External oversight and mandatory requirements for public sector digital technology adoption

© Mateo Mulder-Graells (2023).

I thought the time would never come, but the last piece of my book project puzzle is now more or less in place. After finding that procurement is not the right regulatory actor and does not have the best tools of ‘digital regulation by contract’, in this last draft chapter, I explore how to discharge procurement of the assigned digital regulation role to increase the likelihood of effective enforcement of desirable goals of public sector digital regulation.

I argue that this should be done through two inter-related regulatory interventions consisting of developing (1) a regulator tasked with the external oversight of the adoption of digital technologies by the public sector, as well as (2) a suite of mandatory requirements binding both public entities seeking to adopt digital technologies and technology providers, and both in relation to the digital technologies to be adopted by the public sector and the applicable governance framework.

Detailed analysis of these issues would require much more extensive treatment than this draft chapter can offer. The modest goal here is simply to stress the key attributes and functions that each of these two regulatory interventions should have to make a positive contribution to governing the transition towards a new model of public digital governance. In this blog post, I summarise the main arguments.

As ever, I would be most grateful for feedback (a.sanchez-graells@bristol.ac.uk), especially as I will now turn my attention to seeing how the different pieces of the puzzle fit together, while I edit the manuscript for submission before the end of July 2023.

Institutional deficit and risk of capture

In the absence of an alternative institutional architecture (or while it is put in place), procurement is expected to develop a regulatory gatekeeping role in relation to the adoption of digital technologies by the public sector, which is in turn expected to have norm-setting and market-shaping effects across the economy. This could be seen as a way of bypassing or postponing decisions on regulatory architecture.

However, earlier analysis has shown that the procurement function is not the right institution to which to assign a digital regulation role, as it cannot effectively discharge such a duty. This highlights the existence of an institutional deficit in the process of public sector digitalisation, as well as in relation to digital technology regulation more broadly. An alternative approach to institutional design is required, and it can be delivered through the creation of a notional ‘AI in Public Sector Authority’ (AIPSA).

Earlier analysis has also shown that there are pervasive risks of regulatory capture and commercial determination of the process of public sector digitalisation stemming from reliance on standards and benchmarks created by technology vendors or by bodies heavily influenced by the tech industry. AIPSA could safeguard against such risk through controls over the process of standard adoption. AIPSA could also guard against excessive experimentation with digital technologies by creating robust controls to counteract their policy irresistibility.

Overcoming the institutional deficit through AIPSA

The adoption of digital technologies in the process of public sector digitalisation creates regulatory challenges that require external oversight, as procurement is unable to effectively regulate this process. A particularly relevant issue concerns whether such oversight should be entrusted to a new regulator (broad approach), or whether it would suffice to assign new regulatory tasks to existing regulators (narrow approach).

I submit that the narrow approach is inadequate because it perpetuates regulatory fragmentation and can lead to undesirable spillovers or knock-on effects, whether the new regulatory tasks are assigned to data protection authorities, (quasi)regulators with a ‘sufficiently close’ regulatory remit in relation to information and communications technologies (ICT) (such as the Agency for Digital Italy (AgID), or the Dutch Advisory Council on IT assessment (AcICT)), or newly created centres of expertise in algorithmic regulation (eg the French PEReN). Such an ‘organic’ or ‘incremental’ approach to institutional development could overshadow important design considerations, as well as embed biases due to the institutional drivers of the existing (quasi)regulators.

To avoid these issues, I advocate a broader or more joined up approach in the proposal for AIPSA. AIPSA would be an independent authority with the statutory function of promoting overarching goals of digital regulation, and specifically tasked with regulating the adoption and use of digital technologies by the public sector, whether through in-house development or procurement from technology providers. AIPSA would also absorb regulatory functions in cognate areas, such as the governance of public sector data, and integrate work in areas such as cyber security. It would also serve a coordinating function with the data protection authority.

In the draft chapter, I stress three fundamental aspects of AIPSA’s institutional design: regulatory coherence, independence and expertise. Independence and expertise would be the two most crucial factors. AIPSA would need to be designed in a way that ensured both political and industry independence, with the issue of political independence having particular salience and requiring countervailing accountability mechanisms. Relatedly, the importance of digital capabilities to effectively exercise a digital regulation role cannot be overemphasised. It is not only important in relation to the active aspects of the regulatory role—such as control of standard setting or permissioning or licensing of digital technology use (below)—but also in relation to the passive aspects of the regulatory role and, in particular, in relation to reactive engagement with industry. High levels of digital capability would be essential to allow AIPSA to effectively scrutinise claims from those that sought to influence its operation and decision-making, as well as reduce AIPSA’s dependence on industry-provided information.

Safeguard against regulatory capture and policy irresistibility

Regulating the adoption of digital technologies in the process of public sector digitalisation requires establishing the substantive requirements that such technology needs to meet, as well as the governance requirements needed to ensure its proper use. AIPSA’s role in setting mandatory requirements for public sector digitalisation would be twofold.

First, through an approval or certification mechanism, it would control the process of standardisation to neutralise risks of regulatory capture and commercial determination. Where no standards were susceptible of approval or certification, AIPSA would develop them.

Second, through a permissioning or licensing process, AIPSA would ensure that decisions on the adoption of digital technologies by the public sector are not driven by ‘policy irresistibility’, that they are supported by clear governance structures and draw on sufficient resources, and that adherence to the goals of digital regulation is sustained throughout the implementation and use of digital technologies by the public sector and subject to proactive transparency requirements.

The draft chapter provides more details on both issues.

If not AIPSA … then clearly not procurement

There can be many objections to the proposals developed in this draft chapter, which would still require further development. However, most of the objections would likely also apply to the use of procurement as a tool of digital regulation. The functions expected of AIPSA closely match those expected of the procurement function under the approach to ‘digital regulation by contract’. Challenges to AIPSA’s ability to discharge such functions would be applicable to any public buyer seeking to achieve the same goals. Similarly, challenges to the independence or need for accountability of AIPSA would be applicable to atomised decision-making by public buyers.

While the proposal is necessarily imperfect, I submit that it would improve upon the emerging status quo and that, in discharging procurement of the digital regulation role, it would make a positive contribution to the governance of the transition to a new model of digital public governance.

The draft chapter is available via SSRN: Albert Sanchez-Graells, ‘Discharging procurement of the digital regulation role: external oversight and mandatory requirements for public sector digital technology adoption’.

Governing the Assessment and Taking of Risks in Digital Procurement Governance

In a previous blog post, I explored the main governance risks and legal obligations arising from the adoption of digital technologies, which revolve around data governance, algorithmic transparency, technological dependency, technical debt, cybersecurity threats, the risks stemming from the long-term erosion of the skills base in the public sector, and difficult trade-offs due to the uncertainty surrounding immature and still changing technologies within an also evolving regulatory framework. To address such risks and ensure compliance with the relevant governance obligations, I stressed the need to embed a comprehensive mechanism of risk assessment in the process of technological adoption.

In a new draft chapter (num 9) for my book project, I analyse how to embed risk assessments in the initial stages of decision-making processes leading to the adoption of digital solutions for procurement governance, and how to ensure that they are iterated throughout the lifecycle of use of digital technologies. To do so, I critically review the model of AI risk regulation that is emerging in the EU and the UK, which is based on self-regulation and self-assessment. I consider its shortcomings and how to strengthen the model, including the possibility of subjecting the process of technological adoption to external checks. The analysis converges with a broader proposal for institutionalised regulatory checks on the adoption of digital technologies by the public sector that I will develop more fully in another part of the book.

This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Governing the Assessment and Taking of Risks in Digital Procurement Governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming), Available at SSRN: https://ssrn.com/abstract=4282882.

AI Risk Regulation

The emerging (global) model of AI regulation is risk-based—as opposed to a strict precautionary approach. This implies an assumption that ‘a technology will be adopted despite its harms’. This primarily means accepting that technological solutions may (or will) generate (some) negative impacts on public and private interests, even if it is not known when or how those harms will arise, or how extensive they will be. AI risks are unique, as they are ‘long-term, low probability, systemic, and high impact’, and ‘AI both poses “aggregate risks” across systems and low probability but “catastrophic risks to society”’ [for discussion, see Margot E Kaminski, ‘Regulating the risks of AI’ (2023) 103 Boston University Law Review, forthcoming].

This should thus trigger careful consideration of the ultimate implications of AI risk regulation, and advocates in favour of taking a robust regulatory approach—including to the governance of the risk regulation mechanisms put in place, which may well require external controls, potentially by an independent authority. By contrast, the emerging model of AI risk regulation in the context of procurement digitalisation in the EU and the UK leaves the adoption of digital technologies by public buyers largely unregulated and only subject to voluntary measures, or to open-ended obligations in areas without clear impact assessment standards (which reduces the prospect of effective mandatory enforcement).

Governance of Procurement Digitalisation in the EU

Despite the emergence of a quickly expanding set of EU digital law instruments imposing a patchwork of governance obligations on public buyers, whether or not they adopt digital technologies (see here), the primary decision whether to adopt digital technologies is not subject to any specific constraints, and the substantive obligations that follow from the diverse EU law instruments tend to refer to open-ended standards that require advanced technical capabilities to operationalise them. This would not be altered by the proposed EU AI Act.

Procurement-related AI uses are classified as minimal risk under the EU AI Act, which leaves them subject only to voluntary self-regulation via codes of conduct—yet to be developed. Such codes of conduct should encourage voluntary compliance with the requirements applicable to high-risk AI uses—such as risk management systems, data and data governance requirements, technical documentation, record-keeping, transparency, or accuracy, robustness and cybersecurity requirements—‘on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.’ This seems to introduce a further element of proportionality or ‘adaptability’ requirement that could well water down the requirements applicable to minimal risk AI uses.

Importantly, while it is possible for Member States to draw up such codes of conduct, the EU AI Act would pre-empt Member States from going further and mandating compliance with specific obligations (eg by imposing a blanket extension of the governance requirements designed for high-risk AI uses) across their public administrations. The emergent EU model is thus clearly limited to the development of voluntary codes of conduct and their likely content, while yet unknown, seems unlikely to impose the same standards applicable to the adoption of high-risk AI uses.

Governance of Procurement Digitalisation in the UK

Despite its deliberate light-touch approach to AI regulation and actively seeking to deviate from the EU, the UK is relatively advanced in the formulation of voluntary standards to govern procurement digitalisation. Indeed, the UK has adopted guidance for the use of AI in the public sector, and for AI procurement, and is currently piloting an algorithmic transparency standard (see here). The UK has also adopted additional guidance in the Digital, Data and Technology Playbook and the Technology Code of Practice. Remarkably, despite acknowledging the need for risk assessments—and even linking their conduct to spend approvals required for the acquisition of digital technologies by central government organisations—none of these instruments provides clear standards on how to assess (and mitigate) risks related to the adoption of digital technologies.

Thus, despite the proliferation of guidance documents, the substantive assessment of governance risks in digital procurement remains insufficiently addressed and left to undefined risk assessment standards and practices. The only exception concerns cyber security assessments, given the consolidated approach and guidance of the National Cyber Security Centre. This lack of precision in the substantive requirements applicable to data and algorithmic impact assessments clearly constrains the likely effectiveness of the UK’s approach to embedding technology-related impact assessments in the process of adoption of digital technologies for procurement governance (and, more generally, for public governance). In the absence of clear standards, data and algorithmic impact assessments will lead to inconsistent approaches and varying levels of robustness. The absence of standards will also increase the need to access specialist expertise to design and carry out the assessments. Developing such standards and creating an effective institutional mechanism to ensure compliance therewith thus remain a challenge.

The Need for Strengthened Digital Procurement Governance

Both in the EU and the UK, the emerging model of AI risk regulation leaves digital procurement governance to compliance with voluntary measures such as (future) codes of conduct or transparency standards, or imposes open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). This follows general trends of AI risk regulation and evidences the emergence of a (sub)model highly dependent on self-regulation and self-assessment. This approach is rather problematic.

Self-Regulation: Outsourcing Impact Assessment Regulation to the Private Sector

The absence of mandatory standards for data and algorithmic impact assessments, as well as the embedded flexibility in the standards for cyber security, are bound to outsource the setting of the substantive requirements for those impact assessments to private vendors offering solutions for digital procurement governance. With limited public sector digital capability preventing a detailed specification of the applicable requirements, it is likely that these will be limited to a general obligation for tenderers to provide an impact assessment plan, perhaps by reference to emerging (international private) standards. This would imply the outsourcing of standard setting for risk assessments to private standard-setting organisations and, in the absence of those standards, to the tenderers themselves. This generates a clear and problematic risk of regulatory capture. Moreover, this process of outsourcing or excessive reliance on private agents to commercially determine impact assessment requirements is not sufficiently exposed to scrutiny and contestation.

Self-Assessment: Inadequacy of Mechanisms for Contestability and Accountability

Public buyers will rarely develop the relevant technological solutions but rather acquire them from technological providers. In that case, the duty to carry out the self-assessment will be (or should be) cascaded down to the technology provider through contractual obligations. This would place the technology provider as ‘first party’ and the public buyer as ‘second party’ in relation to assuring compliance with the applicable obligations. In a setting of limited public sector digital capability, and in part as a result of a lack of clear standards providing an applicable benchmark (as above), the self-assessment of compliance with risk management requirements will either be de facto outsourced to private vendors (through a lack of challenge of their practices), or carried out by public buyers with limited capabilities (eg during the oversight of contract implementation). Even where public buyers have the required digital capabilities to carry out a more thorough analysis, they lack independence. ‘Second party’ assurance models unavoidably raise questions about their integrity due to the conflicting interests of the assurance provider who wants to use the system (ie the public buyer).

This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions to adopt digital technologies revealed by the algorithmic disclosures. In many cases, shortcomings in the risk assessments and the related minimisation and mitigation measures will only become observable after the materialisation of the underlying harms. For example, the effects of the adoption of a defective digital solution for decision-making support (eg a recommender system) will only emerge in relation to challengeable decisions in subsequent procurement procedures that rely on such solution. At that point, undoing the effects of the use of the tool may be impossible or excessively costly. In this context, challenges based on procedure-specific harms, such as the possibility to challenge discrete procurement decisions under the general rules on procurement remedies, are inadequate. Not least, because there can be negative systemic harms that are very hard to capture in the challenge to discrete decisions, or for which no agent with active standing has adequate incentives. To avoid potential harms more effectively, ex ante external controls are needed instead.

Creating External Checks on Procurement Digitalisation

It is thus necessary to consider the creation of external ex ante controls applicable to these decisions, to ensure an adequate embedding of effective risk assessments to inform (and constrain) them. Two models are worth considering: certification schemes and independent oversight.

Certification or Conformity Assessments

While not applicable to procurement uses, the model of conformity assessment in the proposed EU AI Act offers a useful blueprint. The main potential shortcoming of conformity assessment systems is that they largely rely on self-assessments by the technology vendors, and thus on first party assurance. Third-party certification (or algorithmic audits) is possible, but voluntary. Whether there would be sufficient (market) incentives to generate a broad (voluntary) use of third-party conformity assessments remains to be seen. While it could be hoped that public buyers could impose the use of certification mechanisms as a condition for participation in tender procedures, this is a less than guaranteed governance strategy given the EU procurement rules’ functional approach to the use of labels and certificates—which systematically require public buyers to accept alternative means of proof of compliance. This thus seems to offer limited potential for (voluntary) certification schemes in this specific context.

Relatedly, the conformity assessment system foreseen in the EU AI Act is also weakened by its reliance on vague concepts with non-obvious translation into verifiable criteria in the context of a third-party assurance audit. This can generate significant limitations in the conformity assessment process. This difficulty is intended to be resolved through the development of harmonised standards by European standardisation organisations and, where those do not exist, through the approval by the European Commission of common specifications. However, such harmonised standards will largely create the same risks of commercial regulatory capture mentioned above.

Overall, the possibility of relying on ‘third-party’ certification schemes offers limited advantages over the self-regulatory approach.

Independent External Oversight

Moving beyond the governance limitations of voluntary third-party certification mechanisms and creating effective external checks on the adoption of digital technologies for procurement governance would require external oversight. An option would be to make the envisaged third-party conformity assessments mandatory, but that would perpetuate the risks of regulatory capture and the outsourcing of the assurance system to private parties. A different, preferable option would be to assign the approval of the decisions to adopt digital technologies and the verification of the relevant risk assessments to a centralised authority also tasked with setting the applicable requirements therefor. The regulator would thus be placed as gatekeeper of the process of transition to digital procurement governance, instead of the atomised imposition of this role on public buyers. This would be reflective of the general features of the system of external controls proposed in the US State of Washington’s Bill SB 5116 (for discussion, see here).

The main goal would be to introduce an element of external verification of the assessment of potential AI harms and the related taking of risks in the adoption of digital technologies. It is submitted that there is a need for the regulator to be independent, so that the system fully encapsulates the advantages of third-party assurance mechanisms. It is also submitted that the data protection regulator may not be best placed to take on the role as its expertise—even if advanced in some aspects of data-intensive digital technologies—primarily relates to issues concerning individual rights and their enforcement. The more diffuse collective interests at stake in the process of transition to a new model of public digital governance (not only in procurement) would require a different set of analyses. While reforming data protection regulators to become AI mega-regulators could be an option, that is not necessarily desirable and it seems that an easier to implement, incremental approach would involve the creation of a new independent authority to control the adoption of AI in the public sector, including in the specific context of procurement digitalisation.

Conclusion

An analysis of emerging regulatory approaches in the EU and the UK shows that the adoption of digital technologies by public buyers is largely unregulated and only subjected to voluntary measures, or to open-ended obligations in areas without clear standards (which reduces the prospect of effective mandatory enforcement). The emerging model of AI risk regulation in the EU and UK follows more general trends and points at the consolidation of a (sub)model of risk-based digital procurement governance that strongly relies on self-regulation and self-assessment.

However, given its limited digital capabilities, the public sector is not best placed to control or influence the process of self-regulation, which results in the outsourcing of crucial regulatory tasks to technology vendors and the consequent risk of regulatory capture and suboptimal design of commercially determined governance mechanisms. These risks are compounded by the emerging ‘second party assurance’ model, as self-assessments by technology vendors would not be adequately scrutinised by public buyers, either due to a lack of digital capabilities or the unavoidable structural conflicts of interest of assurance providers with an interest in the use of the technology, or both. This ‘second party’ assurance model does not include adequate challenge mechanisms despite efforts to disclose (parts of) the relevant self-assessments. Such disclosures are constrained by general problems with ‘comply or explain’ information-based governance mechanisms, with the emerging model showing design features that have proven problematic in other contexts (such as corporate governance and financial market regulation). Moreover, there is no clear mechanism to contest the decisions revealed by the disclosures, including in the context of (delayed) specific uses of the technological solutions.

The analysis also shows how a model of third-party assurance or certification would be affected by the same issues of outsourcing of regulatory decisions to private parties, and ultimately would largely replicate the shortcomings of the self-regulatory and self-assessed model. A certification model would thus only generate a marginal improvement over the emerging model—especially given the functional approach to the use of certification and labels in procurement.

Moving past these shortcomings requires assigning the approval of decisions whether to adopt digital technologies and the verification of the related impact assessments to an independent authority: the ‘AI in the Public Sector Authority’ (AIPSA). I will fully develop a proposal for such authority in coming months.

CJEU rubber stamps Italian minimum tariffs for certification in public procurement, subject to proportionality (C-327/12)


In its Judgment of 12 December 2013 in case C-327/12 Soa Nazionale Costruttori, the Court of Justice of the EU has followed rather closely AG Cruz Villalon's Opinion (commented here) and declared that a scheme of compulsory minimum tariffs for certification services supplied to undertakings seeking to participate in procedures for the award of public contracts is not per se contrary to EU competition and free movement rules, always provided that it is not disproportionate (which determination it referred back to the domestic courts).
 
One of the remarkable features of the Judgment is the level of detail in which the CJEU has summarised its State action doctrine. In this useful reminder, the CJEU has stressed that
37 [...] although it is true that Articles 101 TFEU and 102 TFEU are concerned solely with the conduct of undertakings and not with laws or regulations emanating from Member States, those articles, read in conjunction with Article 4(3) TEU, which lays down a duty of cooperation between the European Union and the Member States, none the less require the latter not to introduce or maintain in force measures, even of a legislative or regulatory nature, which may render ineffective the competition rules applicable to undertakings (see Joined Cases C‑94/04 and C‑202/94 Cipolla and Others [2006] ECR I‑11421, paragraph 46, and Case C‑393/08 Sbarigia [2010] ECR I‑6337, paragraph 31).

38 Articles 101 TFEU or 102 TFEU, read in conjunction with Article 4(3) TEU, are infringed where a Member State requires or encourages the adoption of agreements, decisions or concerted practices contrary to Article 101 TFEU or reinforces their effects, or where it divests its own rules of the character of legislation by delegating to private economic operators responsibility for taking decisions affecting the economic sphere, or requires or encourages abuses of a dominant position (see, to that effect, Cipolla and Others, paragraph 47)
[C-327/12 at paras 37-38, emphasis added].
Further than this, and after dismissing the applicability of the State action doctrine on the basis of a lack of evidence of the existence of such effects--which is at least questionable where we are in presence of a de facto agreement on minimum prices between certification entities--the CJEU rejects the application of Art 106 TFEU on the basis that the authorisation given by the Italian State to the certification entities is not an exclusive or special right because there is no numerus clausus of authorisations. On this point, the CJEU must be praised for sticking to its stated case law in Ambulanz Glockner and not accepting the rather counterintuitive remarks made by the AG in his Opinion (criticised here).
 
Finally, and looking at the compatibility with freedom of establishment rules (Art 49 TFEU), in the Soa Nazionale Costruttori Judgment, the CJEU has followed very closely the Opinion of the Advocate General and accepted some premises for the existence of mandatory public procurement certification schemes subject to (non-disproportionate) minimum tariffs that I find objectionable. In particular, I think that the CJEU should have avoided declaring such a system adequate to protect a public interest in the following terms:
59 A restriction on the freedom of establishment may be justified where it serves overriding requirements relating to the public interest, is suitable for securing the attainment of the objective which it pursues and does not go beyond what is necessary in order to attain it (see DKV Belgium, paragraph 38).
60 Unionsoa and the Italian Government consider that the national legislation at issue in the main proceedings seeks to ensure the independence of SOAs and the quality of the certification services which they supply. Competition between SOAs at the level of tariffs negotiated with their customers and the possibility of fixing those tariffs at a very low level would risk compromising their independence with respect to those customers and having a negative impact on the quality of the certification services.
61 In that regard, it must be observed that the public interest in the protection of recipients of services can justify a restriction on the freedom of establishment (see Case C‑451/03 Servizi Ausiliari Dottori Commercialisti [2006] ECR I‑2941, paragraph 38).
62 In this case, first, SOAs are entrusted with certification of undertakings, receipt of an appropriate certificate being a necessary condition in order for the undertakings concerned to participate in public works contracts. In that context, the Italian legislation seeks to ensure the lack of any commercial or financial interest such as to result in unimpartial or discriminatory behaviour on the part of SOAs with regard to those undertakings.
63 Secondly, as is apparent from the order for reference, SOAs may only carry out certification activities. Moreover, they are required, in accordance with national legislation, to have resources and procedures suitable for ensuring that their services are carried out effectively and in good faith.
64 It is with a view to protecting the recipients of the services that the independence of SOAs vis-à-vis the specific interests of their customers is particularly important. A certain restriction of the possibility to negotiate the prices of services with those customers is likely to strengthen their independence.
65 In those circumstances, it must be held, as the Advocate General essentially stated in point 58 of his Opinion, that the setting of minimum tariffs for the supply of such services is intended, in principle, to ensure the quality of those services and it is suitable for attaining the objective of protecting the recipients of those services [C-327/12 at paras 59-65, emphasis added].
In my view, the CJEU's position is exceedingly lenient. Particularly if one takes into consideration that the ultimate "beneficiaries" of the certification services (i.e. the Italian contracting authorities) cannot impose the provision of those certificates on all entities willing to participate in their tenders for public contracts. Under Art 52(5) of Directive 2004/18 (the same provision that allows for the creation of certification entities such as the Italian SOAs) it is clearly stated that 'economic operators from other Member States may not be obliged to undergo such registration or certification in order to participate in a public contract. The contracting authorities shall recognise equivalent certificates from bodies established in other Member States. They shall also accept other equivalent means of proof' (emphasis added). So, even if only in relation to non-national undertakings, it is clear that contracting authorities need to retain independent capacity to assess alternative methods of proof of suitability of tenderers. Moreover, under Art 52(4), contracting authorities can challenge the certifications (or the information derived therefrom) as long as they have a sufficient reason to distrust it. Therefore, their reliance on the certificates of (domestic) tenderers is not intended to be uncritical or necessarily automatic if there are reasons that justify a request for further information.
 
Consequently, the creation of systems of mandatory certification seems to protect a weak public interest inasmuch as they are simply a mechanism of administrative simplification (or red tape reduction). If this is borne in mind, the reasoning based on the independence of the certifying entities and the need to set minimum prices in order to preserve it so that contracting authorities' interests are sufficiently protected seems to fade away rather quickly.
 
Moreover, the CJEU's lukewarm approach to the proportionality of the Italian minimum certification tariffs (which is limited to indicating that 'It is for the referring court to determine whether, in the light of, inter alia, the method of calculating the minimum tariffs, particularly in the light of the number of categories of work for which the certificate is drawn up, that national legislation goes beyond what is necessary to attain that objective', para 69) does not establish a sufficiently clear indication of the lack of proportionality of a system that, effectively, forces (!) certification entities to charge larger sums for exactly the same amount of work depending on the number of contracts the certified undertaking wants to tender for. In this regard, the Opinion of Advocate General Cruz Villalon is much more detailed and convincing.
 
All in all, in my view, this is a formally correct and substantially very deficient Judgment of the CJEU, and one that keeps a very formal approach to restrictions on free movement (as the CJEU has only looked at restrictions on the freedom of establishment, forgetting completely about the implications of the system on the free movement of goods and free provision of services subjected to the EU public procurement rules). A more holistic and functional approach would have been preferable.

GC on #quality assurance #standards in #publicprocurement: A knee-jerk reaction (T-288/11)

In its Judgment of 6 May 2013 in case T-288/11 Kieffer Omnitec v Commission (only available in French), the General Court of the European Union (GC) was presented with an important issue concerning the proportionality of quality assurance requirements under EU public procurement rules. In a setting that resembled the issue addressed a year ago by the Court of Justice (CJEU) in relation to general corporate social responsibility / fair trade requirements in Commission v Netherlands (Fair trade beverages) (C‑368/10), the GC was asked to consider whether requiring that tenderers be ISO certified for all their maintenance activities is disproportionate and, consequently, breaches the applicable EU rules.

In the case at hand, the European Commission had tendered a contract for the maintenance of HVAC, sprinklers and other equipment in one of its buildings. As a part of the tender requirements, the Commission requested that all tenderers furnish proof of ISO certification valid for the whole of their maintenance activities. A tenderer that failed to provide such proof (but which engaged a third party to ISO-audit its activities in the Commission's building in case it was awarded the contract) and was, hence, not considered for the award of the contract challenged this requirement on various grounds. Amongst the challenges raised by the disappointed tenderer, it is worth noting that it considered that extending the requirement to all maintenance activities instead of limiting it to the activities covered by the contract was excessive and disproportionate.

One of the arguments presented by the disappointed tenderer was that, despite the Commission not being directly subjected to the provisions of Directive 2004/18 on public procurement, the rules established in its article 49 should be taken into consideration. Such provision specifically addresses the issue of quality assurance standards and mandates that:
Should they require the production of certificates drawn up by independent bodies attesting the compliance of the economic operator with certain quality assurance standards, contracting authorities shall refer to quality assurance systems based on the relevant European standards series certified by bodies conforming to the European standards series concerning certification. They shall recognise equivalent certificates from bodies established in other Member States. They shall also accept other evidence of equivalent quality assurance measures from economic operators (emphasis added).
However, before entering the discussion of the proportionality of the requirement, the GC strangely separated itself from the use of Directive 2004/18 as a valid interpretation guide (by analogy). The GC considered that:
22 Before turning to the examination of the matter at hand, it is important at the outset to recall that, regarding the law applicable to procedures for the award of public service contracts undertaken by the institutions of the European Union, these procedures are governed by the provisions of Title V of Part I of the Financial Regulation as well as its Implementing Rules.

23 These provisions are based, of course, on the EU directives in this area (see, to that effect, judgment of 12 July 2007, Evropaïki Dynamiki / Commission, T-250/05, not published in the ECR, paragraph 1, and judgment of 9 September 2010, Evropaïki Dynamiki / EMCDDA, T-63/06, not published in the ECR, paragraph 4). However, Member States are the sole addressees of these directives and, therefore and in principle, these rules only govern public procurement by the institutions of the Member States. Such directives do not apply to public contracts awarded by the institutions of the Union on their own account, save for the question regarding the thresholds that determine the manner of publication, the choice of procedures and the applicable deadlines (judgment of 19 March 2010, Evropaïki Dynamiki / Commission, T-50/05, p. II-1071, paragraph 104).
24 It follows that, in this case, in the examination of the first plea raised by the applicant, only the provisions of the Financial Regulation and the Implementing Rules need to be taken into consideration. Reversely, however, there is no need to take into account Article 49 of Directive 2004/18, cited by the applicant. (T-288/11 at paras 22 to 24, own translation from French).
With these remarks, the GC is departing from its previous practice to consider the rules under Directive 2004/18 as a valid guide for interpretation and is generating a risk of inconsistency in the development of EU public procurement law. Moreover, there is no good reason why the general criteria encapsulated in article 49 dir 2004/18 could not be expressly referred to since, it must be stressed, they are no more than a specification of the general principles of 'technical neutrality' (in broad terms) and proportionality that the GC must take into consideration anyway. Nonetheless, as we shall see, by excluding the use of the general provision as a valid analytical framework and 'chopping off' the last bit of article 49 dir 2004/18, the GC conveniently avoids the issue of having to consider if the Commission failed to accept 'equivalent quality assurance measures'.

Once the assessment is carried out precisely in terms of the proportionality of the ISO requirement, the GC finds that:
38 [...] the requirement [of full ISO certification] does not appear disproportionate to the extent that, on the one hand, Article 137, paragraph 3a of the Implementing Rules provides that "[w]hen the contracting authorities require the production of certificates drawn up by independent certification bodies attesting that the economic operator complies with certain standards of quality assurance, they shall refer to quality assurance systems based on the relevant European standards certified by bodies conforming to the European standards series concerning certification."

39 Moreover, as the Commission has rightly pointed out in its defense, in the selection of tenderers, when it comes to ensuring their technical capacity, the ISO certification must necessarily target the agent itself and not the contract to be awarded. In fact, ISO 9001 specifies requirements for the quality management system when an organization needs to demonstrate its ability to provide a product that meets customer and regulatory and legal requirements. This standard of "quality" is applicable to the process that a company uses to make its products or services and so can attest to the effectiveness and quality of its organization and its ability to provide the deliverables covered by the contract.

40 It is true that, except for ISO certifications attesting to the quality of the organization of the company, there are ISO certifications to attest to the quality of products or specific projects. However, as pointed out by the Commission, only the former may be required under the selection criteria of a given tender. The latter can only be used, as appropriate, as a contract performance condition, since they can only be obtained once the contract is in place in order to certify that the project or the product has been made in accordance with ISO standards.

41 Contrary to what the applicant claims, the Court considers that the requirement of a certificate attesting that the bidders comply with ISO [for all their maintenance activities] is proportionate to the subject of the contract. (T-288/11 at paras 38 to 41, own translation from French, emphasis added).
In my view, there are several objections to be raised to the finding of the GC. Firstly, as mentioned in passing, this 'maximalistic' approach to quality control that links it to a selection criterion may run contrary to the approach taken by the CJEU in Commission v Netherlands (Fair trade beverages). Indeed, the CJEU took a very restrictive approach to the use of general technical requirements that go beyond those specified in art 48 dir 2004/18. As the CJEU clearly put it 'Article 48 exhaustively lists the factors on the basis of which the contracting authority may evaluate and assess the technical and professional abilities of the tenderers' (C-368/10 at para 105).

In that regard, it is worth stressing that art 48 dir 2004/18 only mentions quality assurance in the following respects: i) an indication of the technicians or technical bodies involved in quality control [art 48(2)(b)]; ii) a description of the technical facilities and measures used by the supplier or service provider for ensuring quality [art 48(2)(c)]; and, only in relation to specific products to be supplied, certificates drawn up by official quality control institutes or agencies of recognised competence attesting the conformity of products clearly identified by references to specifications or standards [art 48(2)(j)(ii)]. Therefore, when art 49 dir 2004/18 refers to the 'production of certificates drawn up by independent bodies attesting the compliance of the economic operator with certain quality assurance standards', it can be said that it is only referring to the requirement of art 48(2)(j)(ii)--and clearly sets a strong link (and limitation) with the specific products (not services) to be supplied in a given contract. Failing that, and in any case, art 49 requires contracting authorities to accept 'equivalent quality assurance measures'.

In my view, then, the finding of the GC in Kieffer Omnitec is irreconcilable with the case law of the CJEU on selection criteria and with the foreseeable interpretation of art 49 dir 2004/18. Moreover, even from a broader perspective--and similarly to what I have argued elsewhere [Sanchez Graells, Public Procurement and the EU Competition Rules (Oxford, Hart, 2011) pp. 315]:
Even if rules on qualitative selection and non-discrimination requirements are formally complied with in a given tender, the adoption of certain award criteria could generate the same results as an infringement of those rules. That could be the case if the award criteria or their weighting favoured tenders submitted by certain operators on the basis of conditions that could not have been used for the purposes of the qualitative selection of candidates or that automatically exclude de facto a significant number of tenders (or even restrict the number of compliant tenders to one). For instance, they could do so by requiring the implementation of quality management systems for the purposes of the specific contract that would have proven excessive or irrelevant for the purposes of assessing the general suitability of the tenderer; or that exclude certain operators because they focus on requirements whose implementation would be impossible for tenderers that did not comply with these or other requirements beforehand, or whose partial implementation would not be economically viable with regard exclusively to the specific contract.[1] In these instances, the adoption of such award criteria could generate significant distortions or restrictions of competition—without, it must be admitted, generating a substantial potential for discrimination. Therefore, such a strategy should be banned and contracting authorities should guarantee that the award criteria and their weighting ensure equality of opportunity of all tenderers and, consequently, should not focus on or advantage compliance with criteria not restricted to the tender itself—ie criteria that undertakings would be in a position to comply with or not depending on previous or general conditions unrelated (or not specifically related) to the subject-matter of the contract.[2]

[1] In similar terms, rejecting the possibility of establishing general requirements that go further than required by the object of the contract, see P Trepte, Regulating Procurement. Understanding the Ends and Means of Public Procurement Regulation (Oxford, Oxford University Press, 2004) 197–8.

[2] For instance, if certifying compliance with a given quality standard for the product required the previous certification of the general operations of the undertaking as being compliant with a more general quality control system, and the tender documents did not require tenderers to be certified under that standard—then, giving better evaluations to certified than to non-certified products would generate a distortion of competition by de facto excluding or reducing the chances of award to non-certified undertakings (which would not be in a position to get the products certified only for the purposes of the tender). Therefore, by indirectly advantaging or requiring compliance with a condition not imposed at the qualitative selection stage, which refers to more general conditions unrelated to the specific contract, the contracting authority would be distorting competition in a way that should be declared to run contrary to the directives.
As the discussion above shows (despite referring to award criteria), the GC has opened the door to the requirement of general certification for undertakings to participate in tenders. In my view, this is incorrect, in that contracting authorities can only be concerned with the quality assurance of the products they are supplied or the services they receive, but cannot use procurement as a regulatory tool to mandate quality assurance compliance that goes beyond the remit of the contractual object--in the same manner that the CJEU clearly said in Commission v Netherlands (Fair trade beverages) that public procurement cannot be used to mandate corporate social responsibility.

In my opinion, the Judgment of the GC in Kieffer Omnitec is a knee-jerk reaction to an action brought by a disappointed bidder that clearly did not meet the technical requirements (properly) set by the European Commission. It will be desirable to hear the CJEU interpret art 49 dir 2004/18 and to rule on its (analogous) application to the procurement conducted by the EU Institutions--particularly because the trends towards potentially inconsistent development of EU public procurement law and the regulatory use of procurement for quality control purposes are not desirable at all.