Responsibly Buying Artificial Intelligence: A Regulatory Hallucination?

November 21, 2023

I look forward to delivering the lecture ‘Responsibly Buying Artificial Intelligence: A Regulatory Hallucination?’ as part of the Current Legal Problems Lecture Series 2023-24 organised by UCL Laws. The lecture will be this Thursday 23 November 2023 at 6pm GMT and you can still register to participate (either online or in person). These are the slides I will be using, in case you want to take a sneak peek. I will post a draft version of the paper after the lecture. Comments welcome!

Thoughts on the AI Safety Summit from a public sector procurement & use of AI perspective

November 3, 2023

The UK Government hosted an AI Safety Summit on 1-2 November 2023. A summary of the targeted discussions in a set of 8 roundtables has been published for Day 1, as well as a set of Chair’s statements for Day 2, including considerations around safety testing, the state of the science, and a general summary of discussions. There is also, of course, the (flagship?) Bletchley Declaration, and an introduction to the announced AI Safety Institute (UK AISI).

In this post, I collect some of my thoughts on these outputs of the AI Safety Summit from the perspective of public sector procurement and use of AI.

What was said at the AI safety Summit?

Although the summit was narrowly targeted to discussion of ‘frontier AI’ as particularly advanced AI systems, some of the discussions seem to have involved issues also applicable to less advanced (ie currently in existence) AI systems, and even to non-AI algorithms used by the public sector. As the general summary reflects, ‘There was also substantive discussion of the impact of AI upon wider societal issues, and suggestions that such risks may themselves pose an urgent threat to democracy, human rights, and equality. Participants expressed a range of views as to which risks should be prioritised, noting that addressing frontier risks is not mutually exclusive from addressing existing AI risks and harms.’ Crucially, ‘participants across both days noted a range of current AI risks and harmful impacts, and reiterated the need for them to be tackled with the same energy, cross-disciplinary expertise, and urgency as risks at the frontier.’ Hopefully, then, some of the rather far-fetched discussions of future existential risks can be conducive to taking action on current harms and risks arising from the procurement and use of less advanced systems.

There seemed to be some recognition of the need for more State intervention through regulation, for more regulatory control of standard-setting, and for more attention to be paid to testing and evaluation in the procurement context. For example, the summary of Day 1 discussions indicates that participants agreed that

‘We should invest in basic research, including in governments’ own systems. Public procurement is an opportunity to put into practice how we will evaluate and use technology.’ (Roundtable 4)
‘Company policies are just the baseline and don’t replace the need for governments to set standards and regulate. In particular, standardised benchmarks will be required from trusted external third parties such as the recently announced UK and US AI Safety Institutes.’ (Roundtable 5)

In Day 2, in the context of safety testing, participants agreed that

Governments have a responsibility for the overall framework for AI in their countries, including in relation to standard setting. Governments recognise their increasing role for seeing that external evaluations are undertaken for frontier AI models developed within their countries in accordance with their locally applicable legal frameworks, working in collaboration with other governments with aligned interests and relevant capabilities as appropriate, and taking into account, where possible, any established international standards.
Governments plan, depending on their circumstances, to invest in public sector capability for testing and other safety research, including advancing the science of evaluating frontier AI models, and to work in partnership with the private sector and other relevant sectors, and other governments as appropriate to this end.
Governments will plan to collaborate with one another and promote consistent approaches in this effort, and to share the outcomes of these evaluations, where sharing can be done safely, securely and appropriately, with other countries where the frontier AI model will be deployed.

This could be a basis on which to build an international consensus on the need for more robust and decisive regulation of AI development and testing, as well as a consensus of the sets of considerations and constraints that should be applicable to the procurement and use of AI by the public sector in a way that is compliant with individual (human) rights and social interests. The general summary reflects that ‘Participants welcomed the exchange of ideas and evidence on current and upcoming initiatives, including individual countries’ efforts to utilise AI in public service delivery and elsewhere to improve human wellbeing. They also affirmed the need for the benefits of AI to be made widely available’.

However, some statements seem at first sight contradictory or problematic. While the excerpt above stresses that ‘Governments have a responsibility for the overall framework for AI in their countries, including in relation to standard setting’ (emphasis added), the general summary also stresses that ‘The UK and others recognised the importance of a global digital standards ecosystem which is open, transparent, multi-stakeholder and consensus-based and many standards bodies were noted, including the International Standards Organisation (ISO), International Electrotechnical Commission (IEC), Institute of Electrical and Electronics Engineers (IEEE) and relevant study groups of the International Telecommunication Union (ITU).’ Quite how State responsibility for standard setting fits with industry-led standard setting by such organisations is not only difficult to fathom, but also one of the potentially most problematic issues due to the risk of regulatory tunnelling that delegation of standard setting without a verification or certification mechanism entails.

Moreover, there seemed to be insufficient agreement around crucial issues, which are summarised as ‘a set of more ambitious policies to be returned to in future sessions’, including:

‘1. Multiple participants suggested that existing voluntary commitments would need to be put on a legal or regulatory footing in due course. There was agreement about the need to set common international standards for safety, which should be scientifically measurable.

2. It was suggested that there might be certain circumstances in which governments should apply the principle that models must be proven to be safe before they are deployed, with a presumption that they are otherwise dangerous. This principle could be applied to the current generation of models, or applied when certain capability thresholds were met. This would create certain ‘gates’ that a model had to pass through before it could be deployed.

3. It was suggested that governments should have a role in testing models not just pre- and post-deployment, but earlier in the lifecycle of the model, including early in training runs. There was a discussion about the ability of governments and companies to develop new tools to forecast the capabilities of models before they are trained.

4. The approach to safety should also consider the propensity for accidents and mistakes; governments could set standards relating to how often the machine could be allowed to fail or surprise, measured in an observable and reproducible way.

5. There was a discussion about the need for safety testing not just in the development of models, but in their deployment, since some risks would be contextual. For example, any AI used in critical infrastructure, or equivalent use cases, should have an infallible off-switch.

…

8. Finally, the participants also discussed the question of equity, and the need to make sure that the broadest spectrum was able to benefit from AI and was shielded from its harms.’

All of these are crucial considerations in relation to the regulation of AI development, (procurement) and use. A lack of consensus around these issues already indicates that there was a generic agreement that some regulation is necessary, but much more limited agreement on what regulation is necessary. This is clearly reflected in what was actually agreed at the summit.

What was agreed at the AI Safety Summit?

Despite all the discussions, little was actually agreed at the AI Safety Summit. The Blethcley Declaration includes a lengthy (but rather uncontroversial?) description of the potential benefits and actual risks of (frontier) AI, some rather generic agreement that ‘something needs to be done’ (eg welcoming ‘the recognition that the protection of human rights, transparency and explainability, fairness, accountability, regulation, safety, appropriate human oversight, ethics, bias mitigation, privacy and data protection needs to be addressed’) and very limited and unspecific commitments.

Indeed, signatories only ‘committed’ to a joint agenda, comprising:

‘identifying AI safety risks of shared concern, building a shared scientific and evidence-based understanding of these risks, and sustaining that understanding as capabilities continue to increase, in the context of a wider global approach to understanding the impact of AI in our societies.
building respective risk-based policies across our countries to ensure safety in light of such risks, collaborating as appropriate while recognising our approaches may differ based on national circumstances and applicable legal frameworks. This includes, alongside increased transparency by private actors developing frontier AI capabilities, appropriate evaluation metrics, tools for safety testing, and developing relevant public sector capability and scientific research’ (emphases added).

This does not amount to much that would not happen anyway and, given that one of the UK Government’s objectives for the Summit was to create mechanisms for global collaboration (‘a forward process for international collaboration on frontier AI safety, including how best to support national and international frameworks’), this agreement for each jurisdiction to do things as they see fit in accordance to their own circumstances and collaborate ‘as appropriate’ in view of those seems like a very poor ‘win’.

In reality, there seems to be little coming out of the Summit other than a plan to continue the conversations in 2024. Given what had been said in one of the roundtables (num 5) in relation to the need to put in place adequate safeguards: ‘this work is urgent, and must be put in place in months, not years’; it looks like the ‘to be continued’ approach won’t do or, at least, cannot be claimed to have made much of a difference.

What did the UK Government promise in the AI Summit?

A more specific development announced with the occasion of the Summit (and overshadowed by the earlier US announcement) is that the UK will create the AI Safety Institute (UK AISI), a ‘state-backed organisation focused on advanced AI safety for the public interest. Its mission is to minimise surprise to the UK and humanity from rapid and unexpected advances in AI. It will work towards this by developing the sociotechnical infrastructure needed to understand the risks of advanced AI and enable its governance.’

Crucially, ‘The Institute will focus on the most advanced current AI capabilities and any future developments, aiming to ensure that the UK and the world are not caught off guard by progress at the frontier of AI in a field that is highly uncertain. It will consider open-source systems as well as those deployed with various forms of access controls. Both AI safety and security are in scope’ (emphasis added). This seems to carry forward the extremely narrow focus on ‘frontier AI’ and catastrophic risks that augured a failure of the Summit. It is also in clear contrast with the much more sensible and repeated assertions/consensus in that other types of AI cause very significant risks and that there is ‘a range of current AI risks and harmful impacts, and reiterated the need for them to be tackled with the same energy, cross-disciplinary expertise, and urgency as risks at the frontier.’

Also crucially, UK AISI ‘is not a regulator and will not determine government regulation. It will collaborate with existing organisations within government, academia, civil society, and the private sector to avoid duplication, ensuring that activity is both informing and complementing the UK’s regulatory approach to AI as set out in the AI Regulation white paper’.

According to initial plans, UK AISI ‘will initially perform 3 core functions:

Develop and conduct evaluations on advanced AI systems, aiming to characterise safety-relevant capabilities, understand the safety and security of systems, and assess their societal impacts
Drive foundational AI safety research, including through launching a range of exploratory research projects and convening external researchers
Facilitate information exchange, including by establishing – on a voluntary basis and subject to existing privacy and data regulation – clear information-sharing channels between the Institute and other national and international actors, such as policymakers, international partners, private companies, academia, civil society, and the broader public’

It is also stated that ‘We see a key role for government in providing external evaluations independent of commercial pressures and supporting greater standardisation and promotion of best practice in evaluation more broadly.’ However, the extent to which UK AISI will be able to do that will hinge on issues that are not currently clear (or publicly disclosed), such as the membership of UK AISI or its institutional set up (as ‘state-backed organisation’ does not say much about this).

On that very point, it is somewhat problematic that the UK AISI ‘is an evolution of the UK’s Frontier AI Taskforce. The Frontier AI Taskforce was announced by the Prime Minister and Technology Secretary in April 2023’ (ahem, as ‘Foundation Model Taskforce’—so this is the second rebranding of the same initiative in half a year). As is problematic that UK AISI ‘will continue the Taskforce’s safety research and evaluations. The other core parts of the Taskforce’s mission will remain in [the Department for Science, Innovation and Technology] as policy functions: identifying new uses for AI in the public sector; and strengthening the UK’s capabilities in AI.’ I find the retention of analysis pertaining to public sector AI use within government problematic and a clear indication of the UK’s Government unwillingness to put meaningful mechanisms in place to monitor the process of public sector digitalisation. UK AISI very much sounds like a research institute with a focus on a very narrow set of AI systems and with a remit that will hardly translate into relevant policymaking in areas in dire need of regulation. Finally, it is also very problematic that funding is not locked: ‘The Institute will be backed with a continuation of the Taskforce’s 2024 to 2025 funding as an annual amount for the rest of this decade, subject to it demonstrating the continued requirement for that level of public funds.’ In reality, this means that the Institute’s continued existence will depend on the Government’s satisfaction with its work and the direction of travel of its activities and outputs. This is not at all conducive to independence, in my view.

So, all in all, there is very little new in the announcement of the creation of the UK AISI and, while there is a (theoretical) possibility for the Institute to make a positive contribution to regulating AI procurement and use (in the public sector), this seems extremely remote and potentially undermined by the Institute’s institutional set up. This is probably in stark contrast with the US approach the UK is trying to mimic (though more on the US approach in a future entry).

AI in the public sector: can procurement promote trustworthy AI and avoid commercial capture?

July 6, 2023

The recording and slides of the public lecture on ‘AI in the public sector: can procurement promote trustworthy AI and avoid commercial capture?’ I gave at the University of Bristol Law School on 4 July 2023 are now available. As always, any further comments most warmly received at: a.sanchez-graells@bristol.ac.uk.

This lecture brought my research project to an end. I will now focus on finalising the manuscript and sending it off to the publisher, and then take a break for the rest of the summer. I will share details of the forthcoming monograph in a few months. I hope to restart blogging in September. in the meantime, I wish all HTCaN friends all the best. Albert

Two policy briefings on digital technologies and procurement

June 21, 2023

Now that my research project ‘Digital technologies and public procurement. Gatekeeping and experimentation in digital public governance’ nears its end, some outputs start to emerge. In this post, I would like to highlight two policy briefings summarising some of my top-level policy recommendations, and providing links to more detailed analysis. All materials are available in the ‘Digital Procurement Governance’ tab.

Policy Briefing 1: ‘Guaranteeing public sector adoption of trustworthy AI - a task that should not be left to procurement’

Policy Briefing 2: ‘Successful procurement digitalisation requires more data, in-house expertise, and improved governance mechanisms’

"Can Procurement Be Used to Effectively Regulate AI?" [recording]

May 31, 2023

The recording and slides for yesterday’s webinar on ‘Can Procurement Be Used to Effectively Regulate AI?’ co-hosted by the University of Bristol Law School and the GW Law Government Procurement Programme are now available for catch up if you missed it.

I would like to thank once again Dean Jessica Tillipman (GW Law), Dr Aris Georgopoulos (Nottingham), Elizabeth "Liz" Chirico (Acquisition Innovation Lead at Office of the Deputy Assistant Secretary of the Army - Procurement) and Scott Simpson (Digital Transformation Lead, Department of Homeland Security Office of the Chief Procurement Officer - Procurement Innovation Lab) for really interesting discussion, and to all participants for their questions. Comments most welcome, as always.

Free registration open for two events on procurement and artificial intelligence

April 21, 2023

Registration is now open for two free events on procurement and artificial intelligence (AI).

First, a webinar where I will be participating in discussions on the role of procurement in contributing to the public sector’s acquisition of trustworthy AI, and the associated challenges, from an EU and US perspective.

Second, a public lecture where I will present the findings of my research project on digital technologies and public procurement.

Please scroll down for details and links to registration pages. All welcome!

1. ‘Can Procurement Be Used to Effectively Regulate AI?’ | Free online webinar
30 May 2023 2pm BST / 3pm CET-SAST / 9am EST (90 mins)
Co-organised by University of Bristol Law School and George Washington University Law School.

Artificial Intelligence (“AI”) regulation and governance is a global challenge that is starting to generate different responses in the EU, US, and other jurisdictions. Such responses are, however, rather tentative and politically contested. A full regulatory system will take time to crystallise and be fully operational. In the meantime, despite this regulatory gap, the public sector is quickly adopting AI solutions for a wide range of activities and public services.

This process of accelerated AI adoption by the public sector places procurement as the (involuntary) gatekeeper, tasked with ‘AI regulation by contract’, at least for now. The procurement function is expected to design tender procedures and contracts capable of attaining goals of AI regulation (such as trustworthiness, explainability, or compliance with data protection and human and fundamental rights) that are so far eluding more general regulation.

This webinar will provide an opportunity to take a hard look at the likely effectiveness of AI regulation by contract through procurement and its implications for the commercialisation of public governance, focusing on key issues such as:

The interaction between tender design, technical standards, and negotiations.
The challenges of designing, monitoring, and enforcing contractual clauses capable of delivering effective ‘regulation by contract’ in the AI space.
The tension between the commercial value of tailored contractual design and the regulatory value of default clauses and standard terms.
The role of procurement disputes and litigation in shaping AI regulation by contract.
The alternative regulatory option of establishing mandatory prior approval by an independent regulator of projects involving AI adoption by the public sector.

This webinar will be of interest to those working on or researching the digitalisation of the public sector and AI regulation in general, as the discussion around procurement gatekeeping mirrors the main issues arising from broader trends.

I will have the great opportunity of discussing my research with Aris Georgopoulos (Nottingham), Scott Simpson (Digital Transformation Lead at U.S. Department of Homeland Security), and Liz Chirico (Acquisition Innovation Lead at Office of the Deputy Assistant Secretary of the Army). Jessica Tillipman (GW Law) will moderate the discussion and Q&A.

Registration: https://law-gwu-edu.zoom.us/webinar/register/WN_w_V9s_liSiKrLX9N-krrWQ.

2. ‘AI in the public sector: can procurement promote trustworthy AI and avoid commercial capture?’ | Free in-person public lecture
4 July 2023 2pm BST, Reception Room, Wills Memorial Building, University of Bristol
Organised by University of Bristol Law School, Centre for Global Law and Innovation

The public sector is quickly adopting artificial intelligence (AI) to manage its interactions with citizens and in the provision of public services – for example, using chatbots in official websites, automated processes and call-centres, or predictive algorithms.

There are inherent high stakes risks to this process of public governance digitalisation, such as bias and discrimination, unethical deployment, data and privacy risks, cyber security risks, or risks of technological debt and dependency on proprietary solutions developed by (big) tech companies.

However, as part of the UK Government’s ‘light touch’ ‘pro-innovation’ approach to digital technology regulation, the adoption of AI in the public sector remains largely unregulated.

In this public lecture, I will present the findings of my research funded by the British Academy, analysing how, in this deregulatory context, the existing rules on public procurement fall short of protecting the public interest.

An alternative approach is required to create mechanisms of external independent oversight and mandatory standards to embed trustworthy AI requirements and to mitigate against commercial capture in the acquisition of AI solutions.

Registration: https://www.eventbrite.co.uk/e/can-procurement-promote-trustworthy-ai-and-avoid-commercial-capture-tickets-601212712407.

External oversight and mandatory requirements for public sector digital technology adoption

April 11, 2023

I thought the time would never come, but the last piece of my book project puzzle is now more or less in place. After finding that procurement is not the right regulatory actor and does not have the best tools of ‘digital regulation by contract’, in this last draft chapter, I explore how to discharge procurement of the assigned digital regulation role to increase the likelihood of effective enforcement of desirable goals of public sector digital regulation.

I argue that this should be done through two inter-related regulatory interventions consisting of developing (1) a regulator tasked with the external oversight of the adoption of digital technologies by the public sector, as well as (2) a suite of mandatory requirements binding both public entities seeking to adopt digital technologies and technology providers, and both in relation to the digital technologies to be adopted by the public sector and the applicable governance framework.

Detailed analysis of these issues would require much more extensive treatment than this draft chapter can offer. The modest goal here is simply to stress the key attributes and functions that each of these two regulatory interventions should have to make a positive contribution to governing the transition towards a new model of public digital governance. In this blog post, I summarise the main arguments.

As ever, I would be most grateful for feedback: a.sanchez-graells@bristol.ac.uk. Especially as I will now turn my attention to seeing how the different pieces of the puzzle fit together, while I edit the manuscript for submission before end of July 2023.

Institutional deficit and risk of capture

In the absence of an alternative institutional architecture (or while it is put in place), procurement is expected to develop a regulatory gatekeeping role in relation to the adoption of digital technologies by the public sector, which is in turn expected to have norm-setting and market-shaping effects across the economy. This could be seen as a way of bypassing or postponing decisions on regulatory architecture.

However, earlier analysis has shown that the procurement function is not the right institution to which to assign a digital regulation role, as it cannot effectively discharge such a duty. This highlights the existence of an institutional deficit in the process of public sector digitalisation, as well as in relation to digital technology regulation more broadly. An alternative approach to institutional design is required, and it can be delivered through the creation of a notional ‘AI in Public Sector Authority’ (AIPSA).

Earlier analysis has also shown that there are pervasive risks of regulatory capture and commercial determination of the process of public sector digitalisation stemming from reliance on standards and benchmarks created by technology vendors or by bodies heavily influenced by the tech industry. AIPSA could safeguard against such risk through controls over the process of standard adoption. AIPSA could also guard against excessive experimentation with digital technologies by creating robust controls to counteract their policy irresistibility.

Overcoming the institutional deficit through AIPSA

The adoption of digital technologies in the process of public sector digitalisation creates regulatory challenges that require external oversight, as procurement is unable to effectively regulate this process. A particularly relevant issue concerns whether such oversight should be entrusted to a new regulator (broad approach), or whether it would suffice to assign new regulatory tasks to existing regulators (narrow approach).

I submit that the narrow approach is inadequate because it perpetuates regulatory fragmentation and can lead to undesirable spillovers or knock-on effects, whether the new regulatory tasks are assigned to data protection authorities, (quasi)regulators with a ‘sufficiently close’ regulatory remit in relation with information and communications technologies (ICT) (such as eg the Agency for Digital Italy (AgID), or the Dutch Advisory Council on IT assessment (AcICT)), or newly created centres of expertise in algorithmic regulation (eg the French PEReN). Such ‘organic’ or ‘incremental’ approach to institutional development could overshadow important design considerations, as well embed biases due to the institutional drivers of the existing (quasi)regulators.

To avoid these issues, I advocate a broader or more joined up approach in the proposal for AIPSA. AIPSA would be an independent authority with the statutory function of promoting overarching goals of digital regulation, and specifically tasked with regulating the adoption and use of digital technologies by the public sector, whether through in-house development or procurement from technology providers. AIPSA would also absorb regulatory functions in cognate areas, such as the governance of public sector data, and integrate work in areas such as cyber security. It would also serve a coordinating function with the data protection authority.

In the draft chapter, I stress three fundamental aspects of AIPSA’s institutional design: regulatory coherence, independence and expertise. Independence and expertise would be the two most crucial factors. AIPSA would need to be designed in a way that ensured both political and industry independence, with the issue of political independence having particular salience and requiring countervailing accountability mechanisms. Relatedly, the importance of digital capabilities to effectively exercise a digital regulation role cannot be overemphasised. It is not only important in relation to the active aspects of the regulatory role—such as control of standard setting or permissioning or licencing of digital technology use (below)—but also in relation to the passive aspects of the regulatory role and, in particular, in relation to reactive engagement with industry. High levels of digital capability would be essential to allow AIPSA to effectively scrutinise claims from those that sought to influence its operation and decision-making, as well as reduce AIPSA’s dependence on industry-provided information.

safeguard against regulatory capture and policy irresistibility

Regulating the adoption of digital technologies in the process of public sector digitalisation requires establishing the substantive requirements that such technology needs to meet, as well as the governance requirements need to ensure its proper use. AIPSA’s role in setting mandatory requirements for public sector digitalisation would be twofold.

First, through an approval or certification mechanism, it would control the process of standardisation to neutralise risks of regulatory capture and commercial determination. Where no standards were susceptible of approval or certification, AIPSA would develop them.

Second, through a permissioning or licencing process, AIPSA would ensure that decisions on the adoption of digital technologies by the public sector are not driven by ‘policy irresistibility’, that they are supported by clear governance structures and draw on sufficient resources, and that adherence to the goals of digital regulation is sustained throughout the implementation and use of digital technologies by the public sector and subject to proactive transparency requirements.

The draft chapter provides more details on both issues.

If not AIPSA … then clearly not procurement

There can be many objections to the proposals developed in this draft chapter, which would still require further development. However, most of the objections would likely also apply to the use of procurement as a tool of digital regulation. The functions expected of AIPSA closely match those expected of the procurement function under the approach to ‘digital regulation by contract’. Challenges to AIPSA’s ability to discharge such functions would be applicable to any public buyer seeking to achieve the same goals. Similarly, challenges to the independence or need for accountability of AIPSA would be similarly applicable to atomised decision-making by public buyers.

While the proposal is necessarily imperfect, I submit that it would improve upon the emerging status quo and that, in discharging procurement of the digital regulation role, it would make a positive contribution to the governance of the transition to a new model of digital public governance.

The draft chapter is available via SSRN: Albert Sanchez-Graells, ‘Discharging procurement of the digital regulation role: external oversight and mandatory requirements for public sector digital technology adoption’.

Two roles of procurement in public sector digitalisation: gatekeeping and experimentation

March 10, 2023

In a new draft chapter for my monograph, I explore how, within the broader process of public sector digitalisation, and embroiled in the general ‘race for AI’ and ‘race for AI regulation’, public procurement has two roles. In this post, I summarise the main arguments (all sources, included for quoted materials, are available in the draft chapter).

This chapter frames the analysis in the rest of the book and will be fundamental in the review of the other drafts, so comments would be most welcome (a.sanchez-graells@bristol.ac.uk).

Public sector digitalisation is accelerating in a regulatory vacuum

Around the world, the public sector is quickly adopting digital technologies in virtually every area of its activity, including the delivery of public services. States are not solely seeking to digitalise their public sector and public services with a view to enhance their operation (internal goal), but are also increasingly willing to use the public sector and the construction of public infrastructure as sources of funding and spaces for digital experimentation, to promote broader technological development and boost national industries in a new wave of (digital) industrial policy (external goal). For example, the European Commission clearly seeks to make the ‘public sector a trailblazer for using AI’. This mirrors similar strategic efforts around the globe. The process of public sector digitalisation is thus embroiled in the broader race for AI.

Despite the fact that such dynamic of public sector digitalisation raises significant regulatory risks and challenges, well-known problems in managing uncertainty in technology regulation—ie the Collingridge dilemma or pacing problem (‘cannot effectively regulate early on, so will probably regulate too late’)—and different normative positions, interact with industrial policy considerations to create regulatory hesitation and side-line anticipatory approaches. This creates a regulatory gap —or rather a laissez faire environment—whereby the public sector is allowed to experiment with the adoption of digital technologies without clear checks and balances. The current strategy is by and large one of ‘experiment first, regulate later’. And while there is little to no regulation, there is significant experimentation and digital technology adoption by the public sector.

Despite the emergence of a ‘race for AI regulation’, there are very few attempts to regulate AI use in the public sector—with the EU’s proposed EU AI Act offering a (partial) exception—and general mechanisms (such as judicial review) are proving slow to adapt. The regulatory gap is thus likely to remain, at least partially, in the foreseeable future—not least, as the effective functioning of new rules such as the EU AI Act will not be immediate.

Procurement emerges as a regulatory gatekeeper to plug that gap

In this context, proposals have started to emerge to use public procurement as a tool of digital regulation. Or, in other words, to use the acquisition of digital technologies by the public sector as a gateway to the ‘regulation by contract’ of their use and governance. Think tanks, NGOs, and academics alike have stressed that the ‘rules governing the acquisition of algorithmic systems by governments and public agencies are an important point of intervention in ensuring their accountable use’, and that procurement ‘is a central policy tool governments can deploy to catalyse innovation and influence the development of solutions aligned with government policy and society’s underlying values’. Public procurement is thus increasingly expected to play a crucial gatekeeping role in the adoption of digital technologies for public governance and the delivery of public services.

Procurement is thus seen as a mechanism of ‘regulation by contract’ whereby the public buyer can impose requirements seeking to achieve broad goals of digital regulation, such as transparency, trustworthiness, or explainability, or to operationalise more general ‘AI ethics’ frameworks. In more detail, the Council of Europe has recommended using procurement to: (i) embed requirements of data governance to avoid violations of human rights norms and discrimination stemming from faulty datasets used in the design, development, or ongoing deployment of algorithmic systems; (ii) ‘ensure that algorithmic design, development and ongoing deployment processes incorporate safety, privacy, data protection and security safeguards by design’; (iii) require ‘public, consultative and independent evaluations of the lawfulness and legitimacy of the goal that the [procured algorithmic] system intends to achieve or optimise, and its possible effects in respect of human rights’; (iv) require the conduct of human rights impact assessments; or (v) promote transparency of the ‘use, design and basic processing criteria and methods of algorithmic systems’.

Given the absence of generally applicable mandatory requirements in the development and use of digital technologies by the public sector in relation to some or all of the stated regulatory goals, the gatekeeping role of procurement in digital ‘regulation by contract’ would mostly involve the creation of such self-standing obligations—or at least the enforcement of emerging non-binding norms, such as those developed by (voluntary) standardisation bodies or, more generally, by the technology industry. In addition to creating risks of regulatory capture and commercial determination, this approach may overshadow the difficulties in using procurement for the delivery of the expected regulatory goals. A closer look at some selected putative goals of digital regulation by contract sheds light on the issue.

Procurement is not at all suited to deliver incommensurable goals of digital regulation

Some of the putative goals of digital regulation by contract are incommensurable. This is the case in particular of ‘trustworthiness’ or ‘responsibility’ in AI use in the public sector. Trustworthiness or responsibility in the adoption of AI can have several meanings, and defining what is ‘trustworthy AI’ or ‘responsible AI’ is in itself contested. This creates a risk of imprecision or generality, which could turn ‘trustworthiness’ or ‘responsibility’ into mere buzzwords—as well as exacerbate the problem of AI ethics-washing. As the EU approach to ‘trustworthy AI’ evidences, the overarching goals need to be broken down to be made operational. In the EU case, ‘trustworthiness’ is intended to cover three requirements for lawful, ethical, and robust AI. And each of them break down into more detailed or operationalizable requirements.

In turn, some of the goals into which ‘trustworthiness’ or ‘responsibility’ breaks down are also incommensurable. This is notably the case of ‘explainability’ or interpretability. There is no such thing as ‘the explanation’ that is required in relation to an algorithmic system, as explanations are (technically and legally) meant to serve different purposes and consequently, the design of the explainability of an AI deployment needs to take into account factors such as the timing of the explanation, its (primary) audience, the level of granularity (eg general or model level, group-based, or individual explanations), or the level of risk generated by the use of the technical solution. Moreover, there are different (and emerging) approaches to AI explainability, and their suitability may well be contingent upon the specific intended use or function of the explanation. And there are attributes or properties influencing the interpretability of a model (eg clarity) for which there are no evaluation metrics (yet?). Similar issues arise with other putative goals, such as the implementation of a principle of AI minimisation in the public sector.

Given the way procurement works, it is ill-suited for the delivery of incommensurable goals of digital regulation.

Procurement is not well suited to deliver other goals of digital regulation

There are other goals of digital regulation by contract that are seemingly better suited to delivery through procurement, such as those relating to ‘technical’ characteristics such as neutrality, interoperability, openness, or cyber security, or in relation to procurement-adjacent algorithmic transparency. However, the operationalisation of such requirements in a procurement context will be dependent on a range of considerations, such as judgements on the need to keep information confidential, judgements on the state of the art or what constitutes a proportionate and economically justified requirement, the generation of systemic effects that are hard to evaluate within the limits of a procurement procedure, or trade-offs between competing considerations. The extent to which procurement will be able to operationalise the desired goals of digital regulation will depend on its institutional embeddedness and on the suitability of procurement tools to impose specific regulatory approaches. Additional analysis conducted elsewhere (see here and here) suggests that, also in relation to these regulatory goals, the emerging approach to AI ‘regulation by contract’ cannot work well.

Procurement digitalisation offers a valuable case study

The theoretical analysis of the use of procurement as a tool of digital ‘regulation by contract’ (above) can be enriched and further developed with an in-depth case study of its practical operation in a discrete area of public sector digitalisation. To that effect, it is important to identify an area of public sector digitalisation which is primarily or solely left to ‘regulation by contract’ through procurement—to isolate it from the interaction with other tools of digital regulation (such as data protection, or sectoral regulation). It is also important for the chosen area to demonstrate a sufficient level of experimentation with digitalisation, so that the analysis is not a mere concretisation of theoretical arguments but rather grounded on empirical insights.

Public procurement is itself an area of public sector activity susceptible to digitalisation. The adoption of digital tools is seen as a potential source of improvement and efficiency in the expenditure of public funds through procurement, especially through the adoption of digital technology solutions developed in the context of supply chain management and other business operations in the private sector (or ‘ProcureTech’), but also through the adoption of digital tools tailored to the specific goals of procurement regulation, such as the prevention of corruption or collusion. There is emerging evidence of experimentation in procurement digitalisation, which is shedding light on regulatory risks and challenges.

In view of its strategic importance and the current pace of procurement digitalisation, it is submitted that procurement is an appropriate site of public sector experimentation in which to explore the shortcomings of the approach to AI ‘regulation by contract’. Procurement is an adequate case study because, being a ‘back-office’ function, it does not concern (likely) high-risk uses of AI or other digital technologies, and it is an area where data protection regulation is unlikely to provide a comprehensive regulatory framework (eg for decision automation) because the primary interactions are between public buyers and corporate institutions.

Procurement therefore currently represents an unregulated digitalisation space in which to test and further explore the effectiveness of the ‘regulation by contract’ approach to governing the transition to a new model of digital public governance.

* * * * * *

The full draft is available on SSRN as: Albert Sanchez-Graells, ‘The two roles of procurement in the transition towards digital public governance: procurement as regulatory gatekeeper and as site for public sector experimentation’ (March 10, 2023): https://ssrn.com/abstract=4384037.

Procurement centralisation, digital technologies and competition (new working paper)

March 2, 2023

I have just uploaded on SSRN the new working paper ‘Competition Implications of Procurement Digitalisation and the Procurement of Digital Technologies by Central Purchasing Bodies’, which I will present at the conference on “Centralization and new trends" to be held at the University of Copenhagen on 25-26 April 2023 (there is still time to register!).

The paper builds on my ongoing research on digital technologies and procurement governance, and focuses on the interaction between the strategic goals of procurement centralisation and digitalisation set by the European Commission in its 2017 public procurement strategy.

The paper identifies different ways in which current trends of procurement digitalisation and the challenges in procuring digital technologies push for further procurement centralisation. This is in particular to facilitate the extraction of insights from big data held by central purchasing bodies (CPBs); build public sector digital capabilities; and boost procurement’s regulatory gatekeeping potential. The paper then explores the competition implications of this technology-driven push for further procurement centralisation, in both ‘standard’ and digital markets.

The paper concludes by stressing the need to bring CPBs within the remit of competition law (which I had already advocated eg here), the opportunity to consider allocating CPB data management to a separate competent body under the Data Governance Act, and the related need to develop an effective system of mandatory requirements and external oversight of public sector digitalisation processes, specially to constrain CPBs’ (unbridled) digital regulatory power.

The full working paper reference is: A Sanchez-Graells, Albert, ‘Competition Implications of Procurement Digitalisation and the Procurement of Digital Technologies by Central Purchasing Bodies’ (March 2, 2023), Available at SSRN: https://ssrn.com/abstract=4376037. As always, any feedback most welcome: a.sanchez-graells@bristol.ac.uk.

Procurement tools for AI regulation by contract. Not the sharpest in the shed

February 24, 2023

I continue exploring the use of public procurement as a tool of digital regulation (or ‘AI regulation by contract’ as shorthand)—ie as a mechanism to promote transparency, explainability, cyber security, ethical and legal compliance leading to trustworthiness, etc in the adoption of digital technologies by the public sector.

After analysing procurement as a regulatory actor, a new draft chapter for my book project focuses on the procedural and substantive procurement tools that could be used for AI regulation by contract, to assess their suitability for the task.

The chapter considers whether procurement could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators. The chapter stresses how the need to prevent a transfer or delegation (ie a privatisation) of regulatory decisions as a result of the operation of the procurement rules is crucial, as technology providers are the primary target in proposals to use procurement for digital regulation by contract. In this post, I summarise the main arguments and insights in the chapter. As always, any feedback will be most warmly received: a.sanchez-graells@bristol.ac.uk.

Background

A first general consideration is that using procurement as a tool of digital regulation requires high levels of digital and commercial skills to understand the technologies being procured and the processes influencing technological design and deployment (as objects of regulation), and the procurement rules themselves (as regulatory tools). Gaps in those capabilities will jeopardise the effectiveness of using procurement as a tool of AI regulation by contract, beyond the limitations and constraints deriving from the relevant legal framework. However, to assess the (abstract) potential of procurement as a regulatory tool, it is worth distinguishing between practical and legal challenges, and to focus on legal challenges that would be present at all levels of public buyer capability.

A second general consideration is that this use of procurement could be seen as either a tool of ‘command and control’ regulation, or a tool of responsive regulation. In that regard, while there can be some space for a ‘command and control’ use of procurement as a tool of digital regulation, in the absence of clear (rules-based) regulatory benchmarks and legally-established mandatory requirements, the responsive approach to the use of procurement as a tool to enforce self-regulatory mechanisms seems likely to be predominant —in the sense that procurement requirements are likely to focus on the tenderers’ commitment to sets of practices and processes seeking to deliver (to the largest possible extent) the relevant regulatory attributes by reference to (technical) standards.

For example, it is hard to imagine the imposition of an absolute requirement for a digital solution to be ‘digitally secure’. It is rather more plausible for the tender and contract to seek to bind the technology provider to practices and procedures seeking to ensure high levels of cyber security (by reference to some relevant metrics, where they are available), as well as protocols and mechanisms to anticipate and react to any (potential) security breaches. The same applies to other desirable regulatory attributes in the procured digital technologies, such as transparency or explainability—which will most likely be describable (or described) by reference to technical standards and procedures—or to general principles, such as ethical or trustworthy AI, also requiring proceduralised implementation. In this context, procurement could be seen as a tool to promote co-regulation or (responsible) self-regulation both at tenderer and industry level, eg in relation to the development of ethical or trustworthy AI.

Against this background, it is relevant to focus on whether procurement tools could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators—ie operating as an effective tool of (responsive) meta-regulation. The analysis below takes a cradle-to-grave approach and focuses on the tools available at the phases of tender preparation and design, tender execution, and contract design and implementation. The analysis is based on EU procurement law, but the functional insights are broadly transferable to other systems.

Tender preparation and design

A public buyer seeking to use procurement as a tool of digital regulation faces an unavoidable information asymmetry. To try to reduce it, the public buyer can engage in a preliminary market consultation to obtain information on eg different technologies or implementation possibilities, or to ‘market-test’ the level of regulatory demand that could be met by existing technology providers. However, safeguards to prevent the use of preliminary market consultations to advantage specific technology providers through eg disclosure of exchanged information, as well as the level of effort required to participate in (detailed) market consultations, raise questions as to their utility to extract information in markets where secrecy is valued (as is notoriously the case of digital technology markets—see discussions on algorithmic secrecy) and where economic operators may be disinclined (or not have the resources) to provide ‘free consultancy’. Moreover, in this setting and given the absence of clear standards or industry practices, there is a heightened risk of capture in the interaction between the public buyer and potential technology providers, with preliminary market consultations not being geared for broader public consultation facilitating the participation of non-market agents (eg NGOs or research institutions). Overall, then, preliminary market consultations may do little to reduce the public buyer’s information asymmetry, while creating significant risks of capture leading to impermissible (discriminatory) procurement practices. They are thus unlikely to operate as an adequate tool to support regulation by contract.

Relatedly, a public buyer facing uncertainty as to the existing off-the-shelf offering and the level of adaptation, innovation or co-production required to otherwise achieve the performance sought in the digital technology procurement, faces a difficult choice of procurement procedure. This is a sort of chicken and egg problem, as the less information the public buyer has, the more difficult it is to choose an adequate procedure, but the choice of the procedure has implications on the information that the public buyer can extract. While the theoretical expectation could be that the public buyer would opt for a competitive dialogue or innovation partnership, as procedures targeted at this type of procurement, evidence of EU level practice shows that public buyers have a strong preference for competitive procedures with negotiations. The use of this procedure exposes the public buyer to direct risks of commercial capture (especially where the technology provider has more resources or the upper hand in negotiations) and the safeguards foreseen in EU law (ie the setting of non-negotiable minimum requirements and award criteria) are unlikely to be effective, as public buyers have a strong incentive to avoid imposing excessively demanding minima to avoid the risk of cancellation and retendering if no technology provider is capable (or willing) to meet them.

In addition, the above risks of commercial capture can be exacerbated when technology providers make exclusivity claims over the technological solutions offered, which could unlock the use of a negotiated procedure without prior publication—on the basis of absence of competition due to technical reasons, or due to the need to protect seclusive rights, including intellectual property rights. While the legal tests to access this negotiated procedure are in principle strict, the public buyer can have the wrong incentives to push through while at the same time controlling some of the safeguarding mechanisms (eg transparency of the award, or level of detail in the relevant disclosure). Similar issues arise with the possibility to creatively structure remuneration under some of these contracts to keep them below regulatory thresholds (eg by ‘remunerating in data’).

In general, this shows that the phase of tender preparation and design is vulnerable to risks of regulatory capture that are particularly relevant when the public buyer is expected to develop a regulatory role in disciplining the behaviour of the industry it interacts with. This indicates that existing flexible mechanisms of market engagement can be a source of regulatory risk, rather than a useful set of regulatory tools.

Tender execution

A public buyer seeking to use procurement as a tool of digital regulation could do so through the two main decisions of tenderer selection and tender evaluation. The expectation is that these are areas where the public buyer can exercise elements of ‘command and control’, eg through tenderer exclusion decisions as well as by setting demanding qualitative selection thresholds, or through the setting of mandatory technical specifications and the use of award constraints.

Tenderer selection

The public buyer could take a dual approach. First, to exclude technology providers with a previous track record of activity falling short of the relevant regulatory goals. Second, to incentivise or recompense high levels of positive commitment to the regulatory goals. However, both approaches present challenges.

First, the use of exclusion grounds would require clearly setting out in the tender documentation which types of digital-governance activities are considered to amount to ‘grave professional misconduct, which renders [the technology provider’s] integrity questionable’, and to reserve the possibility to exclude on grounds of ‘poor past performance’ linked to digital regulation obligations. In the absence of generally accepted standards of conduct and industry practices, and in a context of technological uncertainty, making this type of determinations can be difficult. Especially if the previous instance of ‘untrustworthy’ behaviour is being litigated or could (partially) be attributed to the public buyer under the previous contract. Moreover, a public buyer cannot automatically rely on the findings of another one, as the current EU rules require each contracting authority to come to its own view on the reliability of the economic operator. This raises the burden of engaging with exclusion based on these grounds, which may put some public buyers off, especially if there are complex technical questions on the background. Such judgments may require a level of expertise and available resources exceeding those of the public buyer, which could eg justify seeking to rely on third party certification instead.

Relatedly, it will be difficult to administer such tenderer screening to systems through the creation of lists of approved contractors or third-party certification (or equivalent mechanisms, such as dynamic purchasing systems administered by a central purchasing body, or quality assurance certification). In all cases, the practical difficulty will be that the public buyer will either see its regulatory function conditioned or precluded by the (commercially determined) standards underlying third-party certification, or face a significant burden if it seeks to directly scrutinise economic operators otherwise. The regulatory burden will to some extent be unavoidable because all the above-mentioned mechanisms foresee that (in some circumstances) economic operators that do not have access to the relevant certification or are under no obligation to register in the relevant list must be given the opportunity to demonstrate that they meet the relevant (substantive) qualitative selection criteria by other (equivalent) means.

There will also be additional challenges in ensuring that the relevant vetting of economic operators is properly applied where the digital technology solution relies on a long (technical) supply chain or assemblage, without this necessarily involving any (formal) relationship or subcontracting between the technology provider to be contracted and the developers of parts of the technical assemblage. This points at the significant burden that the public buyer may have to overcome in seeking to use qualitative selection rules to ‘weed out’ technology providers which (general, or past) behaviour is not aligned with the overarching regulatory goals.

Second, a more proactive approach that sought to go beyond exclusion or third-party certification to eg promote adherence to voluntary codes of conduct, or to require technology providers to justify how they eg generally ‘contribute to the development and deployment of trustworthy digital technologies’, would also face significant difficulties. Such requirements could be seen as unjustified and/or disproportionate, leading to an infringement of EU procurement law. They could also be altogether pre-empted by future legislation, such as the proposed EU AI Act.

Tender evaluation

As mentioned above, the possibility of setting demanding technical specifications and minimum requirements for tender evaluation through award constraints in principle seem like suitable tools of digital regulation. The public buyer could focus on the technical solutions and embedding the desired regulatory attributes (eg transparency, explainability, cyber security) and regulatory checks (on data and technology governance, eg in relation to open source code or interoperability, as well as in relation to ethical assessments) in the technical specifications. Award criteria could generate (further) incentives for regulatory performance, perhaps beyond the minimum mandatory baseline. However, this is far from uncomplicated.

The primary difficulty in using technical specifications as a regulatory tool relates to the challenge of clearly specifying the desired regulatory attributes. Some or most of the desired technological attributes are difficult to observe or measure, the processes leading to their promotion are not easy to establish, the outcomes of those processes are not binary and determining whether a requirement has been met cannot be subject to strict rules, but rather to (yet to be developed) technical standards with an unavoidable degree of indefinition, which may also be susceptible of iterative application in eg agile methods, and thus difficult to evaluate at tender stage. Moreover, the desired attributes can be in conflict between themselves and/or with the main functional specifications for the digital technology deployment (eg the increasingly clear unavoidable trade-off between explainability and accuracy in some AI technologies). This issue of the definitional difficulties and the incommensurability of some or most of the regulatory goals also relates to the difficulty of establishing minimum technical requirements as an award constraint—eg to require that no contract is awarded unless the tender reaches a specific threshold in the technical evaluation in relation to all or selected requirements (eg explainability). While imposing minimum technical requirements is permitted, it is difficult to design a mechanism to quantify or objectify the evaluation of some of the desired technological attributes, which will necessarily require a complex assessment. Such assessment cannot be conducted in such a way that the public buyer has an unrestricted freedom of choice, which will require clarifying the criteria and the relevant thresholds that would justify rejecting the tender. This could become a significant sticking point.

Designing technical specifications to capture whether a digital technology is ‘ethical’ or ‘trustworthy’ seems particularly challenging. These are meta-attributes or characteristics that refer to a rather broad set of principles in the design of the technology, but also of its specific deployment, and tend to proceduralise the taking into account of relevant considerations (eg which impact will the deployment have on the population affected). Additionally, in some respects, the extent to which a technological deployment will be ethical or trustworthy is out of the hands of the technology provider (eg may depend on decisions of the entity adopting the technology, eg on how it is used), and in some aspects it depends on specific decisions and choices made during contract implementation. This could make it impossible to verify at the point of the tender whether the end result will or not meet the relevant requirements—while including requirements that cannot be effectively verified prior to award would most likely breach current legal limits.

A final relevant consideration is that technical specifications cannot be imposed in a prescriptive manner, with technology providers having to be allowed to demonstrate compliance by equivalence. This limits the potential prescriptiveness of the technical specifications that can be developed by the public buyer, at least in relation to some of the desired technological attributes, which will always be constrained by their nature of standards rather than rules (or metrics) and the duty to consider equivalent modes of compliance. This erodes the practical scope of using technical specifications as regulatory instruments.

Relatedly, the difficulties in using award criteria to pursue regulatory goals stem from difficulties in the operationalisation of qualitative criteria in practice. First, there is a set of requirements on the formulation of award criteria that seek to avoid situations of unrestricted freedom of choice for the public buyer. The requirements tend to require a high level of objectivity, including in the structuring of award criteria of a subjective nature. In that regard, in order to guarantee an objective comparison and to eliminate the risk of arbitrary treatment, recent case law has been clear that award criteria intended to measure the quality of the tenders must be accompanied by indications which allow a sufficiently concrete comparative assessment between tenders, especially where the quality carries most of the points that may be allocated for the purposes of awarding the tender.

In part, the problem stems from the absence of clear standards or benchmarks to be followed in such an assessment, as well as the need to ensure the possibility of alternative compliance (eg with labels). This can be seen, for example, in relation to explainability. It would not suffice to establish that the solutions need to be explainable or to use explainability as an award criterion without more. It would be necessary to establish sub-criteria, such as eg ‘the solution needs to ensure that an individualised explanation for every output is generated’ (ie requiring local explainability rather than general explainability of the model). This would still need to be further specified, as to what type of explanation and containing which information, etc. The difficulty is that there are multiple approaches to local explainability and that most of them are contested, as is the general approach to post hoc explanations in itself. This puts the public buyer in the position of having to solve complex technical and other principled issues in relation to this award criterion alone. In the absence of standard methodologies, this is a tall order that can well make the procedure inviable or not used (with clear parallels to eg the low uptake of life-cycle costing approaches). However, the development of such methodologies parallels the issues concerning the development of technical standards. Once more, when such standards, benchmarks or methodologies emerge, reliance on them can thus (re)introduce risks of commercial determination, depending on how they are set.

Contract design and implementation

Given the difficulties in using qualitative selection, technical specifications and award criteria to embed regulatory requirements, it is possible that they are pushed to to the design of the contract and, in particular, to their treatment as contract performance conditions, in particular to create procedural obligations seeking to maximise attainment of the relevant regulatory goals during contract implementation (eg to create specific obligations to test, audit or upgrade the technological solution in relation to specific regulatory goals, with cyber security being a relatively straightforward one), or to pass on, ‘back-to-back’, mandatory obligations where they result from legislation (eg to impose transparency obligations, along the lines of the model standard clauses for AI procurement being developed at EU level).

In addition to the difficulty inherent in designing the relevant mechanisms of contractualised governance, a relevant limitation of this approach to embedding (self-standing) regulatory requirements in contract compliance clauses is that recent case law has made clear that ‘compliance with the conditions for the performance of a contract is not to be assessed when a contract is awarded’. Therefore, at award stage, all that can be asked is for technology providers to commit to such requirements as (future) contractual obligations—which creates the risk of awarding the contract to the best liar.

More generally, the effectiveness of contract performance clauses will depend on the contractual remedies attached to them and, in relation to some of the desirable attributes of the technologies, it can well be that there are no adequate contractual remedies or that the potential damages are disproportionate to the value of the contract. There will be difficulties in their use where obligations can be difficult to specify, where negative outputs and effects are difficult to observe or can only be observed with delay, and where contractual remedies are inadequate. It should be stressed that the embedding of regulatory requirements as contract performance clauses can have the effect of converting non-compliance into (mere) money claims against the technology provider. And, additionally, that contractual termination can be complicated or require a significant delay where the technological deployment has created operational dependency that cannot be mitigated in the short or medium term. This does not seem necessarily aligned with the regulatory gatekeeping role expected of procurement, as it can be difficult to create the adequate financial incentives to promote compliance with the overarching regulatory goals in this way—by contrast with, for example, the possibility of sanctions imposed by an independent regulator.

Conclusion

The analysis has stressed those areas where the existing rules prevent the imposition of rigid regulatory requirements or demands for compliance with pre-specified standards (to the exclusion of alternative ones), and those areas where the flexibility of the rules generates heightened risks of regulatory capture and commercial determination of the regulatory standards. Overall, this shows that it is either not easy or at all possible to use procurement tools to embed regulatory requirements in the tender procedure and in public contracts, or that those tools are highly likely to end up being a conduit for the direct or indirect application of commercially determined standards and industry practices.

This supports the claim that using procurement for digital regulation purposes will either be highly ineffective or, counterintuitively, put the public buyer in a position of rule-taker rather than rule-setter and market-shaper—or perhaps both. In the absence of non-industry led standards and requirements formulated eg by an independent regulator, on which procurement tools could be leveraged, each public buyer would either have to discharge a high (and possibly excessive) regulatory burden, or be exposed to commercial capture. This provides the basis for an alternative approach. The next step in the research project will thus be to focus on such mandatory requirements as part of a broader proposal for external oversight of the adoption of digital technologies by the public sector.

Regulating public and private interactions in public sector digitalisation through procurement

February 8, 2023

As discussed in previous entries in this blog (see here, here, here, here or here), public procurement is progressively being erected as the gatekeeper of the public interest in the process of digital technology adoption by the public sector, and thus positioned as digital technology regulator—especially in the EU and UK context.

In this gatekeeping role, procurement is expected to ensure that the public sector only acquires and adopts trustworthy technologies, and that (private) technology providers adhere to adequate technical, legal, and ethical standards to ensure that this is the case. Procurement is also expected to operate as a lever for the propagation of (soft) regulatory tools, such as independently set technical standards or codes of conduct, to promote their adoption and harness market dynamics to generate effects beyond the public sector (ie market-shaping). Even further, where such standards are not readily available or independently set, the procurement function is expected to formulate specific (contractual) requirements to ensure compliance with the overarching regulatory goals identified at higher levels of policymaking. The procurement function is thus expected to leverage the design of public tenders and public contracts as tools of digital technology regulation to plug the regulatory gap resulting from the absence of binding (legal) requirements. This is a tall order.

Analysing this gatekeeping role and whether procurement can adequately perform it is the focus of the last part of my current research project. In this latest draft book chapter, I focus on an analysis of the procurement function as a regulatory actor. The following chapter will focus on an analysis of procurement rules on the design of tender procedures and some elements of contractual design as regulatory tools. Combined, the analyses will shed light on the unsuitability of procurement to carry out this gatekeeping role in the absence of minimum mandatory requirements and external oversight, which will also be explored in detail in later chapters. This draft book chapter is giving me a bit of a hard time and some of the ideas there are still slightly tentative, so I would more than ever welcome any and all feedback.

In ‘Regulating public and private interactions in public sector digitalisation through procurement: the clash between agency and gatekeeping logics’, my main argument is that the proposals to leverage procurement to regulate public sector digitalisation, which seek to use public sector market power and its gatekeeping role to enforce standards of technological regulation by embedding them in public contracts, are bound to generate significant dysfunction due to a break in regulatory logic. That regulatory logic results from an analysis of the procurement function from an agency theory and a gatekeeping theory perspective, which in my view evidence the impossibility for procurement to carry out conflicting roles. To support this claim, I explore: 1) the position of the procurement function amongst the public and private actors involved in public sector digitalisation; 2) the governance implications of the procurement function’s institutional embeddedness; and 3) the likely (in)effectiveness of public contracts in disciplining private and public behaviour, as well as behaviour that is mutually influenced or coproduced by public and private actors during the execution of public contracts.

My analysis finds that, in the regulation of public-private interactions, the regulatory logic underpinning procurement is premised on the existence of a vertical relationship between the public buyer and (potential) technology providers and an expectation of superiority of the public buyer, which is thus (expected to be) able to dictate the terms of the market interaction (through tender requirements), to operate as gatekeeper (eg by excluding potential providers that fall short of pre-specified standards), and to dictate the terms of the future contract (eg through contract performance clauses with a regulatory component). This regulatory logic hits obvious limitations when the public buyer faces potential providers with market power, an insufficient offer of (regulated) goods and services, or significant information asymmetries, which result in a potential ‘weak public buyer’ problem. Such problem has generally been tried to be addressed through procurement centralisation and upskilling of the (centralised) procurement workforce, but those measures create additional governance challenges (especially centralisation) and are unlikely to completely re-establish the balance of power required for the effective regulation by contract of public sector digitalisation, as far as the provider side is concerned.

Parking the ‘weak public buyer’ problem, my analysis then focuses on the regulation of public-public interactions between the adopting public sector entity and the procurement function. I separate them for the purposes of the analysis, to point out that at theoretical level, there is a tension between the expectations of agency and gatekeeping theories in this context. While both of them conceptualise the relationship as vertical, they operate on an opposite understanding of who holds a predominant position. Under agency theory, the public buyer is the agent and thus subject to the instructions of the public entity that will ultimately adopt the digital technology. Conversely, under gatekeeping theory, the public buyer is the (independent) guarantor of a set of goals or attributes in public sector digitalisation projects and is thus tasked with ensuring compliance therewith. This would place the public buyer in a position of (functional) superiority, in that it would (be expected to) be able to dictate (some of) the terms of the technological adoption. This conflict in regulatory logics creates a structural conflict of interest for the procurement function as both agent and gatekeeper.

The analysis then focuses on how the institutional embeddedness of procurement exacerbates this problem. Where the procurement function is embedded in the same administrative unit or entity that is seeking to adopt the technology, it is subjected to hierarchical governance and thus lacks the independence required to carry out the gatekeeping role. Similarly, where the procurement function is separate (eg in the case of centralised or collaborative procurement), in the absence of mandatory requirements (eg to use the centralised procurement vehicle), the adopting public entity retains discretion whether to subject itself to the (gatekeeper) procurement function or to carry out its own procurement. Moreover, even when it uses centralised procurement vehicles, it tends to retain discretion (eg on the terms of mini-competitions or for the negotiation of some contractual clauses), which also erodes the position of the procurement function to effectively carry out its gatekeeping role.

On the whole, the procurement function is not in a good position to discipline the behaviour of the adopting public entity and this creates another major obstacle to the effectiveness of the proposed approach to the regulation by contract of public sector digitalisation. This is exacerbated by the fact that the adopting public entity will be the principal of the regulatory contract with the (chosen) technology provider, which means that the contractual mechanisms designed to enforce regulatory goals will be left to interpretation and enforcement by those actors whose behaviour it seeks to govern.

In such decentred interactions, procurement lacks any meaningful means to challenge deviations from the contract that are in the mutual interest of both the adopting entity and the technology provider. The emerging approach to regulation by contract cannot properly function where the adopting public entity is not entirely committed to maximising the goals of digital regulation that are meant to be enforced by contract, and where the public contractor has a concurring interest in deviating from those goals by reducing the level of demand of the relevant contractual clauses. In the setting of digital technology regulation, this seems a likely common case, especially if we consider that the main regulatory goals (eg explainability, trustworthiness) are open-ended and thus the question is not whether the goals in themselves are embraced in abstracto by the adopting entity and the technology provider, but the extent to which effective (and costly or limiting) measures are put in place to maximise the realisation of such goals. In this context, (relational) contracts seem inadequate to prevent behaviour (eg shirking) that is the mutual interest of the contractual parties.

This generates what I label as a ‘two-sided gatekeeping’ challenge. This challenge encapsulates the difficulties for the procurement function to effectively influence regulatory outcomes where it needs to discipline both the behaviour of technology providers and adopting entities, and where contract implementation depends on the decentred interaction of those two agents with the procurement function as a (toothless) bystander.

Overall, then, the analysis shows that agency and gatekeeping theory point towards a disfunction in the leveraging of procurement to regulate public sector digitalisation by contract. There are two main points of tension or rupture with the regulatory logic. First, the regulatory approach cannot effectively operate in the absence of a clear set of mandatory requirements to bind the discretion of the procurement function during the tendering and contract formation phase, as well as the discretion of the adopting public entity during contract implementation phase, and which are also enforceable on the technology provider regardless of the terms of the contract. Second, the regulatory approach cannot effectively operate in the absence of an independent actor capable of enforcing those standards and monitoring continuous compliance during the lifecycle of technological adoption and use by the public sector entity. As things stand, the procurement function is affected by structural and irresolvable conflicts between its overlaid roles. Moreover, even if the procurement function was not caught by the conflicting logics and requirements of agency and gatekeeping (eg as a result of the adoption of the mandatory requirements mentioned above), it would still not be in an adequate position to monitor and discipline the behaviour of the adopting public entity—and, relatedly, of the technology provider—after the conclusion of the procurement phase.

The regulatory analysis thus points to the need to discharge the procurement function from its newest gatekeeping role, to realign it with agency theory as appropriate. This would require both the enactment of mandatory requirements and the subjection to external oversight of the process of technological adoption by the public sector. This same conclusion will be further supported by an analysis of the limitations of procurement law to effectively operate as a regulatory tool, which will be the focus of the next chapter in the book.

Some further thoughts on setting procurement up to fail in 'AI regulation by contract'

January 27, 2023

The next bit of my reseach project concerns the leveraging of procurement to achieve ‘AI regulation by contract’ (ie to ensure in the use of AI by the public sector: trustworthiness, safety, explainability, human rights compliance, legality especially in data protection terms, ethical use, etc), so I have been thinking about it for the last few weeks to build on my previous views (see here).

In this post, I summarise my further thoughts — which have been prompted by the rich submissions to the House of Commons Science and Technology Committee [ongoing] inquiry on the ‘Governance of Artificial Intelligence’.

Let’s do it via procurement

As a starting point, it is worth stressing that the (perhaps unsurprising) increasingly generalised position is that procurement has a key role to play in regulating the adoption of digital technologies (and AI in particular) by the public sector—which consolidates procurement’s gatekeeping role in this regulatory space (see here).

More precisely, the generalised view is not that procurement ought to play such a role, but that it can do so (effectively and meaningfully). ‘AI regulation by contract’ via procurement is seen as an (easily?) actionable policy and governance mechanism despite the more generalised reluctance and difficulties in regulating AI through general legislative and policy measures, and in creating adequate governance architectures (more below).

This is very clear in several submissions to the ongoing Parliamentary inquiry (above). Without seeking to be exhaustive (I have read most, but not all submissions yet), the following points have been made in written submissions (liberally grouped by topics):

Procurement as (soft) AI regulation by contract & ‘Market leadership’

‘Procurement processes can act as a form of soft regulation … Government should use its purchasing power in the market to set procurement requirements that ensure private companies developing AI for the public sector address public standards. ’ (Committee on Standards in Public Life, at [25]-[26], emphasis added).
‘For public sector AI projects, two specific strategies could be adopted [to regulate AI use]. The first … is the use of strategic procurement. This approach utilises government funding to drive change in how AI is built and implemented, which can lead to positive spill-over effects in the industry’ (Oxford Internet Institute, at 5, emphasis added).
‘Responsible AI Licences (“RAILs”) utilise the well-established mechanisms of software and technology licensing to promote self-governance within the AI sector. RAILs allow developers, researchers, and companies to publish AI innovations while specifying restrictions on the use of source code, data, and models. These restrictions can refer to high-level restrictions (e.g., prohibiting uses that would discriminate against any individual) as well as application-specific restrictions (e.g., prohibiting the use of a facial recognition system without consent) … The adoption of such licenses for AI systems funded by public procurement and publicly-funded AI research will help support a pro-innovation culture that acknowledges the unique governance challenges posed by emerging AI technologies’ (Trustworthy Autonomous Systems Hub, at 4, emphasis added).

Procurement and AI explainability

‘public bodies will need to consider explainability in the early stages of AI design and development, and during the procurement process, where requirements for transparency could be stipulated in tenders and contracts’ (Committee on Standards in Public Life, at [17], emphasis added).
‘In the absence of strong regulations, the public sector may use strategic procurement to promote equitable and transparent AI … mandating various criteria in procurement announcements and specifying design criteria, including explainability and interpretability requirements. In addition, clear documentation on the function of a proposed AI system, the data used and an explanation of how it works can help. Beyond this, an approved vendor list for AI procurement in the public sector is useful, to which vendors that agree to meet the defined transparency and explainability requirements may be added’ (Oxford Internet Institute, at 2, referring to K McBride et al (2021) ‘Towards a Systematic Understanding on the Challenges of Procuring Artificial Intelligence in the Public Sector’, emphasis added).

Procurement and AI ethics

‘For example, procurement processes should be designed so products and services that facilitate high standards are preferred and companies that prioritise ethical practices are rewarded. As part of the commissioning process, the government should set out the ethical principles expected of companies providing AI services to the public sector. Adherence to ethical standards should be given an appropriate weighting as part of the evaluation process, and companies that show a commitment to them should be scored more highly than those that do not (Committee on Standards in Public Life, at [26], emphasis added).

Procurement and algorithmic transparency

‘… unlike public bodies, the private sector is not bound by the same safeguards – such as the Public Sector Equality Duty within the Equality Act 2010 (EA) – and is able to shield itself from criticisms regarding transparency behind the veil of ‘commercial sensitivity’. In addition to considering the private company’s purpose, AI governance itself must cover the private as well as public sphere, and be regulated to the same, if not a higher standard. This could include strict procurement rules – for example that private companies need to release certain information to the end user/public, and independent auditing of AI systems’ (Liberty, at [20]).
‘… it is important that public sector agencies are duly empowered to inspect the technologies they’re procuring and are not prevented from doing so by the intellectual property rights. Public sector buyers should use their purchasing power to demand access to suppliers’ systems to test and prove their claims about, for example, accuracy and bias’ (BILETA, at 6).

Procurement and technical standards

‘Standards hold an important role in any potential regulatory regime for AI. Standards have the potential to improve transparency and explainability of AI systems to detail data provenance and improve procurement requirements’ (Ada Lovelace Institute, at 10)
‘The speed at which the technology can develop poses a challenge as it is often faster than the development of both regulation and standards. Few mature standards for autonomous systems exist and adoption of emerging standards need to be encouraged through mechanisms such as regulation and procurement, for example by including the requirement to meet certain standards in procurement specification’ (Royal Academy of Engineering, at 8).

Can procurement do it, though?

Implicit in most views about the possibility of using procurement to regulate public sector AI adoption (and to generate broader spillover effects through market-based propagation mechanisms) is an assumption that the public buyer does (or can get to) know and can (fully, or sufficiently) specify the required standards of explainability, transparency, ethical governance, and a myriad other technical requirements (on auditability, documentation, etc) for the use of AI to be in the public interest and fully legally compliant. Or, relatedly, that such standards can (and will) be developed and readily available for the public buyer to effectively refer to and incorporate them into its public contracts.

This is a BIG implicit assumption, at least in relation with non trivial/open-ended proceduralised requirements and in relation to most of the complex issues raised by (advanced) forms of AI deployment. A sobering and persuasive analysis has shown that, at least for some forms of AI (based on neural networks), ‘it appears unlikely that anyone will be able to develop standards to guide development and testing that give us sufficient confidence in the applications’ respect for health and fundamental rights. We can throw risk management systems, monitoring guidelines, and documentation requirements around all we like, but it will not change that simple fact. It may even risk giving us a false sense of confidence’ [H Pouget, ‘The EU’s AI Act Is Barreling Toward AI Standards That Do Not Exist’ (Lawfare.com, 12 Jan 2023)].

Even for less complex AI deployments, the development of standards will be contested and protracted. This not only creates a transient regulatory gap that forces public buyers to ‘figure it out’ by themselves in the meantime, but can well result in a permanent regulatory gap that leaves procurement as the only safeguard (on paper) in the process of AI adoption in the public sector. If more general and specialised processes of standard setting are unlikely to plug that gap quickly or ever, how can public buyers be expected to do otherwise?

seriously, can procurement do it?

Further, as I wrote in my own submission to the Parliamentary inquiry, ‘to effectively regulate by contract, it is at least necessary to have (i) clarity on the content of the obligations to be imposed, (ii) effective enforcement mechanisms, and (iii) public sector capacity to establish, monitor, and enforce those obligations. Given that the aim of regulation by contract would be to ensure that the public sector only adopts trustworthy AI solutions and deploys them in a way that promotes the public interest in compliance with existing standards of protection of fundamental and individual rights, exercising the expected gatekeeping role in this context requires a level of legal, ethical, and digital capability well beyond the requirements of earlier instances of regulation by contract to eg enforce labour standards’ (at [4]).

Even optimistically ignoring the issues above and adopting the presumption that standards will emerge or the public buyer will be able to (eventually) figure it out (so we park requirement (i) for now), and also assuming that the public sector will be able to develop the required level of eg digital capability (so we also park (iii), but see here)), does however not overcome other obstacles to leveraging procurement for ‘AI regulation by contract’. In particular, it does not address the issue of whether there can be effective enforcement mechanisms within the contractual relationship resulting from a procurement process to impose compliance with the required standards (of explainability, transparency, ethical use, non-discrimination, etc).

I approach this issue as the challenge of enforcing not entirely measurable contractual obligations (ie obligations to comply with a contractual standard rather than a contractual rule), and the closest parallel that comes to my mind is the issue of enforcing quality requirements in public contracts, especially in the provision of outsourced or contracted-out public services. This is an issue on which there is a rich literature (on ‘regulation by contract’ or ‘government by contract’).

Quality-related enforcement problems relate to the difficulty of using contract law remedies to address quality shortcomings (other than perhaps price reductions or contractual penalties where those are permissible) that can do little to address the quality issues in themselves. Major quality shortcomings could lead to eg contractual termination, but replacing contractors can be costly and difficult (especially in a technological setting affected by several sources of potential vendor and technology lock in). Other mechanisms, such as leveraging past performance evaluations to eg bar access to future procurements can also do too little too late to control quality within a specific contract.

An illuminating analysis of the ‘problem of quality’ concluded that the ‘structural problem here is that reliable assurance of quality in performance depends ultimately not on contract terms but on trust and non-legal relations. Relations of trust and powerful non-legal sanctions depend upon the establishment of long-term … relations … The need for a governance structure and detailed monitoring in order to achieve co-operation and quality seems to lead towards the creation of conflictual relations between government and external contractors’ [see H Collins, Regulating Contracts (OUP 1999) 314-15].

To me, this raises important questions about the extent to which procurement and public contracts more generally can effectively deliver the expected safeguards and operate as an adequate sytem of ‘AI regulation by contract’. It seems to me that price clawbacks or financial penalties, even debarment decisions, are unilkely to provide an acceptable safety net in some (or most) cases — eg high-risk uses of complex AI. Not least because procurement disputes can take a long time to settle and because the incentives will not always be there to ensure strict enforcement anyway.

More thoughts to come

It seems increasingly clear to me that the expectations around the leveraging of procurement to ‘regulate AI by contract’ need reassessing in view of its likely effectiveness. Such effectiveness is constrained by the rules on the design of tenders for the award of public contracts, as well as those public contracts, and mechanisms to resolve disputes emerging from either tenders or contracts. The effectiveness of this approach is, of course, also constrained by public sector (digital) capability and by the broader difficulties in ascertaining the appropriate approach to (standards-based) AI regulation, which cannot so easily be set aside. I will keep thinking about all this in the process of writing my monograph. If this is of interested, keep an eye on this blog fior further thougths and analysis.

Registration open: TECH FIXES FOR PROCUREMENT PROBLEMS?

November 11, 2022

As previously announced, on 15 December, I will have the chance to discuss my ongoing research on procurement digitalisation with a stellar panel: Eliza Niewiadomska (EBRD), Jessica Tillipman (GW Law), and Sope Williams (Stellenbosch).

The webinar will provide an opportunity to take a hard look at the promise of tech fixes for procurement problems, focusing on key issues such as:

The ‘true’ potential of digital technologies in procurement.
The challenges arising from putting key enablers in place, such as an adequate big data architecture and access to digital skills in short supply.
The challenges arising from current regulatory frameworks and constraints not applicable to the private sector.
New challenges posed by data governance and cybersecurity risks.

The webinar will be held on December 15, 2022 at 9:00 am EST / 2:00 pm GMT / 3:00 pm CET-SAST. Full details and registration at: https://blogs.gwu.edu/law-govpro/tech-fixes-for-procurement-problems/.

Save the date: 15 Dec, Tech fixes for procurement problems?

October 27, 2022

If you are interested in procurement digitalisation, please save the date for an online workshop on ‘Tech fixes for procurement problems?’ on 15 December 2022, 2pm GMT. I will have the chance to discuss my ongoing research (scroll down for a few samples) with a stellar panel: Eliza Niewiadomska (EBRD), Jessica Tillipman (GW Law), and Sope Williams (Stellenbosch). We will also have plenty time for a conversation with participants. Do not let other commitments get on the way of joining the discussion!

More details and registration coming soon. For any questions, please email me: a.sanchez-graells@bristol.ac.uk.

Will public buyers be covered by new EU cybersecurity requirements? (Spoiler alert: some will, all should)

October 18, 2022

EU legislators have reached provisional agreement on a significant revamp of cybersecurity rules, likely to enter into force at some point in late 2024 or 2025. The future Directive (EU) 2022/... of the European Parliament and of the Council of .... on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS 2 Directive) will significantly expand the obligations imposed on Member States and on ‘essential’ and ‘important’ entities.

Given the importance of managing cybersecurity as public buyers complete their (late) transition to e-procurement, or further progress down the procurement digitalisation road, the question arises whether the NIS 2 Directive will apply to public buyers. I address that issue in this blog post.

Conflicting definitions?

Different from other recent legislative instruments that adopt the definitions under the EU procurement rules to establish the scope of the ‘public sector bodies’ to which they apply (such as the Open Data Directive, Art 2(1) and (2); or the Data Governance Act, Art 2(17) and (18)), the NIS 2 Directive establishes its own approach. Art 4(23)* defines ‘public administration entities’ as:

an entity recognised as such in a Member State in accordance with national law, that complies with the following criteria:

(a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;

(b) it has legal personality or it is entitled by law to act on behalf of another entity with legal personality;

(c) it is financed, for the most part, by the State, regional authority, or by other bodies governed by public law; or it is subject to management supervision by those authorities or bodies; or it has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities, or by other bodies governed by public law;

(d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.

Procurement lawyers will immediately raise their eyebrows. Does the definition capture all contracting authorities covered by the EU procurement rules?

Some gaps

Let’s take Directive 2014/24/EU for comparison [see A Sanchez-Graells, ‘Art 2’ in R Caranta and idem (eds), European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021) 2.06-2.18].

Under Arts 1(1) and 2(1)(2), it is clear that Directive 2014/24/EU applies to ‘contracting authorities’, defined as ‘the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law’.

Regarding the ‘State, regional or local authorities’, it seems clear that the NIS 2 Directive in principle covers them (more below), to the extent that they are recognised as a ‘public administration entity’ under national law. This does not seem problematic, although it will of course depend on the peculiarities of each Member State (not least because Directive 2014/24/EU operates a list system and refers to Annex I to establish what are central government authorities).

‘Bodies governed by public law’ are also largely covered by the definition of the NIS 2 Directive, as the material requirements of the definition map on to those under Art 2(1)(4) of Directive 2014/24/EU. However, there are two key deviations.

The first one concerns the addition of the requirement (d) that the body must have ‘the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital’. In my view, this is unproblematic, as all decisions concerning a procurement process covered by the EU rules have the potential to affect free movement rights and, to the extent that the body governed by public law can make those decisions, it meets the requirement.

The second deviation is that, under the ‘financing and control’ criterion (c), the NIS 2 Directive does not include finance or control by local authorities. This leaves out local-level bodies governed by public law, but only those that are not financed or influenced by other (local-level) bodies governed by public law (which is odd). However, this is aligned with the fact that the NIS 2 Directive does not cover local public administration entities (Art 2(2a)* NIS 2 Directive), although it foresees that Member States can extend its regime to local authorities. In such a case, the definitions would have to be carefully reworked in the process of domestic transposition.

A final issue is then whether the definition in the NIS 2 Directive covers ‘associations formed by one or more [central or sub-central] authorities or one or more such bodies governed by public law’. Here the position is much less clear, and it seems to depend on a case-by-case assessment of whether a given association meets all requirements under the definition, which can prove problematic and raise difficult interpretive questions—despite eg having extended the legal personality criterion (b) to the possibility of being ‘entitled by law to act on behalf of another entity with legal personality’. It is thus possible that some associations will not be covered by the NIS 2 Directive, eg if their status under domestic law is unclear.

More gaps

Although the NIS 2 Directive definition in principle covers the State and regional authorities (as above), it should stressed that the scope of application of the Directive only extends to public administration entities of central governments, and those at regional level ‘which following a risk based assessment, provide services the disruption of which could have a significant impact on critical economic or societal activities’ (Art 2(2a)* NIS 2 Directive).

In relation to regional procurement authorities, then, the question arises whether Member States will consider that the disruption of their activities ‘could have a significant impact on [other] critical economic or societal activities’. I submit that this will necessarily be the case, as the procurement function enables the performance of the general activities of the public administration and the provision of public services. However, there seems to be some undesirable legal wriggle room that could create legal uncertainty.

Moreover, the NIS 2 Directive does not apply ‘to public administration entities that carry out their activities in the areas of defence, national security, public security, or law enforcement, including the investigation, detection and prosecution of criminal offences’ (Art 2(3a)* NIS 2 Directive). This is another marked deviation from the treatment of entities in the defence and security sectors under the procurement rules [see B Heuninckx, ‘Art 15’ in Caranta and Sanchez-Graells, Commentary, above].

At a minimum, the reference to entities carrying out ‘the investigation, detection and prosecution of criminal offences’ raises questions on the applicability of the NIS 2 Directive to public buyers formally inserted in eg the Ministry of Justice and/or the judiciary, at Member State level. Whether this is a relevant practical issue will depend on the relevant national context, but it would have been preferable to take an approach that directly mapped onto the scope of Directive 2009/81/EC in determining the relevant activities.

Why is this a problem?

The potential inconsistencies between the scope of application of the NIS 2 Directive and the EU procurement rules are relevant in the context of the broader digitalisation of procurement, but also in the narrow context of the entry into force of the new rules on eForms (see here) and the related obligations under the Open Data Directive, which will require public buyers to make data collected by eForms available in electronic format.

Cutting a long story short, it has been stressed by eg the OECD that opening information systems to make data accessible may ‘expose parts of an organisation to digital security threats that can lead to incidents that disrupt the availability, integrity or confidentiality of data and information systems on which economic and social activities rely’. Moreover, given that the primary purpose of making procurement data open is to enable the development of AI solutions, such risks need to be considered in that context and cybersecurity of data sources has been raised as a key issue by eg the European Union Agency for Cybersecurity (ENISA).

Given that all procurement data systems will be interconnected (via APIs), and that they can provide the data architecture for other AI solutions, cybersecurity risks are a systemic issue that would benefit from a systemic approach. Having some (or most) but not all public buyers comply with high standards of cybersecurity may not eliminate significant vulnerabilities if the remaining points of access generate relevant cybersecurity risks.

How to fix it?

In my view, Member States should extend the obligations under the NIS 2 Directive not only to their local ‘public administration entities’, as envisaged by the Directive, but to all entities covered by significant data governance rules, such as the Open Data Directive. This would ensure high levels of cybersecurity to protect the integrity of the new procurement open data systems. It would also have the added benefit of ensuring alignment with the EU procurement rules and, in that regard, it would contribute to a clear regulatory framework for the governance of digital procurement across the EU. _________________________

* Please note that Articles in the provisional text of the NIS 2 Directive will have to be renumbered.

Digital procurement governance: drawing a feasibility boundary

September 29, 2022

In the current context of generalised quick adoption of digital technologies across the public sector and strategic steers to accelerate the digitalisation of public procurement, decision-makers can be captured by techno hype and the ‘policy irresistibility’ that can ensue from it (as discussed in detail here, as well as here).

To moderate those pressures and guide experimentation towards the successful deployment of digital solutions, decision-makers must reassess the realistic potential of those technologies in the specific context of procurement governance. They must also consider which enabling factors must be put in place to harness the potential of the digital technologies—which primarily relate to an enabling big data architecture (see here). Combined, the data requirements and the contextualised potential of the technologies will help decision-makers draw a feasibility boundary for digital procurement governance, which should inform their decisions.

In a new draft chapter (num 7) for my book project, I draw such a technology-informed feasibility boundary for digital procurement governance. This post provides a summary of my main findings, on which I will welcome any comments: a.sanchez-graells@bristol.ac.uk. The full draft chapter is free to download: A Sanchez-Graells, ‘Revisiting the promise: A feasibility boundary for digital procurement governance’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4232973.

Data as the main constraint

It will hardly be surprising to stress again that high quality big data is a pre-requisite for the development and deployment of digital technologies. All digital technologies of potential adoption in procurement governance are data-dependent. Therefore, without adequate data, there is no prospect of successful adoption of the technologies. The difficulties in generating an enabling procurement data architecture are detailed here.

Moreover, new data rules only regulate the capture of data for the future. This means that it will take time for big data to accumulate. Accessing historical data would be a way of building up (big) data and speeding up the development of digital solutions. Moreover, in some contexts, such as in relation with very infrequent types of procurement, or in relation to decisions concerning previous investments and acquisitions, historical data will be particularly relevant (eg to deploy green policies seeking to extend the use life of current assets through programmes of enhanced maintenance or refurbishment; see here). However, there are significant challenges linked to the creation of backward-looking digital databases, not only relating to the cost of digitisation of the information, but also to technical difficulties in ensuring the representativity and adequate labelling of pre-existing information.

An additional issue to consider is that a number of governance-relevant insights can only be extracted from a combination of procurement and other types of data. This can include sources of data on potential conflict of interest (eg family relations, or financial circumstances of individuals involved in decision-making), information on corporate activities and offerings, including detailed information on products, services and means of production (eg in relation with licensing or testing schemes), or information on levels of utilisation of public contracts and satisfaction with the outcomes by those meant to benefit from their implementation (eg users of a public service, or ‘internal’ users within the public administration).

To the extent that the outside sources of information are not digitised, or not in a way that is (easily) compatible or linkable with procurement information, some data-based procurement governance solutions will remain undeliverable. Some developments in digital procurement governance will thus be determined by progress in other policy areas. While there are initiatives to promote the availability of data in those settings (eg the EU’s Data Governance Act, the Guidelines on private sector data sharing, or the Open Data Directive), the voluntariness of many of those mechanisms raises important questions on the likely availability of data required to develop digital solutions.

Overall, there is no guarantee that the data required for the development of some (advanced) digital solutions will be available. A careful analysis of data requirements must thus be a point of concentration for any decision-maker from the very early stages of considering digitalisation projects.

Revised potential of selected digital technologies

Once (or rather, if) that major data hurdle is cleared, the possibilities realistically brought by the functionality of digital technologies need to be embedded in the procurement governance context, which results in the following feasibility boundary for the adoption of those technologies.

Robotic Process Automation (RPA)

RPA can reduce the administrative costs of managing pre-existing digitised and highly structured information in the context of entirely standardised and repetitive phases of the procurement process. RPA can reduce the time invested in gathering and cross-checking information and can thus serve as a basic element of decision-making support. However, RPA cannot increase the volume and type of information being considered (other than in cases where some available information was not being taken into consideration due to eg administrative capacity constraints), and it can hardly be successfully deployed in relation to open-ended or potentially contradictory information points. RPA will also not change or improve the processes themselves (unless they are redesigned with a view to deploying RPA).

This generates a clear feasibility boundary for RPA deployment, which will generally have as its purpose the optimisation of the time available to the procurement workforce to engage in information analysis rather than information sourcing and basic checks. While this can clearly bring operational advantages, it will hardly transform procurement governance.

Machine Learning (ML)

Developing ML solutions will pose major challenges, not only in relation to the underlying data architecture (as above), but also in relation to specific regulatory and governance requirements specific to public procurement. Where the operational management of procurement does not diverge from the equivalent function in the (less regulated) private sector, it will be possible to see the adoption or adaptation of similar ML solutions (eg in relation to category spend management). However, where there are regulatory constraints on the conduct of procurement, the development of ML solutions will be challenging.

For example, the need to ensure the openness and technical neutrality of procurement procedures will limit the possibilities of developing recommender systems other than in pre-procured closed lists or environments based on framework agreements or dynamic purchasing systems underpinned by electronic catalogues. Similarly, the intended use of the recommender system may raise significant legal issues concerning eg the exercise of discretion, which can limit their deployment to areas of information exchange or to merely suggestion-based tasks that could hardly replace current processes and procedures. Given the limited utility (or acceptability) of collective filtering recommender solutions (which is the predominant type in consumer-facing private sector uses, such as Netflix or Amazon), there are also constraints on the generality of content-based recommender systems for procurement applications, both at tenderer and at product/service level. This raises a further feasibility issue, as the functional need to develop a multiplicity of different recommenders not only reopens the issue of data sufficiency and adequacy, but also raises questions of (economic and technical) viability. Recommender systems would mostly only be susceptible of feasible adoption in highly centralised procurement settings. This could create a push for further procurement centralisation that is not neutral from a governance perspective, and that can certainly generate significant competition issues of a similar nature, but perhaps a different order of magnitude, than procurement centralisation in a less digitally advanced setting. This should be carefully considered, as the knock-on effects of the implementation of some ML solutions may only emerge down the line.

Similarly, the development and deployment of chatbots is constrained by specific regulatory issues, such as the need to deploy closed domain chatbots (as opposed to open domain chatbots, ie chatbots connected to the Internet, such as virtual assistants built into smartphones), so that the information they draw from can be controlled and quality assured in line with duties of good administration and other legal requirements concerning the provision of information within tender procedures. Chatbots are suited to types of high-volume information-based queries only. They would have limited applicability in relation to the specific characteristics of any given procurement procedure, as preparing the specific information to be used by the chatbot would be a challenge—with the added functionality of the chatbot being marginal. Chatbots could facilitate access to pre-existing and curated simple information, but their functionality would quickly hit a ceiling as the complexity of the information progressed. Chatbots would only be able to perform at a higher level if they were plugged to a knowledge base created as an expert system. But then, again, in that case their added functionality would be marginal. Ultimately, the practical space for the development of chatbots is limited to low added value information access tasks. Again, while this can clearly bring operational advantages, it will hardly transform procurement governance.

ML could facilitate the development and deployment of ‘advanced’ automated screens, or red flags, which could identify patterns of suspicious behaviour to then be assessed against the applicable rules (eg administrative and criminal law in case of corruption, or competition law, potentially including criminal law, in case of bid rigging) or policies (eg in relation to policy requirements to comply with specific targets in relation to a broad variety of goals). The trade off in this type of implementation is between the potential (accuracy) of the algorithmic screening and legal requirements on the explainability of decision-making (as discussed in detail here). Where the screens were not used solely for policy analysis, but acting on the red flag carried legal consequences (eg fines, or even criminal sanctions), the suitability of specific types of ML solutions (eg unsupervised learning solutions tantamount to a ‘black box’) would be doubtful, challenging, or altogether excluded. In any case, the development of ML screens capable of significantly improving over RPA-based automation of current screens is particularly dependent on the existence of adequate data, which is still proving an insurmountable hurdle in many an intended implementation (as above).

Distributed ledger technology (DLT) systems and smart contracts

Other procurement governance constraints limit the prospects of wholesale adoption of DLT (or blockchain) technologies, other than for relatively limited information management purposes. The public sector can hardly be expected to adopt DLT solutions that are not heavily permissioned, and that do not include significant safeguards to protect sensitive, commercially valuable, and other types of information that cannot be simply put in the public domain. This means that the public sector is only likely to implement highly centralised DLT solutions, with the public sector granting permissions to access and amend the relevant information. While this can still generate some (degrees of) tamper-evidence and permanence of the information management system, the net advantage is likely to be modest when compared to other types of secure information management systems. This can have an important bearing on decisions whether DLT solutions meet cost effectiveness or similar criteria of value for money controlling their piloting and deployment.

The value proposition of DLT solutions could increase if they enabled significant procurement automation through smart contracts. However, there are massive challenges in translating procurement procedures to a strict ‘if/when ... then’ programmable logic, smart contracts have limited capability that is not commensurate with the volumes and complexity of procurement information, and their development would only be justified in contexts where a given smart contract (ie specific programme) could be used in a high number of procurement procedures. This limits its scope of applicability to standardised and simple procurement exercises, which creates a functional overlap with some RPA solutions. Even in those settings, smart contracts would pose structural problems in terms of their irrevocability or automaticity. Moreover, they would be unable to generate off-chain effects, and this would not be easily sorted out even with the inclusion of internet of things (IoT) solutions or software oracles. This comes to largely restrict smart contracts to an information exchange mechanism, which does not significantly increase the value added by DLT plus smart contract solutions for procurement governance.

Conclusion

To conclude, there are significant and difficult to solve hurdles in generating an enabling data architecture, especially for digital technologies that require multiple sources of information or data points regarding several phases of the procurement process. Moreover, the realistic potential of most technologies primarily concerns the automation of tasks not involving data analysis of the exercise of procurement discretion, but rather relatively simple information cross-checks or exchanges. Linking back to the discussion in the earlier broader chapter (see here), the analysis above shows that a feasibility boundary emerges whereby the adoption of digital technologies for procurement governance can make contributions in relation to its information intensity, but not easily in relation to its information complexity, at least not in the short to medium term and not in the absence of a significant improvement of the required enabling data architecture. Perhaps in more direct terms, in the absence of a significant expansion in the collection and curation of data, digital technologies can allow procurement governance to do more of the same or to do it quicker, but it cannot enable better procurement driven by data insights, except in relatively narrow settings. Such settings are characterised by centralisation. Therefore, the deployment of digital technologies can be a further source of pressure towards procurement centralisation, which is not a neutral development in governance terms.

This feasibility boundary should be taken into account in considering potential use cases, as well as serve to moderate the expectations that come with the technologies and that can fuel ‘policy irresistibility’. Further, it should be stressed that those potential advantages do not come without their own additional complexities in terms of new governance risks (eg data and data systems integrity, cybersecurity, skills gaps) and requirements for their mitigation. These will be explored in the next stage of my research project.

Urgent: 'no eForms, no fun' -- getting serious about building a procurement data architecture in the EU

September 28, 2022

‘EU Member States only have about one year to make crucial decisions that will affect the procurement data architecture of the EU and the likelihood of successful adoption of digital technologies for procurement governance for years or decades to come’. Put like that, the relevance of the approaching deadline for the national implementation of new procurement eForms may grab more attention than the alternative statement that ‘in just about a year, new eForms will be mandatory for publication of procurement notices in TED’.

This latter more technical (obscure, and uninspiring?) understanding of the new eForms seems to have been dominating the approach to eForms implementation, which does not seem to have generally gained a high profile in domestic policy-making at EU Member State level despite the Publications Office’s efforts.

In this post, I reflect about the strategic importance of the eForms implementation for the digitalisation of procurement, the limited incentives for an ambitious implementation that stem from the voluntary approach of the most innovative aspects of the new eForms, and the opportunity that would be lost with a minimalistic approach to compliance with the new rules. I argue that it is urgent for EU Member States to get serious about building a procurement data architecture that facilitates the uptake of digital technologies for procurement governance across the EU, which requires an ambitious implementation of eForms beyond their minimum mandatory requirements.

eForms: some background

The EU is in the process of reforming the exchange of information about procurement procedures. This information exchange is mandated by the EU procurement rules, which regulate a variety of procurement notices with the two-fold objective of (i) fostering cross-border competition for public contracts and (ii) facilitating the oversight of procurement practices by the Member States, both in relation to the specific procedure (eg to enable access to remedies) and from a broad policy perspective (eg through the Single Market Scoreboard). In other words, this information exchange underpins the EU’s approach to procurement transparency, which mainly translates into publication of notices in the Tenders Electronic Daily (TED).

A 2019 Implementing Regulation established new standard forms for the publication of notices in the field of public procurement (eForms). The Implementing Regulation is accompanied by a detailed Implementation Handbook. The transition to eForms is about to hit a crucial milestone with the authorisation for their voluntary use from 14 November 2022, in parallel with the continued use of current forms. Following that, eForms will be mandatory and the only accepted format for publication of TED notices from 25 October 2023. There will thus have been a very long implementation period (of over four years), including an also lengthy (11-month) experimentation period about to start. This contrasts with previous revisions of the TED templates, which had given under six months’ notice (eg in 2015) or even just a 20-day implementation period (eg in 2011). This extended implementation period is reflective of the fact that the transition of eForms is not merely a matter of replacing a set of forms with another.

Indeed, eForms are not solely the new templates for the collection of information to be published in TED. eForms represent the EU’s open standard for publishing public procurement data — or, in other words, the ‘EU OCDS’ (which goes much beyond the OCDS mapping of the current TED forms). The importance of the implementation of a new data standard has been highlighted at strategic level, as this is the cornerstone of the EU’s efforts to improve the availability and quality of procurement data, which remain suboptimal (to say the least) despite continued efforts to improve the quality and (re)usability of TED data.

In that regard, the 2020 European strategy for data, emphasised that ‘Public procurement data are essential to improve transparency and accountability of public spending, fighting corruption and improving spending quality. Public procurement data is spread over several systems in the Member States, made available in different formats and is not easily possible to use for policy purposes in real-time. In many cases, the data quality needs to be improved.’ The European Commission now stresses how ‘eForms are at the core of the digital transformation of public procurement in the EU. Through the use of a common standard and terminology, they can significantly improve the quality and analysis of data’ (emphasis added).

It should thus be clear that the eForms implementation is not only about low level form-filling, but also (or primarily) about building a procurement data architecture that facilitates the uptake of digital technologies for procurement governance across the EU. Therefore, the implementation of eForms and the related data standard seeks to achieve two goals: first, to ensure the data quality (eg standardisation, machine-readability) required to facilitate its automated treatment for the purposes of publication of procurement notices mandated by EU law (ie their primary use); and, second, to build a data architecture that can facilitate the accumulation of big data so that advanced data analytics can be deployed by re-users of procurement data. This second(ary) goal is particularly relevant to our discussion. This requires some unpacking.

The importance of data for the deployment of digital technologies

It is generally accepted that quality (big) data is the primary requirement for the deployment of digital technologies to extract data-driven insights, as well as to automate menial back-office tasks. In a detailed analysis of these technologies, I stress the relevance of procurement data across technological solutions that could be deployed to improve procurement governance. In short, the outcome of robotic process automation (RPA) can only be as good as its sources of information, and adequate machine learning (ML) solutions can only be trained on high-quality big data—which thus conditions the possibility of developing recommender systems, chatbots, or algorithmic screens for procurement monitoring and oversight. Distributed Ledger Technology (DLT) systems (aka blockchain) can manage data, but cannot verify its content, accuracy, or reliability. Internet of Things (IoT) applications and software oracles can automatically capture data, which can alleviate some of the difficulties in generating an adequate data infrastructure. But this is only in relation with the observation of the ‘real world’ or in relation to digitally available information, which quality raises the same issues as other sources of data. In short, all digital technologies are data-centric or, more clearly, data-dependent.

Given the crucial relevance of data across digital technologies, it is hard to emphasise how any shortcomings in the enabling data architecture curtail the likelihood of successful adoption of digital technologies for procurement governance. With inadequate data, it may simply be impossible to develop digital solutions at all. And the development and adoption of digital solutions developed on poor or inadequate data can generate further problems—eg skewing decision-making on the basis of inadequately derived ‘data insights’. Ultimately, then, ensuring that adequate data is available to develop digital governance solutions is a challenging but unavoidable requirement in the process of procurement digitalisation. Success, or lack of it, in the creation of an enabling data architecture will determine the viability of the deployment of digital technologies more generally. From this perspective, the implementation of eForms gains clear strategic importance.

eForms Implementation: a flexible model

Implementing eForms is not an easy task. The migration towards eForms requires a complete redesign of information exchange mechanisms. eForms are designed around universal business language and involve the use of a much more structured information schema, compatible with the EU’s eProcurement Ontology, than the current TED forms. eForms are also meant to collect a larger amount of information than current TED forms, especially in relation to sub-units within a tender, such as lots, or in relation to framework agreements. eForms are meant to be flexible and regularly revised, in particular to add new fields to facilitate data capture in relation to specific EU-mandated requirements in procurement, such as in relation with the clean vehicles rules (with some changes already coming up, likely in November 2022).

From an informational point of view, the main constraint that remains despite the adoption of eForms is that their mandatory content is determined by existing obligations to report and publish tender-specific information under the current EU procurement rules, as well as to meet broader reporting requirements under international and EU law (eg the WTO GPA). This mandatory content is thus rather limited. Ultimately, eForms’ main concentration is on disseminating details of contract opportunities and capturing different aspects of decision-making by the contracting authorities. Given the process-orientedness and transactional focus of the procurement rules, most of the information to be mandatorily captured by the eForms concerns the scope and design of the tender procedure, some aspects concerning the award and formal implementation of the contract, as well as some minimal data points concerning its material outcome—primarily limited to the winning tender. As the Director-General of the Publications Office put it an eForms workshop yesterday, the new eForms will provide information on ‘who buys what, from whom and for what price’. While some of that information (especially in relation to the winning tender) will be reflective of broader market conditions, and while the accumulation of information across procurement procedures can progressively generate a broader view of (some of) the relevant markets, it is worth stressing that eForms are not designed as a tool of market intelligence.

Indeed, eForms do not capture the entirety of information generated by a procurement process and, as mentioned, their mandatory content is rather limited. eForms do include several voluntary or optional fields, and they could be adapted for some voluntary uses, such as in relation to detection of collusion in procurement, or in relation to the beneficial ownership of tenderers and subcontractors. Extensive use of voluntary fields and the development of additional fields and uses could contribute to generating data that enabled the deployment of digital technologies for the purposes of eg market intelligence, integrity checks, or other sorts of (policy-related) analysis. For example, there are voluntary fields in relation to green, social or innovation procurement, which could serve as the basis for data-driven insights into how to maximise the effects of such policy interventions. There are also voluntary fields concerning procurement challenges and disputes, which could facilitate a monitoring of eg areas requiring guidance or training. However, while the eForms are flexible, include voluntary fields, and the schema facilitates the development of additional fields, is it unclear that adequate incentives exist for adoption beyond their mandatory minimum content.

Implementation in two tiers

The fact that eForms are in part mandatory and in part voluntary will most likely result in two separate tiers of eForms implementation across the EU. Tier 1 will solely concern the collection and exchange of information mandated by EU law, that is the minimum mandatory eForm content. Tier 2 will concern the optional collection and exchange of a much larger volume of information concerning eg the entirety of tenders received, as well as qualitative information on eg specific policy goals embedded in a tender process. Of course, in the absence of coordination, a (large) degree of variation within Tier 2 can be expected. Tier 2 is potentially very important for (digital) procurement governance, but there is no guarantee that Member States will decide to implement eForms covering it.

One of the major obstacles to the broad adoption of a procurement data model so far, at least in the European Union, relates to the slow uptake of e-procurement (as discussed eg here). Without an underlying highly automated e-procurement system, the generation and capture of procurement data is a main challenge, as it is a labour-intensive process prone to input error. The entry into force of the eForms rules could serve as a further push for the completion of the transition to e-procurement—at least in relation to procurement covered by EU law (as below thresholds procurement is a voluntary potential use of eForms). However, it is also possible that low e-procurement uptake and generalised unsophisticated approaches to e-procurement (eg reduced automation) will limit the future functionality of eForms, with Member States that have so far lagged behind restricting the use of eForms to tier 1. Non life-cycle (automated) e-procurement systems may require manual inputs into the new eForms (or the databases from which they can draw information) and this implies that there is a direct cost to the implementation of each additional (voluntary) data field. Contracting authorities may not perceive the (potential) advantages of incurring those costs, or may more simply be constrained by their available budget. A collective action problem arises here, as the cost of adding more data to the eForms is to be shouldered by each public buyer, while the ensuing big data would potentially benefit everyone (especially as it will be published—although there are also possibilities to capture but not publish information that should be explored, at least to prevent excessive market transparency; but let’s park that issue for now) and perhaps in particular data re-users offering for pay added-value services.

In direct relation to this, and compounding the (dis)incentives problem, the possibility (or likelihood) of minimal implementation is compounded by the fact that, in many Member States, the operational adaptation to eForms does not directly concern public sector entities, but rather their service providers. e-procurement services providers compete for the provision of large volume, entirely standardised platform services, which are markets characterised by small operational margins. This creates incentives for a minimal adaptation of current e-sending systems and disincentives for the inclusion of added-value (data) services potentially unlikely to be used by public buyers. Some (or most) optional aspects of the eForm implementation will thus remain unused due to these market structure and dynamics, which does not clearly incentivise a race to the top (unless there is clear demand pull for it).

With some more nuance, it should be stressed that it is also possible that the adoption of eForms is uneven within a given jurisdiction where the voluntary character of parts of the eForm is kept (rather than made mandatory across the board through domestic legislation), with advanced procurement entities (eg central purchasing bodies, or large buyers) adopting tier 2 eForms, and (most) other public buyers limiting themselves to tier 1.

Ensuing data fragmentation

While this variety of approaches across the EU and within a Member State would not pose legal challenges, it would have a major effect on the utility of the eForms-generated data for the purposes of eg developing ML solutions, as the data would be fragmented, hardly representative of important aspects of procurement (markets), and could hardly be generalisable. The only consistent data would be that covered by tier 1 (ie mandatory and standardised implementation) and this would limit the potential use cases for the deployment of digital technologies—with some possibly limited to the procurement remit of the specific institutions with tier 2 implementations.

Relatedly, it should be stressed that, despite the effort to harmonise the underlying data architecture and link it to the Procurement Ontology, the Implementation Handbook makes clear that ‘eForms are not an “off the shelf” product that can be implemented only by IT developers. Instead, before developers start working, procurement policy decision-makers have to make a wide range of policy decisions on how eForms should be implemented’ in the different Member States.

This poses an additional challenge from the perspective of data quality (and consistency), as there are many fields to be tailored in the eForms implementation process that can result in significant discrepancies in the underlying understanding or methodology to determine them, in addition to the risk of potential further divergence stemming from the domestic interpretation of very similar requirements. This simply extends to the digital data world the current situation, eg in relation to diverging understandings of what is ‘recyclable’ or what is ‘social value’ and how to measure them. Whenever open-ended concepts are used, the data may be a poor source for comparative and aggregate analysis. Where there are other sources of standardisation or methodology, this issue may be minimised—eg in relation to the green public procurement criteria developed in the EU, if they are properly used. However, where there are no outside or additional sources of harmonisation, it seems that there is scope for quite a few difficult issues in trying to develop digital solutions on top of eForms data, except in relation to quantitative issues or in relation to information structured in clearly defined categories—which will mainly link back to the design of the procurement.

An opportunity about to be lost?

Overall, while the implementation of eForms could in theory build a big data architecture and facilitate the development of ML solutions, there are many challenges ahead and the generalised adoption of tier 2 eForms implementations seems unlikely, unless Member States make a positive decision in the process of national adoption. The importance of an ambitious tier 2 implementation of eForms should be assessed in light of its downstream importance for the potential deployment of digital technologies to extract data-driven insights and to automate parts of the procurement process. A minimalistic implementation of eForms would significantly constrain future possibilities of procurement digitalisation. Primarily in the specific jurisdiction, but also with spillover effects across the EU.

Therefore, a minimalistic eForms implementation approach would perpetuate (most of the) data deficit that prevents effective procurement digitalisation. It would be a short-sighted saving. Moreover, the effects of a ‘middle of the road’ approach should also be considered. A minimalistic implementation with a view to a more ambitious extension down the line could have short-term gains, but would delay the possibility of deploying digital technologies because the gains resulting from the data architecture are not immediate. In most cases, it will be necessary to wait for the accumulation of sufficiently big data. In some cases of infrequent procurement, missing data points will generate further time lags in the extraction of valuable insights. It is no exaggeration that every data point not captured carries an opportunity cost.

If Member States are serious about the digitalisation of public procurement, they will make the most of the coming year to develop tier 2 eForms implementations in their jurisdiction. They should also keep an eye on cross-border coordination. And the European Commission, both DG GROW and the Publications Office, would do well to put as much pressure on Member States as possible.

Public procurement governance as an information-intensive exercise, and the allure of digital technologies

September 12, 2022

Abstract picture used for decorative purposes only.

I have just started a 12-month Mid-Career Fellowship funded by the British Academy with the purpose of writing up the monograph Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming).

In the process of writing up, I will be sharing some draft chapters and other thought pieces. I would warmly welcome feedback that can help me polish the final version. As always, please feel free to reach out: a.sanchez-graells@bristol.ac.uk.

In this first draft chapter (num 6), I explore the technological promise of digital governance and use public procurement as a case study of ‘policy irresistibility’. The main ideas in the chapter are as follows:

This Chapter takes a governance perspective to reflect on the process of horizon scanning and experimentation with digital technologies. The Chapter stresses how aspirations of digital transformation can drive policy agendas and make them vulnerable to technological hype, despite technological immaturity and in the face of evidence of the difficulty of rolling out such transformation programmes—eg regarding the still ongoing wave of transition to e-procurement. Delivering on procurement’s goals of integrity, efficiency and transparency requires facing challenges derived from the information intensity and complexity of procurement governance. Digital technologies promise to bring solutions to such informational burden and thus augment decisionmakers’ ability to deal with that complexity and with related uncertainty. The allure of the potential benefits of deploying digital technologies generates ‘policy irresistibility’ that can capture decision-making by policymakers overly exposed to the promise of technological fixes to recalcitrant governance challenges. This can in turn result in excessive experimentation with digital technologies for procurement governance in the name of transformation. The Chapter largely focuses on the EU policy framework, but the insights derived from this analysis are easily exportable.

Another draft chapter (num 7) will follow soon with more detailed analysis of the feasibility boundary for the adoption of digital technologies for procurement governance purposes. The full details of this draft chapter are as follows: A Sanchez-Graells, ‘The technological promise of digital governance: procurement as a case study of “policy irresistibility”’ to be included in A Sanchez-Graells, Digital Technologies and Public Procurement. Gatekeeping and experimentation in digital public governance (OUP, forthcoming). Available at SSRN: https://ssrn.com/abstract=4216825.

Digital technologies, hype, and public sector capability

July 13, 2022

By Albert Sanchez-Graells (@How2CrackANut) and Michael Lewis (@OpsProf).*

The public sector’s reaction to digital technologies and the associated regulatory and governance challenges is difficult to map, but there are some general trends that seem worrisome. In this blog post, we reflect on the problematic compound effects of technology hype cycles and diminished public sector digital technology capability, paying particular attention to their impact on public procurement.

Digital technologies, smoke, and mirrors

There is a generalised over-optimism about the potential of digital technologies, as well as their likely impact on economic growth and international competitiveness. There is also a rush to ‘look digitally advanced’ eg through the formulation of ‘AI strategies’ that are unlikely to generate significant practical impacts (more on that below). However, there seems to be a big (and growing?) gap between what countries report (or pretend) to be doing (eg in reports to the OECD AI observatory, or in relation to any other AI readiness ranking) and what they are practically doing. A relatively recent analysis showed that European countries (including the UK) underperform particularly in relation to strategic aspects that require detailed work (see graph). In other words, there are very few countries ready to move past signalling a willingness to jump onto the digital tech bandwagon.

Source: PWC, The strategic use of public procurement for innovation in the digital economy (2021: 9).

Some of that over-optimism stems from limited public sector capability to understand the technologies themselves (as well as their implications), which leads to naïve or captured approaches to policymaking (on capture, see the eye-watering account emerging from the #Uberfiles). Given the closer alignment (or political meddling?) of policymakers with eg research funding programmes, including but not limited to academic institutions, naïve or captured approaches impact other areas of ‘support’ for the development of digital technologies. This also trickles down to procurement, as the ‘purchasing’ of digital technologies with public money is seen as a (not very subtle) way of subsidising their development (nb. there are many proponents of that approach, such as Mazzucato, as discussed here). However, this can also generate further space for capture, as the same lack of capability that affects high(er) level policymaking also affects funding organisations and ‘street level’ procurement teams. This results in a situation where procurement best practices such as market engagement result in the ‘art of the possible’ being determined by private industry. There is rarely co-creation of solutions, but too often a capture of procurement expenditure by entrepreneurs.

Limited capability, difficult assessments, and dependency risk

Perhaps the universalist techno-utopian framing (cost savings and efficiency and economic growth and better health and new service offerings, etc.) means it is increasingly hard to distinguish the specific merits of different digitalisation options – and the commercial interests that actively hype them. It is also increasingly difficult to carry out effective impact assessments where the (overstressed) benefits are relatively narrow and short-termist, while the downsides of technological adoption are diffuse and likely to only emerge after a significant time lag. Ironically, this limited ability to diagnose ‘relative’ risks and rewards is further exacerbated by the diminishing technical capability of the state: a negative mirror to Amazon’s flywheel model for amplifying capability. Indeed, as stressed by Bharosa (2022): “The perceptions of benefits and risks can be blurred by the information asymmetry between the public agencies and GovTech providers. In the case of GovTech solutions using new technologies like AI, Blockchain and IoT, the principal-agent problem can surface”.

As Colington (2021) points out, despite the “innumerable papers in organisation and management studies” on digitalisation, there is much less understanding of how interests of the digital economy might “reconfigure” public sector capacity. In studying Denmark’s policy of public sector digitalisation – which had the explicit intent of stimulating nascent digital technology industries – she observes the loss of the very capabilities necessary “for welfare states to develop competences for adapting and learning”. In the UK, where it might be argued there have been attempts, such as the Government Digital Services (GDS) and NHS Digital, to cultivate some digital skills ‘in-house’, the enduring legacy has been more limited in the face of endless demands for ‘cost saving’. Kattel and Takala (2021) for example studied GDS and noted that, despite early successes, they faced the challenge of continual (re)legitimization and squeezed investment; especially given the persistent cross-subsidised ‘land grab’ of platforms, like Amazon and Google, that offer ‘lower cost and higher quality’ services to governments. The early evidence emerging from the pilot algorithmic transparency standard seems to confirm this trend of (over)reliance on external providers, including Big Tech providers such as Microsoft (see here).

This is reflective of Milward and Provan’s (2003) ‘hollow state’ metaphor, used to describe "the nature of the devolution of power and decentralization of services from central government to subnational government and, by extension, to third parties – nonprofit agencies and private firms – who increasingly manage programs in the name of the state.” Two decades after its formulation, the metaphor is all the more applicable, as the hollowing out of the State is arguably a few orders of magnitude larger due the techno-centricity of reforms in the race towards a new model of digital public governance. It seems as if the role of the State is currently understood as being limited to that of enabler (and funder) of public governance reforms, not solely implemented, but driven by third parties—and primarily highly concentrated digital tech giants; so that “some GovTech providers can become the next Big Tech providers that could further exploit the limited technical knowledge available at public agencies [and] this dependency risk can become even more significant once modern GovTech solutions replace older government components” (Bharosa, 2022). This is a worrying trend, as once dominance is established, the expected anticompetitive effects of any market can be further multiplied and propagated in a setting of low public sector capability that fuels risk aversion, where the adage “Nobody ever gets fired for buying IBM” has been around since the 70s with limited variation (as to the tech platform it is ‘safe to engage’).

Ultimately, the more the State takes a back seat, the more its ability to steer developments fades away. The rise of a GovTech industry seeking to support governments in their digital transformation generates “concerns that GovTech solutions are a Trojan horse, exploiting the lack of technical knowledge at public agencies and shifting decision-making power from public agencies to market parties, thereby undermining digital sovereignty and public values” (Bharosa, 2022). Therefore, continuing to simply allow experimentation in the GovTech market without a clear strategy on how to reign the industry in—and, relatedly, how to build the public sector capacity needed to do so as a precondition—is a strategy with (exponentially) increasing reversal costs and an unclear tipping point past which meaningful change may simply not be possible.

Public sector and hype cycle

Being more pragmatic, the widely cited, if impressionistic, “hype cycle model” developed by Gartner Inc. provides additional insights. The model presents a generalized expectations path that new technologies follow over time, which suggests that new industrial technologies progress through different stages up to a peak that is followed by disappointment and, later, a recovery of expectations.

Although intended to describe aggregate technology level dynamics, it can be useful to consider the hype cycle for public digital technologies. In the early phases of the curve, vendors and potential users are actively looking for ways to create value from new technology and will claim endless potential use cases. If these are subsequently piloted or demonstrated – even if ‘free’ – they are exciting and visible, and vendors are keen to share use cases, they contribute to creating hype. Limited public sector capacity can also underpin excitement for use cases that are so far removed from their likely practical implementation, or so heavily curated, that they do not provide an accurate representation of how the technology would operate at production phase in the generally messy settings of public sector activity and public sector delivery. In phases such as the peak of inflated expectations, only organisations with sufficient digital technology and commercial capabilities can see through sophisticated marketing and sales efforts to separate the hype from the true potential of immature technologies. The emperor is likely to be naked, but who’s to say?

Moreover, as mentioned above, international organisations one step (upwards) removed from the State create additional fuel for the hype through mapping exercises and rankings, which generate a vicious circle of “public sector FOMO” as entrepreneurial bureaucrats and politicians are unlikely to want to be listed bottom of the table and can thus be particularly receptive to hyped pitches. This can leverage incentives to support *almost any* sort of tech pilots and implementations just to be seen to do something ‘innovative’, or to rush through high-risk implementations seeking to ‘cash in’ on the political and other rents they can (be spun to) generate.

However, as emerging evidence shows (AI Watch, 2022), there is a big attrition rate between announced and piloted adoptions, and those that are ultimately embedded in the functioning of the public sector in a value-adding manner (ie those that reach the plateau of productivity stage in the cycle). Crucially, the AI literacy and skills in the staff involved in the use of the technology post-pilot are one of the critical challenges to the AI implementation phase in the EU public sector (AI Watch, 2021). Thus, early moves in the hype curve are unlikely to translate into sustainable and expectations-matching deployments in the absence of a significant boost of public sector digital technology capabilities. Without committed long-term investment in that capability, piloting and experimentation will rarely translate into anything but expensive pet projects (and lucrative contracts).

Locking the hype in: IP, data, and acquisitions markets

Relatedly, the lack of public sector capacity is a foundation for eg policy recommendations seeking to avoid the public buyer acquiring (and having to manage) IP rights over the digital technologies it funds through procurement of innovation (see eg the European Commission’s policy approach: “There is also a need to improve the conditions for companies to protect and use IP in public procurement with a view to stimulating innovation and boosting the economy. Member States should consider leaving IP ownership to the contractors where appropriate, unless there are overriding public interests at stake or incompatible open licensing strategies in place” at 10).

This is clear as mud (eg what does overriding public interest mean here?) but fails to establish an adequate balance between public funding and public access to the technology, as well as generating (unavoidable?) risks of lock-in and exacerbating issues of lack of capacity in the medium and long-term. Not only in terms of re-procuring the technology (see related discussion here), but also in terms of the broader impact this can have if the technology is propagated to the private sector as a result of or in relation to public sector adoption.

Linking this recommendation to the hype curve, such an approach to relying on proprietary tech with all rights reserved to the third-party developer means that first mover advantages secured by private firms at the early stages of the emergence of a new technology are likely to be very profitable in the long term. This creates further incentives for hype and for investment in being the first to capture decision-makers, which results in an overexposure of policymakers and politicians to tech entrepreneurs pushing hard for (too early) adoption of technologies.

The exact same dynamic emerges in relation to access to data held by public sector entities without which GovTech (and other types of) innovation cannot take place. The value of data is still to be properly understood, as are the mechanisms that can ensure that the public sector obtains and retains the value that data uses can generate. Schemes to eg obtain value options through shares in companies seeking to monetise patient data are not bullet-proof, as some NHS Trusts recently found out (see here, and here paywalled). Contractual regulation of data access, data ownership and data retention rights and obligations pose a significant challenge to institutions with limited digital technology capabilities and can compound IP-related lock-in problems.

A final further complication is that the market for acquisitions of GovTech and other digital technologies start-ups and scale-ups is very active and unpredictable. Even with standard levels of due diligence, public sector institutions that had carefully sought to foster a diverse innovation ecosystem and to avoid contracting (solely) with big players may end up in their hands anyway, once their selected provider leverages their public sector success to deliver an ‘exit strategy’ for their founders and other (venture capital) investors. Change of control clauses clearly have a role to play, but the outside alternatives for public sector institutions engulfed in this process of market consolidation can be limited and difficult to assess, and particularly challenging for organisations with limited digital technology and associated commercial capabilities.

Procurement at the sharp end

Going back to the ongoing difficulty (and unwillingness?) in regulating some digital technologies, there is a (dominant) general narrative that imposes a ‘balanced’ approach between ensuring adequate safeguards and not stifling innovation (with some countries clearly erring much more on the side of caution, such as the UK, than others, such as the EU with the proposed EU AI Act, although the scope of application of its regulatory requirements is narrower than it may seem). This increasingly means that the tall order task of imposing regulatory constraints on the digital technologies and the private sector companies that develop (and own them) is passed on to procurement teams, as the procurement function is seen as a useful regulatory mechanism (see eg Select Committee on Public Standards, Ada Lovelace Institute, Coglianese and Lampmann (2021), Ben Dor and Coglianese (2022), etc but also the approach favoured by the European Commission through the standard clauses for the procurement of AI).

However, this approach completely ignores issues of (lack of) readiness and capability that indicate that the procurement function is being set up to fail in this gatekeeping role (in the absence of massive investment in upskilling). Not only because it lacks the (technical) ability to figure out the relevant checks and balances, and because the levels of required due diligence far exceed standard practices in more mature markets and lower risk procurements, but also because the procurement function can be at the sharp end of the hype cycle and (pragmatically) unable to stop the implementation of technological deployments that are either wasteful or problematic from a governance perspective, as public buyers are rarely in a position of independent decision-making that could enable them to do so. Institutional dynamics can be difficult to navigate even with good insights into problematic decisions, and can be intractable in a context of low capability to understand potential problems and push back against naïve or captured decisions to procure specific technologies and/or from specific providers.

Final thoughts

So, as a generalisation, lack of public sector capability seems to be skewing high level policy and limiting the development of effective plans to roll it out, filtering through to incentive systems that will have major repercussions on what technologies are developed and procured, with risks of lock-in and centralisation of power (away from the public sector), as well as generating a false comfort in the ability of the public procurement function to provide an effective route to tech regulation. The answer to these problems is both evident, simple, and politically intractable in view of the permeating hype around new technologies: more investment in capacity building across the public sector.

This regulatory answer is further complicated by the difficulty in implementing it in an employment market where the public sector, its reward schemes and social esteem are dwarfed by the high salaries, flexible work conditions and allure of the (Big) Tech sector and the GovTech start-up scene. Some strategies aimed at alleviating the generalised lack of public sector capability, e.g. through a GovTech platform at the EU level, can generate further risks of reduction of (in-house) public sector capability at State (and regional, local) level as well as bottlenecks in the access of tech to the public sector that could magnify issues of market dominance, lock-in and over-reliance on GovTech providers (as discussed in Hoekstra et al, 2022).

Ultimately, it is imperative to build more digital technology capability in the public sector, and to recognise that there are no quick (or cheap) fixes to do so. Otherwise, much like with climate change, despite the existence of clear interventions that can mitigate the problem, the hollowing out of the State and the increasing overdependency on Big Tech providers will be a self-fulfilling prophecy for which governments will have no one to blame but themselves.

___________________________________

* We are grateful to Rob Knott (@Procure4Health) for comments on an earlier draft. Any remaining errors and all opinions are solely ours.

The perils of not carrying out technology-centered research into digital technologies and procurement governance -- re Sava and Dragos (2022), plus authors' response

July 4, 2022

This is a post in two parts. The first part addresses my methodological concerns with research on digital technologies and public procurement (and public governance more generally), as exemplified by a recent paper. The second part collects the response by the authors of that paper.

This pair of points of view are offered together to try to create debate. While the authors found my comments harsh (I cannot judge that), they engaged with them and provided their own counter-arguments. In itself, I think that is laudable and already has value. Any further discussion with the broader community, via comments (or email), would be a bonus.

Part 1: The perils of not carrying out technology-centered research into digital technologies and procurement governance -- re Sava and Dragos (2022)

When I started researching the interaction between digital technologies and procurement governance, it was clear to me that a technology-centered legal method was required. A significant amount of the scholarship that is published fails to properly address the governance implications of digital technologies because it simply does not engage with their functionality—or, put otherwise, because the technology is not understood. This can lead to either excessive claims of what ‘technology fixes’ can achieve or, perhaps even more problematic, it can generate analysis that is based on a misleading, shallow and oftentimes purely literal reading of the labels with which the technology is described and referred to.

A recent paper on smart contracts and procurement clearly exemplifies this problem: N.A. Sava & D. Dragos, ‘The Legal Regime of Smart Contracts in Public Procurement’ (2022) Transylvanian Review of Administrative Sciences, No. 66 E/2022, pp. 99–112.

Conceptual problems

From the outset, the paper is at pains to distinguish blockchain and smart contracts, and proposes ’a needed conceptual distinction that would fit the public contracts theory: before a contract is signed, it is logical to refer to blockchain technology when discussing digital means of awarding the procurement contract. As a result of this award, the concluded contract could be a “smart contract”’ (at 101).

The trap into which the paper falls, of course, is that of believing that blockchain and smart contracts can be distinguished ‘conceptually’ (in a legal sense), rather than on the basis of their technological characteristics and functionality.

Blockchain is a type of distributed ledger technology (DLT). In some more detail: ‘A DLT system is a system of electronic records that enables a network of independent participants to establish a consensus around the authoritative ordering of cryptographically-validated (‘signed’) transactions. These records are made persistent by replicating the data across multiple nodes, and tamper-evident by linking them by cryptographic hashes. The shared result of the reconciliation/consensus process - the ‘ledger’ - serves as the authoritative version for these records’ (M Rauchs et al, Distributed Ledger Technology Systems. A Conceptual Framework (2018), at 24). Blockchain is thus a ‘passive’ digital technology in the sense that it cannot perform any sort of automation of (decision-making) processes because it simply serves to create a data infrastructure.

In turn, smart contracts are a type of ‘active’ (or automating) digital technology that can be deployed on top of a DLT. In more detail: ‘Smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met. They typically are used to automate the execution of an agreement so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when conditions are met’ (IBM, What are smart contracts on blockchain? (undated, accessed 1 July 2022)).

What this means is that, functionally, ‘smart contracts’ may or may not map onto the legal concept of contract, as a ‘smart contract’ can be a unilaterally programmed set of instructions aimed at the automation of a workflow underpinned by data held on a DLT.

Taking this to the public procurement context, it is then clear that both the management of the award process and the execution of an awarded public contract, to the extent that they could be automated, would both need to be instrumentalised via smart contracts plus an underlying blockchain (I would though be remiss not to stress that the practical possibilities of automating either of those procurement phases are extremely limited, if at all realistic; see here and here, which the paper refers to in passing). It does not make any (technological/functional) sense to try to dissociate both layers of digital technology to suggest that ‘blockchain technology [should be used] when discussing digital means of awarding the procurement contract. As a result of this award, the concluded contract could be a “smart contract”’ (Sava & Dragos, above, 101).

This is important, because that technology-incongruent conceptual distinction is then the foundation of legal analysis. The paper e.g. posits that ‘the award of public contracts is a unilateral procedure, organized by state authorities according to specific rules, and that automation of such procedure may be done using blockchain technology, but it is not a ‘“smart contract” (sic). Smart contracts, on the other hand, can be an already concluded procurement contract, which is executed, oversaw (sic) and even remedied transparently, using blockchain technology (sic)’ (ibid, 103, emphasis added).

There are three problems here. First, the automation of the procurement award procedure carried out on top of a DLT layer would require a smart contract (or a number of them). Second, the outcome of that automated award would only be a ‘smart contract’ in itself if it was fully coded and its execution fully automated. In reality, it seems likely that some parts of a public contract could be coded (e.g. payments upon invoice approval), whereas other parts could not (e.g. anything that has to happen offline). Third, the modification of the smart contract (ie coded) parts of a public contract could not be modified (solely) using blockchain technology, but would require another (or several) smart contract/s.

Some more problems

Similarly, the lack of technology-centricity of the analysis leads the paper to present as open policy choices some issues that are simply technologically-determined.

For example, the paper engages in this analysis:

… the question is where should the smart public contracts be awarded? In the electronic procurement systems already developed by the different jurisdictions? On separate platforms using blockchain technology? The best option for integrating smart contracts into the procurement procedures may be the already existing digital infrastructure, therefore on the electronic procurement platforms of the member states. We believe this would be an optimal solution, as smart contracts should enhance the current electronic procurement framework and add value to it, thus leveraging the existing system and not replacing it (at 103, emphasis added).

Unless the existing electronic procurement platforms ran on blockchain—which I do not think they do—then this is not a policy option at all, as it is not possible to deploy smart contracts on top of a different layer of information. It may be possible to automate some tasks using different types of digital technologies (e.g. robotic process automation), but not smart contracts (if the technological concept, as discussed above, is to be respected).

The problems continue with the shallow approach to the technology (and to the underlying legal and practical issues), as also evidenced in the discussion of the possibility of automating checks related to the European Single Procurement Document (ESPD), which is a self-declaration that the economic operator is not affected by exclusion grounds (see Art 59 Directive 2014/24/EU).

The paper states

In the context of automatized checks, the blockchain technology can provide an avenue for checking the validity of proofs presented. The system could automate the verifications of the exclusion grounds and the selection criteria by checking the original documents referenced in the ESPD in real time (that is, before determining the winning tender). The blockchain technology could verify the respect of the exclusions grounds and rule out any economic operator that does not comply with this condition (at 104, emphasis added).

This is a case of excessive claim based on a misunderstanding of the technology. A smart contract could only verify whatever information was stored in a DLT. There is no existing DLT capturing the information required to assess the multiplicity of exclusion grounds regulated under EU law. Moreover, the check would never be of the original documents, but rather of digital records that would either be self-declared by the economic operators or generated by a trusted authority. If the latter, what is the point of a blockchain (or other DLT), given that the authority and veracity of the information comes from the legal authority of the issuer, not the consensus mechanism?

There are also terminological/conceptual inconsistencies in the paper, which does not consistently stick to its conceptual distinction that blockchain should be used to refer to the automation of the award procedure, with smart contracts being reserved to the awarded contract. For example, it (correctly) asserts that ‘When it comes to selection criteria, the smart contract could also perform automatic checks on the elements listed in the contract notice’ (at 104). However, this can creates confusion for a reader not familiar with the technology.

Other issues point at the potentially problematic implications of analysis based on a lack of in-depth exploration of the technologies. For example, the paper discusses a project in Colombia, which ‘created a blockchain software that allowed for record keeping, real time auditability, automation through smart contracts and enhanced citizen engagement’ (at 105). After limited analysis, the paper goes on to stress that ‘Our opinion is that the system in Colombia resembles very much the regular e-procurement systems in Europe. For instance, Romania’s SEAP (Electronic Public Procurement System) insures exactly the same features — non-alteration of bids, traceability and automatic evaluation of tenders (price). So, the question is whether the smart contract system in Colombia is anything else than a functional e-procurement system’ (ibid). This reflects a conflation of functionality with technology, at best.

In the end, the lack of technology-centered (legal) analysis significantly weakens the paper and makes its insights and recommendations largely unusable.

The need for a technology-centric legal methodology

To avoid this type of problems in much-needed legal scholarship on the impact of digital technologies on public governance, it is necessary to develop a technology-centric legal methodology. This is something I am working on, in the context of my project funded by the British Academy. I will seek to publish a draft methodology towards the end of the year. Comments and suggestions on what to take into account would be most welcome: a.sanchez-graells@bristol.ac.uk.

Part 2: authors’ response

Dear Professor,

As a first-year PhD student, being read and offered feedback, especially in the incipient phase of the research, is an amazing learning opportunity. Not all PhD students have the chance to exchange on their topic, and even more with a revered name in the doctrine of public procurement like yourself, therefore am I am very grateful for this debate (Sava).

The co-author Dragos also shares the respect and gratitude for the scholarly critique, although considers the comments rather theoretical and lacking an alternative constructive conclusion.

Concerning the need to conduct a ʻtechnology-centered legal’ research, I fully agree, and I will try to integrate more technology-centered research into the thesis.

However, being lawyers, we believe that technology-centered research does not take into account the established concepts from law and especially public procurement law, therefore an interdisciplinary perspective is needed.

Now we will address the arguments you formulated.

1) Conceptual problems

Concerning the definitions of blockchain and smart contract that you offer, we are of course familiar with them and agree with them.

We agree that blockchain-based smart-contracts could automate certain aspects of the procurement procedures, both in the award and in the execution phase. In our paper, we acknowledge the fact that ʻsmart contracts could automate any process that can be presented as an IF+THEN formula’ (p. 100-101). In this sense, like you noticed, we give the example of automating the check of the selection criteria: ‘When it comes to selection criteria, the smart contract could also perform automatic checks on the elements listed in the contract notice’ (p. 104).

However, beyond these two concepts (blockchain and smart contracts), there is a third concept, that of a ʻsmart legal contract’.

DiMatteo, L., Cannarsa, M. and Poncibò, C., in The Cambridge Handbook of Smart Contracts, Blockchain Technology and Digital Platforms (Cambridge: Cambridge University Press, 2019, p. 63) draw attention to the inadequacy of the terminology: ʻFor blockchain-based smart contracts, a useful dichotomy can be drawn between the ‘smart contract code’ that is, the computer code that is ‘– stored, verified, and executed on a blockchain and the ‘smart legal contract’ - a complement (or maybe even a substitute) for a legal contract that applies that technology. In essence, a ‘smart legal contract’ is a combination of the ‘smart contract code’ and traditional legal language.

'The LawTech panel recently decided that (...) smart contracts could still be legally binding provided that they include the typical elements of a contract.’ (https://juro.com/learn/smart-contracts, consulted on the 2nd of July 2022). Like you mention, ‘functionally, ‘smart contracts’ may or may not map onto the legal concept of contract, as a ‘smart contract’ can be a unilaterally programmed set of instructions aimed at the automation of a workflow underpinned by data held on a DLT’.

Therefore, the correct conceptual distinction would be between ʻsmart contract code’ and ʻsmart legal contract’. In the paper, we tried to focus on the smart legal contract, and discuss its compatibility with public procurement contracts. Through the conceptual distinction, we actually wanted to point out the fact that it would be difficult to imagine a smart legal contract (legally binding) exclusively in the award phase. On the other hand, concerning the ʻsmart contract code’ we agree that it could be applicable to both the award and the execution phase, although the terminology remains debatable.

2) The question of where to integrate smart contracts

We state that ʻThe best option for integrating smart contracts into the procurement procedures may be the already existing digital infrastructure, therefore on the electronic procurement platforms of the member states. We believe this would be an optimal solution, as smart contracts should enhance the current electronic procurement framework and add value to it, thus leveraging the existing system and not replacing it’ (p. 103).

Of course, we do not believe that the current system works on blockchain (in the paper we explore why this would be a difficult task), but we did discuss the integration of emerging technologies in the existing context of e-procurement tools. However, this would be an integration among the e-procurement tools, not on top of the existing tools, as adequate infrastructure would be needed.

Actually we mean exactly what you pointed out in your conclusions, so we are in agreement here: some aspects of the procedure could be automated, yet the rest of the procedure could function based on the rules already in place. By the idea of not replacing the e-procurement system, we mean automatizing some punctual aspects, but not replacing the entire system.

3) The ESPD

The idea was that smart contracts could automatically check certain documents, such as the ones referenced in the ESPD.

In our text, we only discuss the idea of a verification, we do not describe in detail how this should be performed and we do not state that the DLT should capture on its own ʻthe information required to assess the multiplicity of exclusion grounds regulated under EU law’. Of course, these documents would need to be uploaded to the DLT and the uploaded documents would have a digital form. By ‘original document’ we refer to the document per se, the reference document and not the simple declaration from the ESPD.

An analogy of this idea could be made with the Canadian ‘Supplier information registration system, which facilitates the registration of supplier information on blockchain to validate it against different records and to validate it in an automated way’ (NTT Data Presentation at EPLD Meeting, May 2022).

4) The Colombian example

We could not understand your critique here. The referenced example described a system for selecting economic operators in public procurement (for more information: https://www.weforum.org/reports/exploring-blockchain-technology-for-government-transparency-to-reduce-corruption/), which we believe is comparable with a regular e-procurement portal.

5) Conclusions

Through our analysis, we intended to raise the following question: would automating some aspects of the public procurement procedure through “smart contracts” ensure the same characteristics and guarantees as the ones offered by an e-public procurement system of an EU member state? In that case, what is the added value of “smart contracts” in public procurement? It is a research question that we will try to focus on in the future, we merely pose it here.

This paper is an exploratory and incipient one. For the moment, our goal was to raise some questions and to explore some potential paths. Apart from theoretical “what ifs”, it is hard to find specificities of assertions that new digital technologies will definitely have numerous and game-changing applications in the procurement process, as long as the procurement process is still managed unilaterally by public bodies and entertains a public law regime.

The intention is to challenge a rather theoretical assumption on the role of digital technologies in public procurement and subsequently trying to find real, practical examples or applications, if any.

In no circumstance did we state that we are formulating policy recommendations, this was misunderstood. Only after extensive research conclusions may lead to policy recommendations but we are still far from that moment.

However, we believe that in order to actually draw some conclusions on the use of such technologies in public procurement, scholars should delve in more depth into the topic, by critically assessing the current literature in the field and trying to have an interdisciplinary (legal, technological and managerial) look at the topic. As of now, the literature is too theoretical.

In other words, in our opinion, the exclusive tech-centered approach that you suggest would be equally harmful as an exclusively legal one.

Thank you for this chance of a constructive dialogue, we are looking forward to future exchange on the topic.