superiority of the public buyer over the public contractor, nor the related presumption that the public buyer is the rule-maker and the public contractor is the rule-taker, necessarily hold in this context. Public buyer superiority is undermined by the two-sided gatekeeping required to simultaneously discipline the behaviour of the public sector AI user and the tech provider. The public buyer’s rule-making role is also undermined by its reliance on industry-led standards, as well as by the tech provider’s upper hand in setting contractual benchmarks and controlling the ensuing self-assessments. In view of the ineffectiveness of regulating public sector AI use by contract, I then sketch an alternative strategy to boost the effectiveness of the goals of AI regulation and the protection of individual rights and collective interests through the creation of an independent authority.

Sanchez-Graells, Albert, ‘Responsibly Buying Artificial Intelligence: A “Regulatory Hallucination”’ (November 24, 2023). Current Legal Problems 2023-24, Available at SSRN: https://ssrn.com/abstract=4643273.

External oversight and mandatory requirements for public sector digital technology adoption

April 11, 2023

I thought the time would never come, but the last piece of my book project puzzle is now more or less in place. After finding that procurement is not the right regulatory actor and does not have the best tools of ‘digital regulation by contract’, in this last draft chapter, I explore how to discharge procurement of the assigned digital regulation role to increase the likelihood of effective enforcement of desirable goals of public sector digital regulation.

I argue that this should be done through two inter-related regulatory interventions consisting of developing (1) a regulator tasked with the external oversight of the adoption of digital technologies by the public sector, as well as (2) a suite of mandatory requirements binding both public entities seeking to adopt digital technologies and technology providers, and both in relation to the digital technologies to be adopted by the public sector and the applicable governance framework.

Detailed analysis of these issues would require much more extensive treatment than this draft chapter can offer. The modest goal here is simply to stress the key attributes and functions that each of these two regulatory interventions should have to make a positive contribution to governing the transition towards a new model of public digital governance. In this blog post, I summarise the main arguments.

As ever, I would be most grateful for feedback: a.sanchez-graells@bristol.ac.uk. Especially as I will now turn my attention to seeing how the different pieces of the puzzle fit together, while I edit the manuscript for submission before end of July 2023.

Institutional deficit and risk of capture

In the absence of an alternative institutional architecture (or while it is put in place), procurement is expected to develop a regulatory gatekeeping role in relation to the adoption of digital technologies by the public sector, which is in turn expected to have norm-setting and market-shaping effects across the economy. This could be seen as a way of bypassing or postponing decisions on regulatory architecture.

However, earlier analysis has shown that the procurement function is not the right institution to which to assign a digital regulation role, as it cannot effectively discharge such a duty. This highlights the existence of an institutional deficit in the process of public sector digitalisation, as well as in relation to digital technology regulation more broadly. An alternative approach to institutional design is required, and it can be delivered through the creation of a notional ‘AI in Public Sector Authority’ (AIPSA).

Earlier analysis has also shown that there are pervasive risks of regulatory capture and commercial determination of the process of public sector digitalisation stemming from reliance on standards and benchmarks created by technology vendors or by bodies heavily influenced by the tech industry. AIPSA could safeguard against such risk through controls over the process of standard adoption. AIPSA could also guard against excessive experimentation with digital technologies by creating robust controls to counteract their policy irresistibility.

Overcoming the institutional deficit through AIPSA

The adoption of digital technologies in the process of public sector digitalisation creates regulatory challenges that require external oversight, as procurement is unable to effectively regulate this process. A particularly relevant issue concerns whether such oversight should be entrusted to a new regulator (broad approach), or whether it would suffice to assign new regulatory tasks to existing regulators (narrow approach).

I submit that the narrow approach is inadequate because it perpetuates regulatory fragmentation and can lead to undesirable spillovers or knock-on effects, whether the new regulatory tasks are assigned to data protection authorities, (quasi)regulators with a ‘sufficiently close’ regulatory remit in relation with information and communications technologies (ICT) (such as eg the Agency for Digital Italy (AgID), or the Dutch Advisory Council on IT assessment (AcICT)), or newly created centres of expertise in algorithmic regulation (eg the French PEReN). Such ‘organic’ or ‘incremental’ approach to institutional development could overshadow important design considerations, as well embed biases due to the institutional drivers of the existing (quasi)regulators.

To avoid these issues, I advocate a broader or more joined up approach in the proposal for AIPSA. AIPSA would be an independent authority with the statutory function of promoting overarching goals of digital regulation, and specifically tasked with regulating the adoption and use of digital technologies by the public sector, whether through in-house development or procurement from technology providers. AIPSA would also absorb regulatory functions in cognate areas, such as the governance of public sector data, and integrate work in areas such as cyber security. It would also serve a coordinating function with the data protection authority.

In the draft chapter, I stress three fundamental aspects of AIPSA’s institutional design: regulatory coherence, independence and expertise. Independence and expertise would be the two most crucial factors. AIPSA would need to be designed in a way that ensured both political and industry independence, with the issue of political independence having particular salience and requiring countervailing accountability mechanisms. Relatedly, the importance of digital capabilities to effectively exercise a digital regulation role cannot be overemphasised. It is not only important in relation to the active aspects of the regulatory role—such as control of standard setting or permissioning or licencing of digital technology use (below)—but also in relation to the passive aspects of the regulatory role and, in particular, in relation to reactive engagement with industry. High levels of digital capability would be essential to allow AIPSA to effectively scrutinise claims from those that sought to influence its operation and decision-making, as well as reduce AIPSA’s dependence on industry-provided information.

safeguard against regulatory capture and policy irresistibility

Regulating the adoption of digital technologies in the process of public sector digitalisation requires establishing the substantive requirements that such technology needs to meet, as well as the governance requirements need to ensure its proper use. AIPSA’s role in setting mandatory requirements for public sector digitalisation would be twofold.

First, through an approval or certification mechanism, it would control the process of standardisation to neutralise risks of regulatory capture and commercial determination. Where no standards were susceptible of approval or certification, AIPSA would develop them.

Second, through a permissioning or licencing process, AIPSA would ensure that decisions on the adoption of digital technologies by the public sector are not driven by ‘policy irresistibility’, that they are supported by clear governance structures and draw on sufficient resources, and that adherence to the goals of digital regulation is sustained throughout the implementation and use of digital technologies by the public sector and subject to proactive transparency requirements.

The draft chapter provides more details on both issues.

If not AIPSA … then clearly not procurement

There can be many objections to the proposals developed in this draft chapter, which would still require further development. However, most of the objections would likely also apply to the use of procurement as a tool of digital regulation. The functions expected of AIPSA closely match those expected of the procurement function under the approach to ‘digital regulation by contract’. Challenges to AIPSA’s ability to discharge such functions would be applicable to any public buyer seeking to achieve the same goals. Similarly, challenges to the independence or need for accountability of AIPSA would be similarly applicable to atomised decision-making by public buyers.

While the proposal is necessarily imperfect, I submit that it would improve upon the emerging status quo and that, in discharging procurement of the digital regulation role, it would make a positive contribution to the governance of the transition to a new model of digital public governance.

The draft chapter is available via SSRN: Albert Sanchez-Graells, ‘Discharging procurement of the digital regulation role: external oversight and mandatory requirements for public sector digital technology adoption’.

Two roles of procurement in public sector digitalisation: gatekeeping and experimentation

March 10, 2023

In a new draft chapter for my monograph, I explore how, within the broader process of public sector digitalisation, and embroiled in the general ‘race for AI’ and ‘race for AI regulation’, public procurement has two roles. In this post, I summarise the main arguments (all sources, included for quoted materials, are available in the draft chapter).

This chapter frames the analysis in the rest of the book and will be fundamental in the review of the other drafts, so comments would be most welcome (a.sanchez-graells@bristol.ac.uk).

Public sector digitalisation is accelerating in a regulatory vacuum

Around the world, the public sector is quickly adopting digital technologies in virtually every area of its activity, including the delivery of public services. States are not solely seeking to digitalise their public sector and public services with a view to enhance their operation (internal goal), but are also increasingly willing to use the public sector and the construction of public infrastructure as sources of funding and spaces for digital experimentation, to promote broader technological development and boost national industries in a new wave of (digital) industrial policy (external goal). For example, the European Commission clearly seeks to make the ‘public sector a trailblazer for using AI’. This mirrors similar strategic efforts around the globe. The process of public sector digitalisation is thus embroiled in the broader race for AI.

Despite the fact that such dynamic of public sector digitalisation raises significant regulatory risks and challenges, well-known problems in managing uncertainty in technology regulation—ie the Collingridge dilemma or pacing problem (‘cannot effectively regulate early on, so will probably regulate too late’)—and different normative positions, interact with industrial policy considerations to create regulatory hesitation and side-line anticipatory approaches. This creates a regulatory gap —or rather a laissez faire environment—whereby the public sector is allowed to experiment with the adoption of digital technologies without clear checks and balances. The current strategy is by and large one of ‘experiment first, regulate later’. And while there is little to no regulation, there is significant experimentation and digital technology adoption by the public sector.

Despite the emergence of a ‘race for AI regulation’, there are very few attempts to regulate AI use in the public sector—with the EU’s proposed EU AI Act offering a (partial) exception—and general mechanisms (such as judicial review) are proving slow to adapt. The regulatory gap is thus likely to remain, at least partially, in the foreseeable future—not least, as the effective functioning of new rules such as the EU AI Act will not be immediate.

Procurement emerges as a regulatory gatekeeper to plug that gap

In this context, proposals have started to emerge to use public procurement as a tool of digital regulation. Or, in other words, to use the acquisition of digital technologies by the public sector as a gateway to the ‘regulation by contract’ of their use and governance. Think tanks, NGOs, and academics alike have stressed that the ‘rules governing the acquisition of algorithmic systems by governments and public agencies are an important point of intervention in ensuring their accountable use’, and that procurement ‘is a central policy tool governments can deploy to catalyse innovation and influence the development of solutions aligned with government policy and society’s underlying values’. Public procurement is thus increasingly expected to play a crucial gatekeeping role in the adoption of digital technologies for public governance and the delivery of public services.

Procurement is thus seen as a mechanism of ‘regulation by contract’ whereby the public buyer can impose requirements seeking to achieve broad goals of digital regulation, such as transparency, trustworthiness, or explainability, or to operationalise more general ‘AI ethics’ frameworks. In more detail, the Council of Europe has recommended using procurement to: (i) embed requirements of data governance to avoid violations of human rights norms and discrimination stemming from faulty datasets used in the design, development, or ongoing deployment of algorithmic systems; (ii) ‘ensure that algorithmic design, development and ongoing deployment processes incorporate safety, privacy, data protection and security safeguards by design’; (iii) require ‘public, consultative and independent evaluations of the lawfulness and legitimacy of the goal that the [procured algorithmic] system intends to achieve or optimise, and its possible effects in respect of human rights’; (iv) require the conduct of human rights impact assessments; or (v) promote transparency of the ‘use, design and basic processing criteria and methods of algorithmic systems’.

Given the absence of generally applicable mandatory requirements in the development and use of digital technologies by the public sector in relation to some or all of the stated regulatory goals, the gatekeeping role of procurement in digital ‘regulation by contract’ would mostly involve the creation of such self-standing obligations—or at least the enforcement of emerging non-binding norms, such as those developed by (voluntary) standardisation bodies or, more generally, by the technology industry. In addition to creating risks of regulatory capture and commercial determination, this approach may overshadow the difficulties in using procurement for the delivery of the expected regulatory goals. A closer look at some selected putative goals of digital regulation by contract sheds light on the issue.

Procurement is not at all suited to deliver incommensurable goals of digital regulation

Some of the putative goals of digital regulation by contract are incommensurable. This is the case in particular of ‘trustworthiness’ or ‘responsibility’ in AI use in the public sector. Trustworthiness or responsibility in the adoption of AI can have several meanings, and defining what is ‘trustworthy AI’ or ‘responsible AI’ is in itself contested. This creates a risk of imprecision or generality, which could turn ‘trustworthiness’ or ‘responsibility’ into mere buzzwords—as well as exacerbate the problem of AI ethics-washing. As the EU approach to ‘trustworthy AI’ evidences, the overarching goals need to be broken down to be made operational. In the EU case, ‘trustworthiness’ is intended to cover three requirements for lawful, ethical, and robust AI. And each of them break down into more detailed or operationalizable requirements.

In turn, some of the goals into which ‘trustworthiness’ or ‘responsibility’ breaks down are also incommensurable. This is notably the case of ‘explainability’ or interpretability. There is no such thing as ‘the explanation’ that is required in relation to an algorithmic system, as explanations are (technically and legally) meant to serve different purposes and consequently, the design of the explainability of an AI deployment needs to take into account factors such as the timing of the explanation, its (primary) audience, the level of granularity (eg general or model level, group-based, or individual explanations), or the level of risk generated by the use of the technical solution. Moreover, there are different (and emerging) approaches to AI explainability, and their suitability may well be contingent upon the specific intended use or function of the explanation. And there are attributes or properties influencing the interpretability of a model (eg clarity) for which there are no evaluation metrics (yet?). Similar issues arise with other putative goals, such as the implementation of a principle of AI minimisation in the public sector.

Given the way procurement works, it is ill-suited for the delivery of incommensurable goals of digital regulation.

Procurement is not well suited to deliver other goals of digital regulation

There are other goals of digital regulation by contract that are seemingly better suited to delivery through procurement, such as those relating to ‘technical’ characteristics such as neutrality, interoperability, openness, or cyber security, or in relation to procurement-adjacent algorithmic transparency. However, the operationalisation of such requirements in a procurement context will be dependent on a range of considerations, such as judgements on the need to keep information confidential, judgements on the state of the art or what constitutes a proportionate and economically justified requirement, the generation of systemic effects that are hard to evaluate within the limits of a procurement procedure, or trade-offs between competing considerations. The extent to which procurement will be able to operationalise the desired goals of digital regulation will depend on its institutional embeddedness and on the suitability of procurement tools to impose specific regulatory approaches. Additional analysis conducted elsewhere (see here and here) suggests that, also in relation to these regulatory goals, the emerging approach to AI ‘regulation by contract’ cannot work well.

Procurement digitalisation offers a valuable case study

The theoretical analysis of the use of procurement as a tool of digital ‘regulation by contract’ (above) can be enriched and further developed with an in-depth case study of its practical operation in a discrete area of public sector digitalisation. To that effect, it is important to identify an area of public sector digitalisation which is primarily or solely left to ‘regulation by contract’ through procurement—to isolate it from the interaction with other tools of digital regulation (such as data protection, or sectoral regulation). It is also important for the chosen area to demonstrate a sufficient level of experimentation with digitalisation, so that the analysis is not a mere concretisation of theoretical arguments but rather grounded on empirical insights.

Public procurement is itself an area of public sector activity susceptible to digitalisation. The adoption of digital tools is seen as a potential source of improvement and efficiency in the expenditure of public funds through procurement, especially through the adoption of digital technology solutions developed in the context of supply chain management and other business operations in the private sector (or ‘ProcureTech’), but also through the adoption of digital tools tailored to the specific goals of procurement regulation, such as the prevention of corruption or collusion. There is emerging evidence of experimentation in procurement digitalisation, which is shedding light on regulatory risks and challenges.

In view of its strategic importance and the current pace of procurement digitalisation, it is submitted that procurement is an appropriate site of public sector experimentation in which to explore the shortcomings of the approach to AI ‘regulation by contract’. Procurement is an adequate case study because, being a ‘back-office’ function, it does not concern (likely) high-risk uses of AI or other digital technologies, and it is an area where data protection regulation is unlikely to provide a comprehensive regulatory framework (eg for decision automation) because the primary interactions are between public buyers and corporate institutions.

Procurement therefore currently represents an unregulated digitalisation space in which to test and further explore the effectiveness of the ‘regulation by contract’ approach to governing the transition to a new model of digital public governance.

* * * * * *

The full draft is available on SSRN as: Albert Sanchez-Graells, ‘The two roles of procurement in the transition towards digital public governance: procurement as regulatory gatekeeper and as site for public sector experimentation’ (March 10, 2023): https://ssrn.com/abstract=4384037.

Procurement centralisation, digital technologies and competition (new working paper)

March 2, 2023

I have just uploaded on SSRN the new working paper ‘Competition Implications of Procurement Digitalisation and the Procurement of Digital Technologies by Central Purchasing Bodies’, which I will present at the conference on “Centralization and new trends" to be held at the University of Copenhagen on 25-26 April 2023 (there is still time to register!).

The paper builds on my ongoing research on digital technologies and procurement governance, and focuses on the interaction between the strategic goals of procurement centralisation and digitalisation set by the European Commission in its 2017 public procurement strategy.

The paper identifies different ways in which current trends of procurement digitalisation and the challenges in procuring digital technologies push for further procurement centralisation. This is in particular to facilitate the extraction of insights from big data held by central purchasing bodies (CPBs); build public sector digital capabilities; and boost procurement’s regulatory gatekeeping potential. The paper then explores the competition implications of this technology-driven push for further procurement centralisation, in both ‘standard’ and digital markets.

The paper concludes by stressing the need to bring CPBs within the remit of competition law (which I had already advocated eg here), the opportunity to consider allocating CPB data management to a separate competent body under the Data Governance Act, and the related need to develop an effective system of mandatory requirements and external oversight of public sector digitalisation processes, specially to constrain CPBs’ (unbridled) digital regulatory power.

The full working paper reference is: A Sanchez-Graells, Albert, ‘Competition Implications of Procurement Digitalisation and the Procurement of Digital Technologies by Central Purchasing Bodies’ (March 2, 2023), Available at SSRN: https://ssrn.com/abstract=4376037. As always, any feedback most welcome: a.sanchez-graells@bristol.ac.uk.

Procurement tools for AI regulation by contract. Not the sharpest in the shed

February 24, 2023

I continue exploring the use of public procurement as a tool of digital regulation (or ‘AI regulation by contract’ as shorthand)—ie as a mechanism to promote transparency, explainability, cyber security, ethical and legal compliance leading to trustworthiness, etc in the adoption of digital technologies by the public sector.

After analysing procurement as a regulatory actor, a new draft chapter for my book project focuses on the procedural and substantive procurement tools that could be used for AI regulation by contract, to assess their suitability for the task.

The chapter considers whether procurement could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators. The chapter stresses how the need to prevent a transfer or delegation (ie a privatisation) of regulatory decisions as a result of the operation of the procurement rules is crucial, as technology providers are the primary target in proposals to use procurement for digital regulation by contract. In this post, I summarise the main arguments and insights in the chapter. As always, any feedback will be most warmly received: a.sanchez-graells@bristol.ac.uk.

Background

A first general consideration is that using procurement as a tool of digital regulation requires high levels of digital and commercial skills to understand the technologies being procured and the processes influencing technological design and deployment (as objects of regulation), and the procurement rules themselves (as regulatory tools). Gaps in those capabilities will jeopardise the effectiveness of using procurement as a tool of AI regulation by contract, beyond the limitations and constraints deriving from the relevant legal framework. However, to assess the (abstract) potential of procurement as a regulatory tool, it is worth distinguishing between practical and legal challenges, and to focus on legal challenges that would be present at all levels of public buyer capability.

A second general consideration is that this use of procurement could be seen as either a tool of ‘command and control’ regulation, or a tool of responsive regulation. In that regard, while there can be some space for a ‘command and control’ use of procurement as a tool of digital regulation, in the absence of clear (rules-based) regulatory benchmarks and legally-established mandatory requirements, the responsive approach to the use of procurement as a tool to enforce self-regulatory mechanisms seems likely to be predominant —in the sense that procurement requirements are likely to focus on the tenderers’ commitment to sets of practices and processes seeking to deliver (to the largest possible extent) the relevant regulatory attributes by reference to (technical) standards.

For example, it is hard to imagine the imposition of an absolute requirement for a digital solution to be ‘digitally secure’. It is rather more plausible for the tender and contract to seek to bind the technology provider to practices and procedures seeking to ensure high levels of cyber security (by reference to some relevant metrics, where they are available), as well as protocols and mechanisms to anticipate and react to any (potential) security breaches. The same applies to other desirable regulatory attributes in the procured digital technologies, such as transparency or explainability—which will most likely be describable (or described) by reference to technical standards and procedures—or to general principles, such as ethical or trustworthy AI, also requiring proceduralised implementation. In this context, procurement could be seen as a tool to promote co-regulation or (responsible) self-regulation both at tenderer and industry level, eg in relation to the development of ethical or trustworthy AI.

Against this background, it is relevant to focus on whether procurement tools could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators—ie operating as an effective tool of (responsive) meta-regulation. The analysis below takes a cradle-to-grave approach and focuses on the tools available at the phases of tender preparation and design, tender execution, and contract design and implementation. The analysis is based on EU procurement law, but the functional insights are broadly transferable to other systems.

Tender preparation and design

A public buyer seeking to use procurement as a tool of digital regulation faces an unavoidable information asymmetry. To try to reduce it, the public buyer can engage in a preliminary market consultation to obtain information on eg different technologies or implementation possibilities, or to ‘market-test’ the level of regulatory demand that could be met by existing technology providers. However, safeguards to prevent the use of preliminary market consultations to advantage specific technology providers through eg disclosure of exchanged information, as well as the level of effort required to participate in (detailed) market consultations, raise questions as to their utility to extract information in markets where secrecy is valued (as is notoriously the case of digital technology markets—see discussions on algorithmic secrecy) and where economic operators may be disinclined (or not have the resources) to provide ‘free consultancy’. Moreover, in this setting and given the absence of clear standards or industry practices, there is a heightened risk of capture in the interaction between the public buyer and potential technology providers, with preliminary market consultations not being geared for broader public consultation facilitating the participation of non-market agents (eg NGOs or research institutions). Overall, then, preliminary market consultations may do little to reduce the public buyer’s information asymmetry, while creating significant risks of capture leading to impermissible (discriminatory) procurement practices. They are thus unlikely to operate as an adequate tool to support regulation by contract.

Relatedly, a public buyer facing uncertainty as to the existing off-the-shelf offering and the level of adaptation, innovation or co-production required to otherwise achieve the performance sought in the digital technology procurement, faces a difficult choice of procurement procedure. This is a sort of chicken and egg problem, as the less information the public buyer has, the more difficult it is to choose an adequate procedure, but the choice of the procedure has implications on the information that the public buyer can extract. While the theoretical expectation could be that the public buyer would opt for a competitive dialogue or innovation partnership, as procedures targeted at this type of procurement, evidence of EU level practice shows that public buyers have a strong preference for competitive procedures with negotiations. The use of this procedure exposes the public buyer to direct risks of commercial capture (especially where the technology provider has more resources or the upper hand in negotiations) and the safeguards foreseen in EU law (ie the setting of non-negotiable minimum requirements and award criteria) are unlikely to be effective, as public buyers have a strong incentive to avoid imposing excessively demanding minima to avoid the risk of cancellation and retendering if no technology provider is capable (or willing) to meet them.

In addition, the above risks of commercial capture can be exacerbated when technology providers make exclusivity claims over the technological solutions offered, which could unlock the use of a negotiated procedure without prior publication—on the basis of absence of competition due to technical reasons, or due to the need to protect seclusive rights, including intellectual property rights. While the legal tests to access this negotiated procedure are in principle strict, the public buyer can have the wrong incentives to push through while at the same time controlling some of the safeguarding mechanisms (eg transparency of the award, or level of detail in the relevant disclosure). Similar issues arise with the possibility to creatively structure remuneration under some of these contracts to keep them below regulatory thresholds (eg by ‘remunerating in data’).

In general, this shows that the phase of tender preparation and design is vulnerable to risks of regulatory capture that are particularly relevant when the public buyer is expected to develop a regulatory role in disciplining the behaviour of the industry it interacts with. This indicates that existing flexible mechanisms of market engagement can be a source of regulatory risk, rather than a useful set of regulatory tools.

Tender execution

A public buyer seeking to use procurement as a tool of digital regulation could do so through the two main decisions of tenderer selection and tender evaluation. The expectation is that these are areas where the public buyer can exercise elements of ‘command and control’, eg through tenderer exclusion decisions as well as by setting demanding qualitative selection thresholds, or through the setting of mandatory technical specifications and the use of award constraints.

Tenderer selection

The public buyer could take a dual approach. First, to exclude technology providers with a previous track record of activity falling short of the relevant regulatory goals. Second, to incentivise or recompense high levels of positive commitment to the regulatory goals. However, both approaches present challenges.

First, the use of exclusion grounds would require clearly setting out in the tender documentation which types of digital-governance activities are considered to amount to ‘grave professional misconduct, which renders [the technology provider’s] integrity questionable’, and to reserve the possibility to exclude on grounds of ‘poor past performance’ linked to digital regulation obligations. In the absence of generally accepted standards of conduct and industry practices, and in a context of technological uncertainty, making this type of determinations can be difficult. Especially if the previous instance of ‘untrustworthy’ behaviour is being litigated or could (partially) be attributed to the public buyer under the previous contract. Moreover, a public buyer cannot automatically rely on the findings of another one, as the current EU rules require each contracting authority to come to its own view on the reliability of the economic operator. This raises the burden of engaging with exclusion based on these grounds, which may put some public buyers off, especially if there are complex technical questions on the background. Such judgments may require a level of expertise and available resources exceeding those of the public buyer, which could eg justify seeking to rely on third party certification instead.

Relatedly, it will be difficult to administer such tenderer screening to systems through the creation of lists of approved contractors or third-party certification (or equivalent mechanisms, such as dynamic purchasing systems administered by a central purchasing body, or quality assurance certification). In all cases, the practical difficulty will be that the public buyer will either see its regulatory function conditioned or precluded by the (commercially determined) standards underlying third-party certification, or face a significant burden if it seeks to directly scrutinise economic operators otherwise. The regulatory burden will to some extent be unavoidable because all the above-mentioned mechanisms foresee that (in some circumstances) economic operators that do not have access to the relevant certification or are under no obligation to register in the relevant list must be given the opportunity to demonstrate that they meet the relevant (substantive) qualitative selection criteria by other (equivalent) means.

There will also be additional challenges in ensuring that the relevant vetting of economic operators is properly applied where the digital technology solution relies on a long (technical) supply chain or assemblage, without this necessarily involving any (formal) relationship or subcontracting between the technology provider to be contracted and the developers of parts of the technical assemblage. This points at the significant burden that the public buyer may have to overcome in seeking to use qualitative selection rules to ‘weed out’ technology providers which (general, or past) behaviour is not aligned with the overarching regulatory goals.

Second, a more proactive approach that sought to go beyond exclusion or third-party certification to eg promote adherence to voluntary codes of conduct, or to require technology providers to justify how they eg generally ‘contribute to the development and deployment of trustworthy digital technologies’, would also face significant difficulties. Such requirements could be seen as unjustified and/or disproportionate, leading to an infringement of EU procurement law. They could also be altogether pre-empted by future legislation, such as the proposed EU AI Act.

Tender evaluation

As mentioned above, the possibility of setting demanding technical specifications and minimum requirements for tender evaluation through award constraints in principle seem like suitable tools of digital regulation. The public buyer could focus on the technical solutions and embedding the desired regulatory attributes (eg transparency, explainability, cyber security) and regulatory checks (on data and technology governance, eg in relation to open source code or interoperability, as well as in relation to ethical assessments) in the technical specifications. Award criteria could generate (further) incentives for regulatory performance, perhaps beyond the minimum mandatory baseline. However, this is far from uncomplicated.

The primary difficulty in using technical specifications as a regulatory tool relates to the challenge of clearly specifying the desired regulatory attributes. Some or most of the desired technological attributes are difficult to observe or measure, the processes leading to their promotion are not easy to establish, the outcomes of those processes are not binary and determining whether a requirement has been met cannot be subject to strict rules, but rather to (yet to be developed) technical standards with an unavoidable degree of indefinition, which may also be susceptible of iterative application in eg agile methods, and thus difficult to evaluate at tender stage. Moreover, the desired attributes can be in conflict between themselves and/or with the main functional specifications for the digital technology deployment (eg the increasingly clear unavoidable trade-off between explainability and accuracy in some AI technologies). This issue of the definitional difficulties and the incommensurability of some or most of the regulatory goals also relates to the difficulty of establishing minimum technical requirements as an award constraint—eg to require that no contract is awarded unless the tender reaches a specific threshold in the technical evaluation in relation to all or selected requirements (eg explainability). While imposing minimum technical requirements is permitted, it is difficult to design a mechanism to quantify or objectify the evaluation of some of the desired technological attributes, which will necessarily require a complex assessment. Such assessment cannot be conducted in such a way that the public buyer has an unrestricted freedom of choice, which will require clarifying the criteria and the relevant thresholds that would justify rejecting the tender. This could become a significant sticking point.

Designing technical specifications to capture whether a digital technology is ‘ethical’ or ‘trustworthy’ seems particularly challenging. These are meta-attributes or characteristics that refer to a rather broad set of principles in the design of the technology, but also of its specific deployment, and tend to proceduralise the taking into account of relevant considerations (eg which impact will the deployment have on the population affected). Additionally, in some respects, the extent to which a technological deployment will be ethical or trustworthy is out of the hands of the technology provider (eg may depend on decisions of the entity adopting the technology, eg on how it is used), and in some aspects it depends on specific decisions and choices made during contract implementation. This could make it impossible to verify at the point of the tender whether the end result will or not meet the relevant requirements—while including requirements that cannot be effectively verified prior to award would most likely breach current legal limits.

A final relevant consideration is that technical specifications cannot be imposed in a prescriptive manner, with technology providers having to be allowed to demonstrate compliance by equivalence. This limits the potential prescriptiveness of the technical specifications that can be developed by the public buyer, at least in relation to some of the desired technological attributes, which will always be constrained by their nature of standards rather than rules (or metrics) and the duty to consider equivalent modes of compliance. This erodes the practical scope of using technical specifications as regulatory instruments.

Relatedly, the difficulties in using award criteria to pursue regulatory goals stem from difficulties in the operationalisation of qualitative criteria in practice. First, there is a set of requirements on the formulation of award criteria that seek to avoid situations of unrestricted freedom of choice for the public buyer. The requirements tend to require a high level of objectivity, including in the structuring of award criteria of a subjective nature. In that regard, in order to guarantee an objective comparison and to eliminate the risk of arbitrary treatment, recent case law has been clear that award criteria intended to measure the quality of the tenders must be accompanied by indications which allow a sufficiently concrete comparative assessment between tenders, especially where the quality carries most of the points that may be allocated for the purposes of awarding the tender.

In part, the problem stems from the absence of clear standards or benchmarks to be followed in such an assessment, as well as the need to ensure the possibility of alternative compliance (eg with labels). This can be seen, for example, in relation to explainability. It would not suffice to establish that the solutions need to be explainable or to use explainability as an award criterion without more. It would be necessary to establish sub-criteria, such as eg ‘the solution needs to ensure that an individualised explanation for every output is generated’ (ie requiring local explainability rather than general explainability of the model). This would still need to be further specified, as to what type of explanation and containing which information, etc. The difficulty is that there are multiple approaches to local explainability and that most of them are contested, as is the general approach to post hoc explanations in itself. This puts the public buyer in the position of having to solve complex technical and other principled issues in relation to this award criterion alone. In the absence of standard methodologies, this is a tall order that can well make the procedure inviable or not used (with clear parallels to eg the low uptake of life-cycle costing approaches). However, the development of such methodologies parallels the issues concerning the development of technical standards. Once more, when such standards, benchmarks or methodologies emerge, reliance on them can thus (re)introduce risks of commercial determination, depending on how they are set.

Contract design and implementation

Given the difficulties in using qualitative selection, technical specifications and award criteria to embed regulatory requirements, it is possible that they are pushed to to the design of the contract and, in particular, to their treatment as contract performance conditions, in particular to create procedural obligations seeking to maximise attainment of the relevant regulatory goals during contract implementation (eg to create specific obligations to test, audit or upgrade the technological solution in relation to specific regulatory goals, with cyber security being a relatively straightforward one), or to pass on, ‘back-to-back’, mandatory obligations where they result from legislation (eg to impose transparency obligations, along the lines of the model standard clauses for AI procurement being developed at EU level).

In addition to the difficulty inherent in designing the relevant mechanisms of contractualised governance, a relevant limitation of this approach to embedding (self-standing) regulatory requirements in contract compliance clauses is that recent case law has made clear that ‘compliance with the conditions for the performance of a contract is not to be assessed when a contract is awarded’. Therefore, at award stage, all that can be asked is for technology providers to commit to such requirements as (future) contractual obligations—which creates the risk of awarding the contract to the best liar.

More generally, the effectiveness of contract performance clauses will depend on the contractual remedies attached to them and, in relation to some of the desirable attributes of the technologies, it can well be that there are no adequate contractual remedies or that the potential damages are disproportionate to the value of the contract. There will be difficulties in their use where obligations can be difficult to specify, where negative outputs and effects are difficult to observe or can only be observed with delay, and where contractual remedies are inadequate. It should be stressed that the embedding of regulatory requirements as contract performance clauses can have the effect of converting non-compliance into (mere) money claims against the technology provider. And, additionally, that contractual termination can be complicated or require a significant delay where the technological deployment has created operational dependency that cannot be mitigated in the short or medium term. This does not seem necessarily aligned with the regulatory gatekeeping role expected of procurement, as it can be difficult to create the adequate financial incentives to promote compliance with the overarching regulatory goals in this way—by contrast with, for example, the possibility of sanctions imposed by an independent regulator.

Conclusion

The analysis has stressed those areas where the existing rules prevent the imposition of rigid regulatory requirements or demands for compliance with pre-specified standards (to the exclusion of alternative ones), and those areas where the flexibility of the rules generates heightened risks of regulatory capture and commercial determination of the regulatory standards. Overall, this shows that it is either not easy or at all possible to use procurement tools to embed regulatory requirements in the tender procedure and in public contracts, or that those tools are highly likely to end up being a conduit for the direct or indirect application of commercially determined standards and industry practices.

This supports the claim that using procurement for digital regulation purposes will either be highly ineffective or, counterintuitively, put the public buyer in a position of rule-taker rather than rule-setter and market-shaper—or perhaps both. In the absence of non-industry led standards and requirements formulated eg by an independent regulator, on which procurement tools could be leveraged, each public buyer would either have to discharge a high (and possibly excessive) regulatory burden, or be exposed to commercial capture. This provides the basis for an alternative approach. The next step in the research project will thus be to focus on such mandatory requirements as part of a broader proposal for external oversight of the adoption of digital technologies by the public sector.

Regulating public and private interactions in public sector digitalisation through procurement

February 8, 2023

As discussed in previous entries in this blog (see here, here, here, here or here), public procurement is progressively being erected as the gatekeeper of the public interest in the process of digital technology adoption by the public sector, and thus positioned as digital technology regulator—especially in the EU and UK context.

In this gatekeeping role, procurement is expected to ensure that the public sector only acquires and adopts trustworthy technologies, and that (private) technology providers adhere to adequate technical, legal, and ethical standards to ensure that this is the case. Procurement is also expected to operate as a lever for the propagation of (soft) regulatory tools, such as independently set technical standards or codes of conduct, to promote their adoption and harness market dynamics to generate effects beyond the public sector (ie market-shaping). Even further, where such standards are not readily available or independently set, the procurement function is expected to formulate specific (contractual) requirements to ensure compliance with the overarching regulatory goals identified at higher levels of policymaking. The procurement function is thus expected to leverage the design of public tenders and public contracts as tools of digital technology regulation to plug the regulatory gap resulting from the absence of binding (legal) requirements. This is a tall order.

Analysing this gatekeeping role and whether procurement can adequately perform it is the focus of the last part of my current research project. In this latest draft book chapter, I focus on an analysis of the procurement function as a regulatory actor. The following chapter will focus on an analysis of procurement rules on the design of tender procedures and some elements of contractual design as regulatory tools. Combined, the analyses will shed light on the unsuitability of procurement to carry out this gatekeeping role in the absence of minimum mandatory requirements and external oversight, which will also be explored in detail in later chapters. This draft book chapter is giving me a bit of a hard time and some of the ideas there are still slightly tentative, so I would more than ever welcome any and all feedback.

In ‘Regulating public and private interactions in public sector digitalisation through procurement: the clash between agency and gatekeeping logics’, my main argument is that the proposals to leverage procurement to regulate public sector digitalisation, which seek to use public sector market power and its gatekeeping role to enforce standards of technological regulation by embedding them in public contracts, are bound to generate significant dysfunction due to a break in regulatory logic. That regulatory logic results from an analysis of the procurement function from an agency theory and a gatekeeping theory perspective, which in my view evidence the impossibility for procurement to carry out conflicting roles. To support this claim, I explore: 1) the position of the procurement function amongst the public and private actors involved in public sector digitalisation; 2) the governance implications of the procurement function’s institutional embeddedness; and 3) the likely (in)effectiveness of public contracts in disciplining private and public behaviour, as well as behaviour that is mutually influenced or coproduced by public and private actors during the execution of public contracts.

My analysis finds that, in the regulation of public-private interactions, the regulatory logic underpinning procurement is premised on the existence of a vertical relationship between the public buyer and (potential) technology providers and an expectation of superiority of the public buyer, which is thus (expected to be) able to dictate the terms of the market interaction (through tender requirements), to operate as gatekeeper (eg by excluding potential providers that fall short of pre-specified standards), and to dictate the terms of the future contract (eg through contract performance clauses with a regulatory component). This regulatory logic hits obvious limitations when the public buyer faces potential providers with market power, an insufficient offer of (regulated) goods and services, or significant information asymmetries, which result in a potential ‘weak public buyer’ problem. Such problem has generally been tried to be addressed through procurement centralisation and upskilling of the (centralised) procurement workforce, but those measures create additional governance challenges (especially centralisation) and are unlikely to completely re-establish the balance of power required for the effective regulation by contract of public sector digitalisation, as far as the provider side is concerned.

Parking the ‘weak public buyer’ problem, my analysis then focuses on the regulation of public-public interactions between the adopting public sector entity and the procurement function. I separate them for the purposes of the analysis, to point out that at theoretical level, there is a tension between the expectations of agency and gatekeeping theories in this context. While both of them conceptualise the relationship as vertical, they operate on an opposite understanding of who holds a predominant position. Under agency theory, the public buyer is the agent and thus subject to the instructions of the public entity that will ultimately adopt the digital technology. Conversely, under gatekeeping theory, the public buyer is the (independent) guarantor of a set of goals or attributes in public sector digitalisation projects and is thus tasked with ensuring compliance therewith. This would place the public buyer in a position of (functional) superiority, in that it would (be expected to) be able to dictate (some of) the terms of the technological adoption. This conflict in regulatory logics creates a structural conflict of interest for the procurement function as both agent and gatekeeper.

The analysis then focuses on how the institutional embeddedness of procurement exacerbates this problem. Where the procurement function is embedded in the same administrative unit or entity that is seeking to adopt the technology, it is subjected to hierarchical governance and thus lacks the independence required to carry out the gatekeeping role. Similarly, where the procurement function is separate (eg in the case of centralised or collaborative procurement), in the absence of mandatory requirements (eg to use the centralised procurement vehicle), the adopting public entity retains discretion whether to subject itself to the (gatekeeper) procurement function or to carry out its own procurement. Moreover, even when it uses centralised procurement vehicles, it tends to retain discretion (eg on the terms of mini-competitions or for the negotiation of some contractual clauses), which also erodes the position of the procurement function to effectively carry out its gatekeeping role.

On the whole, the procurement function is not in a good position to discipline the behaviour of the adopting public entity and this creates another major obstacle to the effectiveness of the proposed approach to the regulation by contract of public sector digitalisation. This is exacerbated by the fact that the adopting public entity will be the principal of the regulatory contract with the (chosen) technology provider, which means that the contractual mechanisms designed to enforce regulatory goals will be left to interpretation and enforcement by those actors whose behaviour it seeks to govern.

In such decentred interactions, procurement lacks any meaningful means to challenge deviations from the contract that are in the mutual interest of both the adopting entity and the technology provider. The emerging approach to regulation by contract cannot properly function where the adopting public entity is not entirely committed to maximising the goals of digital regulation that are meant to be enforced by contract, and where the public contractor has a concurring interest in deviating from those goals by reducing the level of demand of the relevant contractual clauses. In the setting of digital technology regulation, this seems a likely common case, especially if we consider that the main regulatory goals (eg explainability, trustworthiness) are open-ended and thus the question is not whether the goals in themselves are embraced in abstracto by the adopting entity and the technology provider, but the extent to which effective (and costly or limiting) measures are put in place to maximise the realisation of such goals. In this context, (relational) contracts seem inadequate to prevent behaviour (eg shirking) that is the mutual interest of the contractual parties.

This generates what I label as a ‘two-sided gatekeeping’ challenge. This challenge encapsulates the difficulties for the procurement function to effectively influence regulatory outcomes where it needs to discipline both the behaviour of technology providers and adopting entities, and where contract implementation depends on the decentred interaction of those two agents with the procurement function as a (toothless) bystander.

Overall, then, the analysis shows that agency and gatekeeping theory point towards a disfunction in the leveraging of procurement to regulate public sector digitalisation by contract. There are two main points of tension or rupture with the regulatory logic. First, the regulatory approach cannot effectively operate in the absence of a clear set of mandatory requirements to bind the discretion of the procurement function during the tendering and contract formation phase, as well as the discretion of the adopting public entity during contract implementation phase, and which are also enforceable on the technology provider regardless of the terms of the contract. Second, the regulatory approach cannot effectively operate in the absence of an independent actor capable of enforcing those standards and monitoring continuous compliance during the lifecycle of technological adoption and use by the public sector entity. As things stand, the procurement function is affected by structural and irresolvable conflicts between its overlaid roles. Moreover, even if the procurement function was not caught by the conflicting logics and requirements of agency and gatekeeping (eg as a result of the adoption of the mandatory requirements mentioned above), it would still not be in an adequate position to monitor and discipline the behaviour of the adopting public entity—and, relatedly, of the technology provider—after the conclusion of the procurement phase.

The regulatory analysis thus points to the need to discharge the procurement function from its newest gatekeeping role, to realign it with agency theory as appropriate. This would require both the enactment of mandatory requirements and the subjection to external oversight of the process of technological adoption by the public sector. This same conclusion will be further supported by an analysis of the limitations of procurement law to effectively operate as a regulatory tool, which will be the focus of the next chapter in the book.

Governing the Assessment and Taking of Risks in Digital Procurement Governance

November 21, 2022

In a previous blog post, I explored the main governance risks and legal obligations arising from the adoption of digital technologies, which revolve around data governance, algorithmic transparency, technological dependency, technical debt, cybersecurity threats, the risks stemming from the long-term erosion of the skills base in the public sector, and difficult trade-offs due to the uncertainty surrounding immature and still changing technologies within an also evolving regulatory framework. To address such risks and ensure compliance with the relevant governance obligations, I stressed the need to embed a comprehensive mechanism of risk assessment in the process of technological adoption.

In a new draft chapter (num 9) for my book project, I analyse how to embed risk assessments in the initial stages of decision-making processes leading to the adoption of digital solutions for procurement governance, and how to ensure that they are iterated throughout the lifecycle of use of digital technologies. To do so, I critically review the model of AI risk regulation that is emerging in the EU and the UK, which is based on self-regulation and self-assessment. I consider its shortcomings and how to strengthen the model, including the possibility of subjecting the process of technological adoption to external checks. The analysis converges with a broader proposal for institutionalised regulatory checks on the adoption of digital technologies by the public sector that I will develop more fully in another part of the book.

This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Governing the Assessment and Taking of Risks in Digital Procurement Governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming), Available at SSRN: https://ssrn.com/abstract=4282882.

AI Risk Regulation

The emerging (global) model of AI regulation is risk-based—as opposed to a strict precautionary approach. This implies an assumption that ‘a technology will be adopted despite its harms’. This primarily means accepting that technological solutions may (or will) generate (some) negative impacts on public and private interests, even if it is not known when or how those harms will arise, or how extensive they will be. AI are unique, as they are ‘long-term, low probability, systemic, and high impact’, and ‘AI both poses “aggregate risks” across systems and low probability but “catastrophic risks to society”’ [for discussion, see Margot E Kaminski, ‘Regulating the risks of AI’ (2023) 103 Boston University Law Review, forthcoming]

This should thus trigger careful consideration of the ultimate implications of AI risk regulation, and advocates in favour of taking a robust regulatory approach—including to the governance of the risk regulation mechanisms put in place, which may well require external controls, potentially by an independent authority. By contrast, the emerging model of AI risk regulation in the context of procurement digitalisation in the EU and the UK leaves the adoption of digital technologies by public buyers largely unregulated and only subject to voluntary measures, or to open-ended obligations in areas without clear impact assessment standards (which reduces the prospect of effective mandatory enforcement).

Governance of Procurement Digitalisation in the EU

Despite the emergence of a quickly expanding set of EU digital law instruments imposing a patchwork of governance obligations on public buyers, whether or not they adopt digital technologies (see here), the primary decision whether to adopt digital technologies is not subject to any specific constraints, and the substantive obligations that follow from the diverse EU law instruments tend to refer to open-ended standards that require advanced technical capabilities to operationalise them. This would not be altered by the proposed EU AI Act.

Procurement-related AI uses are classified as minimal risk under the EU AI Act, which leaves them subject only to voluntary self-regulation via codes of conduct—yet to be developed. Such codes of conduct should encourage voluntary compliance with the requirements applicable to high-risk AI uses—such as risk management systems, data and data governance requirements, technical documentation, record-keeping, transparency, or accuracy, robustness and cybersecurity requirements—‘on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.’ This seems to introduce a further element of proportionality or ‘adaptability’ requirement that could well water down the requirements applicable to minimal risk AI uses.

Importantly, while it is possible for Member States to draw such codes of conduct, the EU AI Act would pre-empt Member States from going further and mandating compliance with specific obligations (eg by imposing a blanket extension of the governance requirements designed for high-risk AI uses) across their public administrations. The emergent EU model is thus clearly limited to the development of voluntary codes of conduct and their likely content, while yet unknown, seems unlikely to impose the same standards applicable to the adoption of high-risk AI uses.

Governance of Procurement Digitalisation in the UK

Despite its deliberate light-touch approach to AI regulation and actively seeking to deviate from the EU, the UK is relatively advanced in the formulation of voluntary standards to govern procurement digitalisation. Indeed, the UK has adopted guidance for the use of AI in the public sector, and for AI procurement, and is currently piloting an algorithmic transparency standard (see here). The UK has also adopted additional guidance in the Digital, Data and Technology Playbook and the Technology Code of Practice. Remarkably, despite acknowledging the need for risk assessments—and even linking their conduct to spend approvals required for the acquisition of digital technologies by central government organisations—none of these instruments provides clear standards on how to assess (and mitigate) risks related to the adoption of digital technologies.

Thus, despite the proliferation of guidance documents, the substantive assessment of governance risks in digital procurement remains insufficiently addressed and left to undefined risk assessment standards and practices. The only exception concerns cyber security assessments, given the consolidated approach and guidance of the National Cyber Security Centre. This lack of precision in the substantive requirements applicable to data and algorithmic impact assessments clearly constrains the likely effectiveness of the UK’s approach to embedding technology-related impact assessments in the process of adoption of digital technologies for procurement governance (and, more generally, for public governance). In the absence of clear standards, data and algorithmic impact assessments will lead to inconsistent approaches and varying levels of robustness. The absence of standards will also increase the need to access specialist expertise to design and carry out the assessments. Developing such standards and creating an effective institutional mechanism to ensure compliance therewith thus remain a challenge.

The Need for Strengthened Digital Procurement Governance

Both in the EU and the UK, the emerging model of AI risk regulation leaves digital procurement governance to compliance with voluntary measures such as (future) codes of conduct or transparency standards or impose open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). This follows general trends of AI risk regulation and evidences the emergence of a (sub)model highly dependent on self-regulation and self-assessment. This approach is rather problematic.

Self-Regulation: Outsourcing Impact Assessment Regulation to the Private Sector

The absence of mandatory standards for data and algorithmic impact assessments, as well as the embedded flexibility in the standards for cyber security, are bound to outsource the setting of the substantive requirements for those impact assessments to private vendors offering solutions for digital procurement governance. With limited public sector digital capability preventing a detailed specification of the applicable requirements, it is likely that these will be limited to a general obligation for tenderers to provide an impact assessment plan, perhaps by reference to emerging (international private) standards. This would imply the outsourcing of standard setting for risk assessments to private standard-setting organisations and, in the absence of those standards, to the tenderers themselves. This generates a clear and problematic risk of regulatory capture. Moreover, this process of outsourcing or excessively reliance on private agents to commercially determine impact assessments requirements is not sufficiently exposed to scrutiny and contestation.

Self-Assessment: Inadequacy of Mechanisms for Contestability and Accountability

Public buyers will rarely develop the relevant technological solutions but rather acquire them from technological providers. In that case, the duty to carry out the self-assessment will (or should be) cascaded down to the technology provider through contractual obligations. This would place the technology provider as ‘first party’ and the public buyer as ‘second party’ in relation to assuring compliance with the applicable obligations. In a setting of limited public sector digital capability, and in part as a result of a lack of clear standards providing an applicable benchmark (as above), the self-assessment of compliance with risk management requirements will either be de facto outsourced to private vendors (through a lack of challenge of their practices), or carried out by public buyers with limited capabilities (eg during the oversight of contract implementation). Even where public buyers have the required digital capabilities to carry out a more thorough analysis, they lack independence. ‘Second party’ assurance models unavoidably raise questions about their integrity due to the conflicting interests of the assurance provider who wants to use the system (ie the public buyer).

This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions to adopt digital technologies revealed by the algorithmic disclosures. In many cases, shortcomings in the risk assessments and the related minimisation and mitigation measures will only become observable after the materialisation of the underlying harms. For example, the effects of the adoption of a defective digital solution for decision-making support (eg a recommender system) will only emerge in relation to challengeable decisions in subsequent procurement procedures that rely on such solution. At that point, undoing the effects of the use of the tool may be impossible or excessively costly. In this context, challenges based on procedure-specific harms, such as the possibility to challenge discrete procurement decisions under the general rules on procurement remedies, are inadequate. Not least, because there can be negative systemic harms that are very hard to capture in the challenge to discrete decisions, or for which no agent with active standing has adequate incentives. To avoid potential harms more effectively, ex ante external controls are needed instead.

Creating External Checks on Procurement Digitalisation

It is thus necessary to consider the creation of external ex ante controls applicable to these decisions, to ensure an adequate embedding of effective risk assessments to inform (and constrain) them. Two models are worth considering: certification schemes and independent oversight.

Certification or Conformity Assessments

While not applicable to procurement uses, the model of conformity assessment in the proposed EU AI Act offers a useful blueprint. The main potential shortcoming of conformity assessment systems is that they largely rely on self-assessments by the technology vendors, and thus on first party assurance. Third-party certification (or algorithmic audits) is possible, but voluntary. Whether there would be sufficient (market) incentives to generate a broad (voluntary) use of third-party conformity assessments remains to be seen. While it could be hoped that public buyers could impose the use of certification mechanisms as a condition for participation in tender procedures, this is a less than guaranteed governance strategy given the EU procurement rules’ functional approach to the use of labels and certificates—which systematically require public buyers to accept alternative means of proof of compliance. This thus seems to offer limited potential for (voluntary) certification schemes in this specific context.

Relatedly, the conformity assessment system foreseen in the EU AI Act is also weakened by its reliance on vague concepts with non-obvious translation into verifiable criteria in the context of a third-party assurance audit. This can generate significant limitations in the conformity assessment process. This difficulty is intended to be resolved through the development of harmonised standards by European standardisation organisations and, where those do not exist, through the approval by the European Commission of common specifications. However, such harmonised standards will largely create the same risks of commercial regulatory capture mentioned above.

Overall, the possibility of relying on ‘third-party’ certification schemes offers limited advantages over the self-regulatory approach.

Independent External Oversight

Moving beyond the governance limitations of voluntary third-party certification mechanisms and creating effective external checks on the adoption of digital technologies for procurement governance would require external oversight. An option would be to make the envisaged third-party conformity assessments mandatory, but that would perpetuate the risks of regulatory capture and the outsourcing of the assurance system to private parties. A different, preferable option would be to assign the approval of the decisions to adopt digital technologies and the verification of the relevant risks assessments to a centralised authority also tasked with setting the applicable requirements therefor. The regulator would thus be placed as gatekeeper of the process of transition to digital procurement governance, instead of the atomised imposition of this role on public buyers. This would be reflective of the general features of the system of external controls proposed in the US State of Washington’s Bill SB 5116 (for discussion, see here).

The main goal would be to introduce an element of external verification of the assessment of potential AI harms and the related taking of risks in the adoption of digital technologies. It is submitted that there is a need for the regulator to be independent, so that the system fully encapsulates the advantages of third-party assurance mechanisms. It is also submitted that the data protection regulator may not be best placed to take on the role as its expertise—even if advanced in some aspects of data-intensive digital technologies—primarily relates to issues concerning individual rights and their enforcement. The more diffuse collective interests at stake in the process of transition to a new model of public digital governance (not only in procurement) would require a different set of analyses. While reforming data protection regulators to become AI mega-regulators could be an option, that is not necessarily desirable and it seems that an easier to implement, incremental approach would involve the creation of a new independent authority to control the adoption of AI in the public sector, including in the specific context of procurement digitalisation.

Conclusion

An analysis of emerging regulatory approaches in the EU and the UK shows that the adoption of digital technologies by public buyers is largely unregulated and only subjected to voluntary measures, or to open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). The emerging model of AI risk regulation in the EU and UK follows more general trends and points at the consolidation of a (sub)model of risk-based digital procurement governance that strongly relies on self-regulation and self-assessment.

However, given its limited digital capabilities, the public sector is not best placed to control or influence the process of self-regulation, which results in the outsourcing of crucial regulatory tasks to technology vendors and the consequent risk of regulatory capture and suboptimal design of commercially determined governance mechanisms. These risks are compounded by the emerging ‘second party assurance’ model, as self-assessments by technology vendors would not be adequately scrutinised by public buyers, either due to a lack of digital capabilities or the unavoidable structural conflicts of interest of assurance providers with an interest in the use of the technology, or both. This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions revealed by the disclosures, including in the context of (delayed) specific uses of the technological solutions.

The analysis also shows how a model of third-party assurance or certification would be affected by the same issues of outsourcing of regulatory decisions to private parties, and ultimately would largely replicate the shortcomings of the self-regulatory and self-assessed model. A certification model would thus only generate a marginal improvement over the emerging model—especially given the functional approach to the use of certification and labels in procurement.

Moving past these shortcomings requires assigning the approval of decisions whether to adopt digital technologies and the verification of the related impact assessments to an independent authority: the ‘AI in the Public Sector Authority’ (AIPSA). I will fully develop a proposal for such authority in coming months.

Emerging risks in digital procurement governance

October 21, 2022

In a previous blog post, I drew a technology-informed feasibility boundary to assess the realistic potential of digital technologies in the specific context of procurement governance. I suggested that the potential benefits from the adoption of digital technologies within that feasibility boundary had to be assessed against new governance risks and requirements for their mitigation.

In a new draft chapter (num 8) for my book project, I now explore the main governance risks and legal obligations arising from the adoption of digital technologies, which revolve around data governance, algorithmic transparency, technological dependency, technical debt, cybersecurity threats, the risks stemming from the long-term erosion of the skills base in the public sector, and difficult trade-offs due to the uncertainty surrounding immature and still changing technologies within an also evolving regulatory framework.

The analysis is not carried out in a vacuum, but in relation to the increasingly complex framework of EU digital law, including: the Open Data Directive; the Data Governance Act; the proposed Data Act; the NIS 2 Directive on cybersecurity measures, including its interaction with the Cybersecurity Act, and the proposed Directive on the resilience of critical entities and Cyber Resilience Act; as well as some aspects of the proposed EU AI Act.

This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Identifying Emerging Risks in Digital Procurement Governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4254931.

current and Imminent digital governance obligations for public buyers

Public buyers already shoulder, and will very soon face further digital governance obligations, even if they do not directly engage with digital technologies. These concern both data governance and cybersecurity obligations.

Data governance obligations

The Open Data Directive imposes an obligation to facilitate access to and re-use of procurement data for commercial or non-commercial purposes, and generates the starting position that data held by public buyers needs to be made accessible. Access is however excluded in relation to data subject to third-party rights, such as data protected by intellectual property rights (IPR), or data subject to commercial confidentiality (including business, professional, or company secrets). Moreover, in order to ensure compliance with the EU procurement rules, access should also be excluded to data subject to procurement-related confidentiality (Art 21 Dir 2014/24/EU), and data which disclosure should be withheld because the release of such information would impede law enforcement or would otherwise be contrary to the public interest … or might prejudice fair competition between economic operators (Art 55 Dir 2014/24/EU). Compliance with the Open Data Directive can thus not result in a system where all procurement data becomes accessible.

The Open Data Directive also falls short of requiring that access is facilitated through open data, as public buyers are under no active obligation to digitalise their information and can simply allow access to the information they hold ‘in any pre-existing format or language’. However, this will change with the entry into force of the rules on eForms (see here). eForms will require public buyers to hold (some) procurement information in digital format. This will trigger the obligation under the Open Data Directive to make that information available for re-use ‘by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable, together with their metadata’. Moreover, procurement data that is not captured by the eForms but in other ways (eg within the relevant e-procurement platform) will also be subject to this regime and, where making that information available for re-use by electronic means involves no ‘disproportionate effort, going beyond a simple operation’, it is plausible that the obligation of publication by electronic means will extend to such data too. This will potentially significantly expand the scope of open procurement data obligations, but it will be important to ensure that it does not result in excessive disclosure of third-party data or competition-sensitive data.

Some public buyers may want to go further in facilitating (controlled) access to procurement data not susceptible of publication as open data. In that case, they will have to comply with the requirements of the Data Governance Act (and the Data Act, if adopted). In this case, they will need to ensure that, despite authorising access to the data, ‘the protected nature of data is preserved’. In the case of commercially confidential information, including trade secrets or content protected by IPR, this can require ensuring that the data has been ‘modified, aggregated or treated by any other method of disclosure control’. Where ‘anonymising’ information is not possible, access can only be given with permission of the third-party, and in compliance with the applicable IPR, if any. The Data Governance Act explicitly imposes liability on the public buyer if it breaches the duty not to disclose third-party data, and it also explicitly requires that data access complies with EU competition law.

This shows that public buyers have an inescapable data governance role that generates tensions in the design of open procurement data mechanisms. It is simply not possible to create a system that makes all procurement data open. Data governance requires the careful management of a system of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions (as I already proposed a few years ago, see here). While the need to balance procurement transparency and the protection of data subject to the rights of others and competition-sensitive data is not a new governance challenge, the digital management of this information creates heightened risks to the extent that the implementation of data management solutions is tendentially open access. Moreover, the assessment of the potential competition impact of data disclosure can be a moving target. The risk of distortions of competition is heightened by the possibility that the availability of data allows for the deployment of technology-supported forms of collusive behaviour (as well as corrupt behaviour).

Cybersecurity obligations

Most public buyers will face increased cybersecurity obligations once the NIS 2 Directive enters into force. The core substantive obligation will be a mandate to ‘take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services’. This will require a detailed assessment of what is proportionate to the cybersecurity exposure of a public buyer.

In that analysis, the public buyer will be able to take into account ‘the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation’, and in ‘assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal and economic impact’.

Public buyers may not have the ability to carry out such an assessment with internal capabilities, which immediately creates a risk of outsourcing of the cybersecurity risk assessment, as well as other measures to comply with the related substantive obligations. This can generate further organisational dependency on outside capability, which can itself be a cybersecurity risk. As discussed below, imminent cybersecurity obligations heighten the need to close the current gaps in digital capability.

Increased governance obligations for public buyers ‘going digital’

Public buyers that are ‘going digital’ and experimenting with or deploying digital solutions face increased digital governance obligations. Given the proportionality of the cybersecurity requirements under the NIS 2 Directive (above), public buyers that use digital technologies can expect to face more stringent substantive obligations. Moreover, the adoption of digital solutions generates new or increased risks of technological dependency, of two main types. The first type refers to vendor lock-in and interoperability, and primarily concerns the increasing need to develop advanced strategies to manage IPR, algorithmic transparency, and technical debt—which could largely be side-stepped by an ‘open source by default’ approach. The second concerns the erosion of the skills base of the public buyer as technology replaces the current workforce, which generates intellectual debt and operational dependency.

Open Source by Default?

The problem of technological lock-in is well understood, even if generally inadequately or insufficiently managed. However, the deployment of Artificial Intelligence (AI), and Machine Learning (ML) in particular, raise the additional issue of managing algorithmic transparency in the context of technological dependency. This generates specific challenges in relation with the administration of public contracts and the obligation to create competition in their (re)tendering. Without access to the algorithm’s source code, it is nigh impossible to ensure a level playing field in the tender of related services, as well as in the re-tendering of the original contract for the specific ML or AI solution. This was recognised by the CJEU in a software procurement case (see here), which implies that, under EU law, public buyers are under an obligation to ensure that they have access and dissemination rights over the source code. This goes beyond emerging standards on algorithmic transparency, such as the UK’s, or what would be required if the EU AI Act was applicable, as reflected in the draft contract clauses for AI procurement. This creates a significant governance risk that requires explicit and careful consideration by public buyers, and which points at the need of embedding algorithmic transparency requirements as a pillar of technological governance related to the digitalisation of procurement.

Moreover, the development of digital technologies also creates a new wave of lock-in risks, as digital solutions are hardly off-the-shelf and can require a high level of customisation or co-creation between the technology provider and the public buyer. This creates the need for careful consideration of the governance of IPR allocation—with some of the guidance seeking to promote leaving IPR rights with the vendor needing careful reconsideration. A nuanced approach is required, as well as coordination with other legal regimes (eg State aid) where IPR is left with the contractor. Following some recent initiatives by the European Commission, an ‘open source by default’ approach would be suitable, as there can be high value derived from using and reusing common solutions, not only in terms of interoperability and a reduction of total development costs—but also in terms of enabling the emergence of communities of practice that can contribute to the ongoing improvement of the solutions on the basis of pooled resources, which can in turn mitigate some of the problems arising from limited access to digital skills.

Finally, it should be stressed that most of these technologies are still emergent or immature, which generates additional governance risks. The adoption of such emergent technologies generates technical debt. Technical debt is not solely a financial issue, but a structural barrier to digitalisation. Technical debt risks stress the importance of the adoption of the open source by default approach mentioned above, as open source can facilitate the progressive collective repayment of technical debt in relation to widely adopted solutions.

(Absolute) technological dependency

As mentioned, a second source of technological dependency concerns the erosion of the skills base of the public buyer as technology replaces the current workforce. This is different from dependence on a given technology (as above), and concerns dependence on any technological solution to carry out functions previously undertaken by human operators. This can generate two specific risks: intellectual debt and operational dependency.

In this context, intellectual debt refers to the loss of institutional knowledge and memory resulting from eg the participation in the development and deployment of the technological solutions by agents no longer involved with the technology (eg external providers). There can be many forms of intellectual debt risk, and some can be mitigated or excluded through eg detailed technical documentation. Other forms of intellectual debt risk, however, are more difficult to mitigate. For example, situations where reliance on a technological solution (eg robotic process automation, RPA) erases institutional knowledge of the reason why a specific process is carried out, as well as how that process is carried out (eg why a specific source of information is checked for the purposes of integrity screening and how that is done). Mitigating against this requires keeping additional capability and institutional knowledge (and memory) to be able to explain in full detail what specific function the technology is carrying out, why, how that is done, and how that would be done in the absence of the technology (if it could be done at all). To put it plainly, it requires keeping the ability to ‘do it by hand’—or at the very least to be able to explain how that would be done.

Where it would be impossible or unfeasible to carry out the digitised task without using technology, digitalisation creates absolute operational dependency. Mitigating against such operational dependency requires an assessment of ‘system critical’ technological deployments without which it is not possible to carry out the relevant procurement function and, most likely, to deploy measures to ensure system resilience (including redundancy if appropriate) and system integrity (eg in relation to cybersecurity, as above). It is however important to acknowledge that there will always be limits to ensuring system resilience and integrity, which should raise questions about the desirability of generating situations of absolute operational dependency. While this may be less relevant in the context of procurement governance than in other contexts, it can still be an important consideration to factor into decision-making as technological practice can fuel a bias towards (further) technological practice that can then help support unquestioned technological expansion. In other words, it will be important to consider what are the limits of absolute technological delegation.

The crucial need to boost in-house digital skills in the public sector

The importance of digital capabilities to manage technological governance risks emerges a as running theme. The specific governance risks identified in relation to data and systems integrity, including cybersecurity risks, as well as the need to engage in sophisticated management of data and IPR, show that skills shortages are problematic in the ongoing use and maintenance of digital solutions, as their implementation does not diminish, but rather expands the scope of technology-related governance challenges.

There is an added difficulty in the fact that the likelihood of materialisation of those data, systems integrity, and cybersecurity risks grows with reduced digital capabilities, as the organisation using digital solutions may be unable to identify and mitigate them. It is not only that the technology carries risks that are either known knowns or known unknowns (as above), but also that the organisation may experience them as unknown unknowns due to its limited digital capability. Limited digital skills compound those governance risks.

There is a further risk that digitalisation and the related increase in digital capability requirements can embed an element of (unacknowledged) organisational exposure that mirrors the potential benefits of the technologies. While technology adoption can augment the organisation’s capability (eg by reducing administrative burdens through automation), this also makes the entire organisation dependent on its (disproportionately small) digital capabilities. This makes the organisation particularly vulnerable to the loss of limited capabilities. From a governance perspective, this places sustainable access to digital skills as a crucial element of the critical vulnerabilities and resilience assessment that should accompany all decisions to deploy a digital technology solution.

A plausible approach would be to seek to mitigate the risk of insufficient access to in-house skills through eg the creation of additional, standby or redundant contracted capability, but this would come with its own costs and governance challenges. Moreover, the added complication is that the digital skills gap that exposes the organisation to these risks in the first place, can also fuel a dynamic of further reliance on outside capabilities (from consultancy firms) beyond the development and adoption of those digital solutions. This has the potential to exacerbate the long-term erosion of the skills base in the public sector. Digitalisation heightens the need for the public sector to build up its expertise and skills, as the only way of slowing down or reducing the widening digital skills gap and ensuring organisational resilience and a sustainable digital transition.

Conclusion

Public buyers already face significant digital governance obligations, and those and the underlying risks can only increase (potentially, very significantly) with further progress in the path of procurement digitalisation. Ultimately, to ensure adequate digital procurement governance, it is not only necessary to take a realistic look at the potential of the technology and the required enabling factors (see here), but also to embed a comprehensive mechanism of risk assessment in the process of technological adoption, which requires enhanced public sector digital capabilities, as stressed here. Such an approach can mitigate against the policy irresistibility that surrounds these technologies (see here) and contribute to a gradual and sustainable process of procurement digitalisation. The ways in which such risk assessment should be carried out require further exploration, including consideration of whether to subject the adoption of digital technologies for procurement governance to external checks (see here). This will be the object of forthcoming analysis.

Public procurement governance as an information-intensive exercise, and the allure of digital technologies

September 12, 2022

Abstract picture used for decorative purposes only.

I have just started a 12-month Mid-Career Fellowship funded by the British Academy with the purpose of writing up the monograph Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming).

In the process of writing up, I will be sharing some draft chapters and other thought pieces. I would warmly welcome feedback that can help me polish the final version. As always, please feel free to reach out: a.sanchez-graells@bristol.ac.uk.

In this first draft chapter (num 6), I explore the technological promise of digital governance and use public procurement as a case study of ‘policy irresistibility’. The main ideas in the chapter are as follows:

This Chapter takes a governance perspective to reflect on the process of horizon scanning and experimentation with digital technologies. The Chapter stresses how aspirations of digital transformation can drive policy agendas and make them vulnerable to technological hype, despite technological immaturity and in the face of evidence of the difficulty of rolling out such transformation programmes—eg regarding the still ongoing wave of transition to e-procurement. Delivering on procurement’s goals of integrity, efficiency and transparency requires facing challenges derived from the information intensity and complexity of procurement governance. Digital technologies promise to bring solutions to such informational burden and thus augment decisionmakers’ ability to deal with that complexity and with related uncertainty. The allure of the potential benefits of deploying digital technologies generates ‘policy irresistibility’ that can capture decision-making by policymakers overly exposed to the promise of technological fixes to recalcitrant governance challenges. This can in turn result in excessive experimentation with digital technologies for procurement governance in the name of transformation. The Chapter largely focuses on the EU policy framework, but the insights derived from this analysis are easily exportable.

Another draft chapter (num 7) will follow soon with more detailed analysis of the feasibility boundary for the adoption of digital technologies for procurement governance purposes. The full details of this draft chapter are as follows: A Sanchez-Graells, ‘The technological promise of digital governance: procurement as a case study of “policy irresistibility”’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4216825.

Initial comments on the UK's Procurement Bill: A lukewarm assessment

May 19, 2022

Having read the Procurement Bill, its Impact Assessment and the Explanatory Notes, I have some initial comments, which I have tried to articulate in a working paper.

In the paper I offer some initial comments on the Bill and related documents, including: (i) the economic justification in its impact assessment; (ii) some general comments on legislative technique and the quality of the Bill and its Explanatory Notes; (iii) some observations on what may have not been carried over from the Transforming Public Procurement consultation and government response; (iv) a mapping of important aspects of procurement regulation that the Bill does not cover and will thus have to wait for secondary legislation and/or guidance; (v) some general considerations on the unclear impact of different wording for ‘terms of art’, including their interpretation; and (vi) fifty selected issues I have spotted in my first reading of the Bill. I close with some considerations on the difficulty of ensuring a sufficient fix along the legislative process.

In case of interest, the paper can be dowloaded here: https://ssrn.com/abstract=4114141.

More than ever, this is work in progress and I would be grateful for any feedback or discussion: a.sanchez-graells@bristol.ac.uk.

Recent developments in UK procurement regulation -- consolidated overview

January 24, 2022

I have put together a consolidated review of recent developments in UK procurement regulation, to be included as a country report in a forthcoming issue of the European Procurement & Public Private Partnership Law Review.

It brings together developments discussed in the blog in recent months. including the Post-Brexit rulebook reform, the proposal of special rules for healthcare services commissioning, the procurement chapter in the UK-Australia Free Trade Agreement, and a recent decision in the PPE procurement litigation saga.

In case of interest, it can be downloaded from SSRN: https://ssrn.com/abstract=4016424.

It contains nothing new, though, so assiduous readers may want to skip this one!

New paper on procurement corruption and AI

October 29, 2021

I have just uploaded a new paper on SSRN: ‘Procurement corruption and artificial intelligence: between the potential of enabling data architectures and the constraints of due process requirements’, to be published in S. Williams-Elegbe & J. Tillipman (eds), Routledge Handbook of Public Procurement Corruption (forthcoming). In this paper, I reflect on the potential improvements that using AI for anti-corruption purposes can practically have in the current (and foreseeable) context of AI development, (lack of) procurement and other data, and existing due process constraints on the automation or AI-support of corruption-related procurement decision-making (such as eg debarment/exclusion or the imposition of fines). The abstract is as follows:

This contribution argues that the expectations around the deployment of AI as an anti-corruption tool in procurement need to be tamed. It explores how the potential applications of AI replicate anti-corruption interventions by human officials and, as such, can only provide incremental improvements but not a significant transformation of anti-corruption oversight and enforcement architectures. It also stresses the constraints resulting from existing procurement data and the difficulties in creating better, unbiased datasets and algorithms in the future, which would also generate their own corruption risks. The contribution complements this technology-centred analysis with a critical assessment of the legal constraints based on due process rights applicable even when AI supports continued human intervention. This in turn requires a close consideration of the AI-human interaction, as well as a continuation of the controls applicable to human decision-making in corruption-prone activities. The contribution concludes, first, that prioritising improvements in procurement data capture, curation and interconnection is a necessary but insufficient step; and second, that investments in AI-based anti-corruption tools cannot substitute, but only complement, current anti-corruption approaches to procurement.

As always, feedback more than welcome. Not least, because I somehow managed to write this ahead of the submission deadline, so I would have time to adjust things ahead of publication. Thanks in advance: a.sanchez-graells@bristol.ac.uk.

New SSRN article on the UK's 'Transforming Public Procurement' Green Paper

February 17, 2021

I have uploaded on SSRN the new article ‘The UK’s Green Paper on Post-Brexit Public Procurement Reform: Transformation or Overcomplication?’, which will appear in the European Procurement & Public Private Partnership Law Review soon. The article builds on my earlier submission to the ongoing public consultation (still open, submissions accepted until 10 March 2021). The abstract is as follows:

In December 2020, seeking to start cashing in on its desired ‘Brexit dividends’, the UK Government published the Green Paper ‘Transforming Public Procurement’. The Green Paper sets out a blueprint for the reform of UK public procurement law that aims to depart from the regulatory baseline of EU law and deliver a much-touted ‘bonfire of procurement red tape’. The Green Paper seeks ‘to speed up and simplify [UK] procurement processes, place value for money at their heart, and unleash opportunities for small businesses, charities and social enterprises to innovate in public service delivery’. The Green Paper seeks to do so by creating ‘a progressive, modern regime which can adapt to the fastmoving environment in which business operates’ underpinned by ‘a culture of continuous improvement to support more resilient, diverse and innovative supply chains.’ I argue that the Green Paper has very limited transformative potential and that its proposals merely represent an ‘EU law +’ approach to the regulation of public procurement that would only result in an overcomplicated regulatory infrastructure, additional administrative burdens for both public buyers and economic operators, and tensions and contradictions in the oversight model. I conclude that a substantial rethink is needed if the Green Paper’s goals are to be achieved.

The full paper is free to download: Sanchez-Graells, Albert, The UK’s Green Paper on Post-Brexit Public Procurement Reform: Transformation or Overcomplication? (February 17, 2021). To be published in (2021) European Procurement & Public Private Partnership Law Review, forthcoming, Available at SSRN: http://ssrn.com/abstract=3787380. As always, feedback most welcome: a.sanchez-graells@bristol.ac.uk.

New Paper on Extraterritoriality of EU Procurement Rules

July 13, 2017

I am presenting a paper on the extraterritoriality of EU public procurement rules at the research workshop "Extraterritoriality of EU Law & Human Rights after Lisbon: Scope and Boundaries", held at the Sussex European Institute on 13 & 14 July 2017.

The paper is entitled "An Ever-Changing Scope? The Expansive Boundaries of EU Public Procurement Rules, Extraterritoriality and the Court of Justice", and is available at SSRN: https://ssrn.com/abstract=3000256.

As the abstract indicates:

This paper looks at how the EU public procurement rules have shown a tendency to permanently expand their scope of application, both within and outside the EU. Inside the EU, the expansion has primarily resulted from blurred coverage boundaries and a creeping application outside their explicit scope. Outside the EU, the extraterritoriality has concerned scenarios such as the applicability of EU financial rules to procurement carried out as part of the EU’s external action in other areas (such as common foreign and security policy), or the regulatory transfer (or ‘export’) of EU procurement rules as part of trade deals—notably, the EU-Canada CETA, but also the EU-Ukraine DCFTA.

Concentrating solely on the ‘external’ dimension of the expansive scope of EU public procurement rules, in trying to explore some of the impacts of the extraterritorial effects of EU public procurement law on the legal and regulatory systems of third countries, this paper focuses on the implications that this expansion and extraterritoriality can have in terms of jurisdiction of the Court of Justice, as well as in terms of difficulties for the coordination of remedies systems in the area of public procurement. The paper concludes that the extraterritorial expansiveness of the EU’s public procurement rules is creating areas of potential legal uncertainty that deserve further analysis. Given the highly speculative nature of those scenarios at this stage, however, the paper does not attempt to provide any specific answers or tentative solutions to the issues it raises.

I intend to review the paper after the workshop and will appreciate any additional feedback that helps me improve it so, if you have the time and inclination to read the paper, please email me any comments to a.sanchez-graells@bristol.ac.uk, or feel free to post them in the comments section. Thank you in advance for any input.

Separate operational units within a contracting authority and the scope of Directive 2014/24

February 13, 2017

One of the reforms of EU public procurement rules in 2014 that may well have slipped under the radar concerns the treatment of procurement carried out by separate operational units within a contracting authority. For the purposes of calculating the estimated value of procurement to determine the applicability of the EU rules, Art 5(2) Dir 2014/24 now establishes that "Where a contracting authority is comprised of separate operational units, account shall be taken of the total estimated value for all the individual operational units. Notwithstanding [that] where a separate operational unit is independently responsible for its procurement or certain categories thereof, the values may be estimated at the level of the unit in question."

This seemingly simple rule raises an important number of issues and, most importantly, requires a determination of what is a "separate operational unit" for the purposes of Art 5(2) Dir 2014/24 and the associated anti-circumvention rule. These issues are the focus of the comparative report "Characteristics of Separate Operational Units – A Study on Aggregation Rules under Public Procurement Law", commissioned to Dr Kirsi-Maria Halonen by the Swedish Competition Authority.

The study includes a comparative overview that is interesting in itself and, of more practical relevance, it also formulates a test for the assessment of whether units within a contracting authority meet the requirements for being considered operationally separate and, thus, able to trigger a differentiated calculation of value thresholds triggering (or most likely, not) the application of EU public procurement rules in Dir 2014/24. The test is presented as follows:

"In order to facilitate the evaluation of a unit’s status, this study identifies six key elements which can be of importance when determining, whether the contract value can be estimated at the level of a separate unit or, whether all purchases of units within the same contracting authority should be aggregated:

The unit has a separate budget line which is managed by the unit itself and from which the procured items are paid from
The unit runs the tender procedure independently
Competence to make buying decisions and to conclude contracts on behalf of the contracting authority
Is any other part of contracting authority interfering or affecting the contract between the unit and its contractor?
Will other units of the same contracting authority purchase through the contract awarded by the unit?
Obligation to purchase through centralized framework agreements or contracts"

I find the test (which is further detailed in the study) well thought-through and the only addition I would suggest would concern a dimension of supply-side analysis, mainly to assess whether the seemingly separate operational units are supplied by different suppliers / under different terms. That would allow for a final check to be added in order to capture situations where looking only at the demand side (ie at the units within a contracting authority) may mask issues concerning the bigger picture of the procurement/supply relationship between specific suppliers and the contracting authority as a whole.

The report is well worth reading, in particular in countries where the existence of separate operational units has been taken for granted in the past (such as in Spain). This is an area where future empirical research could usefully provide good insights on the way in which the creation of the new rule in Art 5(2) Dir 2014/24 may result in different levels of stringency in the application of EU public procurement rules at domestic level--depending on the extent to which Member States adapt the internal organisation of their contracting authorities to maximise, minimise (or ignore) the new possibilities.

Institutional deficit and risk of capture

Overcoming the institutional deficit through AIPSA

safeguard against regulatory capture and policy irresistibility

If not AIPSA … then clearly not procurement

Public sector digitalisation is accelerating in a regulatory vacuum

Procurement emerges as a regulatory gatekeeper to plug that gap

Procurement is not at all suited to deliver incommensurable goals of digital regulation

Procurement is not well suited to deliver other goals of digital regulation

Procurement digitalisation offers a valuable case study

Background

Tender preparation and design

Tender execution

Tenderer selection

Tender evaluation

Contract design and implementation

Conclusion

AI Risk Regulation

Governance of Procurement Digitalisation in the EU

Governance of Procurement Digitalisation in the UK

The Need for Strengthened Digital Procurement Governance

Self-Regulation: Outsourcing Impact Assessment Regulation to the Private Sector

Self-Assessment: Inadequacy of Mechanisms for Contestability and Accountability

Creating External Checks on Procurement Digitalisation

Certification or Conformity Assessments

Independent External Oversight

Conclusion

current and Imminent digital governance obligations for public buyers

Data governance obligations

Cybersecurity obligations

Increased governance obligations for public buyers ‘going digital’

Open Source by Default?

(Absolute) technological dependency

The crucial need to boost in-house digital skills in the public sector

Conclusion

MORE STUFF

SUBSCRIBE

recent posts