Procurement tools for AI regulation by contract. Not the sharpest in the shed

I continue exploring the use of public procurement as a tool of digital regulation (or ‘AI regulation by contract’ as shorthand)—ie as a mechanism to promote transparency, explainability, cyber security, ethical and legal compliance leading to trustworthiness, etc in the adoption of digital technologies by the public sector.

After analysing procurement as a regulatory actor, a new draft chapter for my book project focuses on the procedural and substantive procurement tools that could be used for AI regulation by contract, to assess their suitability for the task.

The chapter considers whether procurement could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators. The chapter stresses how the need to prevent a transfer or delegation (ie a privatisation) of regulatory decisions as a result of the operation of the procurement rules is crucial, as technology providers are the primary target in proposals to use procurement for digital regulation by contract. In this post, I summarise the main arguments and insights in the chapter. As always, any feedback will be most warmly received: a.sanchez-graells@bristol.ac.uk.

Background

A first general consideration is that using procurement as a tool of digital regulation requires high levels of digital and commercial skills to understand the technologies being procured and the processes influencing technological design and deployment (as objects of regulation), and the procurement rules themselves (as regulatory tools). Gaps in those capabilities will jeopardise the effectiveness of using procurement as a tool of AI regulation by contract, beyond the limitations and constraints deriving from the relevant legal framework. However, to assess the (abstract) potential of procurement as a regulatory tool, it is worth distinguishing between practical and legal challenges, and to focus on legal challenges that would be present at all levels of public buyer capability.

A second general consideration is that this use of procurement could be seen as either a tool of ‘command and control’ regulation, or a tool of responsive regulation. In that regard, while there can be some space for a ‘command and control’ use of procurement as a tool of digital regulation, in the absence of clear (rules-based) regulatory benchmarks and legally-established mandatory requirements, the responsive approach to the use of procurement as a tool to enforce self-regulatory mechanisms seems likely to be predominant —in the sense that procurement requirements are likely to focus on the tenderers’ commitment to sets of practices and processes seeking to deliver (to the largest possible extent) the relevant regulatory attributes by reference to (technical) standards.

For example, it is hard to imagine the imposition of an absolute requirement for a digital solution to be ‘digitally secure’. It is rather more plausible for the tender and contract to seek to bind the technology provider to practices and procedures seeking to ensure high levels of cyber security (by reference to some relevant metrics, where they are available), as well as protocols and mechanisms to anticipate and react to any (potential) security breaches. The same applies to other desirable regulatory attributes in the procured digital technologies, such as transparency or explainability—which will most likely be describable (or described) by reference to technical standards and procedures—or to general principles, such as ethical or trustworthy AI, also requiring proceduralised implementation. In this context, procurement could be seen as a tool to promote co-regulation or (responsible) self-regulation both at tenderer and industry level, eg in relation to the development of ethical or trustworthy AI.

Against this background, it is relevant to focus on whether procurement tools could effectively operationalise digital regulation goals without simply transferring regulatory decisions to economic operators—ie operating as an effective tool of (responsive) meta-regulation. The analysis below takes a cradle-to-grave approach and focuses on the tools available at the phases of tender preparation and design, tender execution, and contract design and implementation. The analysis is based on EU procurement law, but the functional insights are broadly transferable to other systems.

Tender preparation and design

A public buyer seeking to use procurement as a tool of digital regulation faces an unavoidable information asymmetry. To try to reduce it, the public buyer can engage in a preliminary market consultation to obtain information on eg different technologies or implementation possibilities, or to ‘market-test’ the level of regulatory demand that could be met by existing technology providers. However, safeguards to prevent the use of preliminary market consultations to advantage specific technology providers through eg disclosure of exchanged information, as well as the level of effort required to participate in (detailed) market consultations, raise questions as to their utility to extract information in markets where secrecy is valued (as is notoriously the case of digital technology markets—see discussions on algorithmic secrecy) and where economic operators may be disinclined (or not have the resources) to provide ‘free consultancy’. Moreover, in this setting and given the absence of clear standards or industry practices, there is a heightened risk of capture in the interaction between the public buyer and potential technology providers, with preliminary market consultations not being geared for broader public consultation facilitating the participation of non-market agents (eg NGOs or research institutions). Overall, then, preliminary market consultations may do little to reduce the public buyer’s information asymmetry, while creating significant risks of capture leading to impermissible (discriminatory) procurement practices. They are thus unlikely to operate as an adequate tool to support regulation by contract.

Relatedly, a public buyer facing uncertainty as to the existing off-the-shelf offering and the level of adaptation, innovation or co-production required to otherwise achieve the performance sought in the digital technology procurement, faces a difficult choice of procurement procedure. This is a sort of chicken and egg problem, as the less information the public buyer has, the more difficult it is to choose an adequate procedure, but the choice of the procedure has implications on the information that the public buyer can extract. While the theoretical expectation could be that the public buyer would opt for a competitive dialogue or innovation partnership, as procedures targeted at this type of procurement, evidence of EU level practice shows that public buyers have a strong preference for competitive procedures with negotiations. The use of this procedure exposes the public buyer to direct risks of commercial capture (especially where the technology provider has more resources or the upper hand in negotiations) and the safeguards foreseen in EU law (ie the setting of non-negotiable minimum requirements and award criteria) are unlikely to be effective, as public buyers have a strong incentive to avoid imposing excessively demanding minima to avoid the risk of cancellation and retendering if no technology provider is capable (or willing) to meet them.

In addition, the above risks of commercial capture can be exacerbated when technology providers make exclusivity claims over the technological solutions offered, which could unlock the use of a negotiated procedure without prior publication—on the basis of absence of competition due to technical reasons, or due to the need to protect seclusive rights, including intellectual property rights. While the legal tests to access this negotiated procedure are in principle strict, the public buyer can have the wrong incentives to push through while at the same time controlling some of the safeguarding mechanisms (eg transparency of the award, or level of detail in the relevant disclosure). Similar issues arise with the possibility to creatively structure remuneration under some of these contracts to keep them below regulatory thresholds (eg by ‘remunerating in data’).

In general, this shows that the phase of tender preparation and design is vulnerable to risks of regulatory capture that are particularly relevant when the public buyer is expected to develop a regulatory role in disciplining the behaviour of the industry it interacts with. This indicates that existing flexible mechanisms of market engagement can be a source of regulatory risk, rather than a useful set of regulatory tools.

Tender execution

A public buyer seeking to use procurement as a tool of digital regulation could do so through the two main decisions of tenderer selection and tender evaluation. The expectation is that these are areas where the public buyer can exercise elements of ‘command and control’, eg through tenderer exclusion decisions as well as by setting demanding qualitative selection thresholds, or through the setting of mandatory technical specifications and the use of award constraints.

Tenderer selection

The public buyer could take a dual approach. First, to exclude technology providers with a previous track record of activity falling short of the relevant regulatory goals. Second, to incentivise or recompense high levels of positive commitment to the regulatory goals. However, both approaches present challenges.

First, the use of exclusion grounds would require clearly setting out in the tender documentation which types of digital-governance activities are considered to amount to ‘grave professional misconduct, which renders [the technology provider’s] integrity questionable’, and to reserve the possibility to exclude on grounds of ‘poor past performance’ linked to digital regulation obligations. In the absence of generally accepted standards of conduct and industry practices, and in a context of technological uncertainty, making this type of determinations can be difficult. Especially if the previous instance of ‘untrustworthy’ behaviour is being litigated or could (partially) be attributed to the public buyer under the previous contract. Moreover, a public buyer cannot automatically rely on the findings of another one, as the current EU rules require each contracting authority to come to its own view on the reliability of the economic operator. This raises the burden of engaging with exclusion based on these grounds, which may put some public buyers off, especially if there are complex technical questions on the background. Such judgments may require a level of expertise and available resources exceeding those of the public buyer, which could eg justify seeking to rely on third party certification instead.

Relatedly, it will be difficult to administer such tenderer screening to systems through the creation of lists of approved contractors or third-party certification (or equivalent mechanisms, such as dynamic purchasing systems administered by a central purchasing body, or quality assurance certification). In all cases, the practical difficulty will be that the public buyer will either see its regulatory function conditioned or precluded by the (commercially determined) standards underlying third-party certification, or face a significant burden if it seeks to directly scrutinise economic operators otherwise. The regulatory burden will to some extent be unavoidable because all the above-mentioned mechanisms foresee that (in some circumstances) economic operators that do not have access to the relevant certification or are under no obligation to register in the relevant list must be given the opportunity to demonstrate that they meet the relevant (substantive) qualitative selection criteria by other (equivalent) means.

There will also be additional challenges in ensuring that the relevant vetting of economic operators is properly applied where the digital technology solution relies on a long (technical) supply chain or assemblage, without this necessarily involving any (formal) relationship or subcontracting between the technology provider to be contracted and the developers of parts of the technical assemblage. This points at the significant burden that the public buyer may have to overcome in seeking to use qualitative selection rules to ‘weed out’ technology providers which (general, or past) behaviour is not aligned with the overarching regulatory goals.

Second, a more proactive approach that sought to go beyond exclusion or third-party certification to eg promote adherence to voluntary codes of conduct, or to require technology providers to justify how they eg generally ‘contribute to the development and deployment of trustworthy digital technologies’, would also face significant difficulties. Such requirements could be seen as unjustified and/or disproportionate, leading to an infringement of EU procurement law. They could also be altogether pre-empted by future legislation, such as the proposed EU AI Act.

Tender evaluation

As mentioned above, the possibility of setting demanding technical specifications and minimum requirements for tender evaluation through award constraints in principle seem like suitable tools of digital regulation. The public buyer could focus on the technical solutions and embedding the desired regulatory attributes (eg transparency, explainability, cyber security) and regulatory checks (on data and technology governance, eg in relation to open source code or interoperability, as well as in relation to ethical assessments) in the technical specifications. Award criteria could generate (further) incentives for regulatory performance, perhaps beyond the minimum mandatory baseline. However, this is far from uncomplicated.

The primary difficulty in using technical specifications as a regulatory tool relates to the challenge of clearly specifying the desired regulatory attributes. Some or most of the desired technological attributes are difficult to observe or measure, the processes leading to their promotion are not easy to establish, the outcomes of those processes are not binary and determining whether a requirement has been met cannot be subject to strict rules, but rather to (yet to be developed) technical standards with an unavoidable degree of indefinition, which may also be susceptible of iterative application in eg agile methods, and thus difficult to evaluate at tender stage. Moreover, the desired attributes can be in conflict between themselves and/or with the main functional specifications for the digital technology deployment (eg the increasingly clear unavoidable trade-off between explainability and accuracy in some AI technologies). This issue of the definitional difficulties and the incommensurability of some or most of the regulatory goals also relates to the difficulty of establishing minimum technical requirements as an award constraint—eg to require that no contract is awarded unless the tender reaches a specific threshold in the technical evaluation in relation to all or selected requirements (eg explainability). While imposing minimum technical requirements is permitted, it is difficult to design a mechanism to quantify or objectify the evaluation of some of the desired technological attributes, which will necessarily require a complex assessment. Such assessment cannot be conducted in such a way that the public buyer has an unrestricted freedom of choice, which will require clarifying the criteria and the relevant thresholds that would justify rejecting the tender. This could become a significant sticking point.

Designing technical specifications to capture whether a digital technology is ‘ethical’ or ‘trustworthy’ seems particularly challenging. These are meta-attributes or characteristics that refer to a rather broad set of principles in the design of the technology, but also of its specific deployment, and tend to proceduralise the taking into account of relevant considerations (eg which impact will the deployment have on the population affected). Additionally, in some respects, the extent to which a technological deployment will be ethical or trustworthy is out of the hands of the technology provider (eg may depend on decisions of the entity adopting the technology, eg on how it is used), and in some aspects it depends on specific decisions and choices made during contract implementation. This could make it impossible to verify at the point of the tender whether the end result will or not meet the relevant requirements—while including requirements that cannot be effectively verified prior to award would most likely breach current legal limits.

A final relevant consideration is that technical specifications cannot be imposed in a prescriptive manner, with technology providers having to be allowed to demonstrate compliance by equivalence. This limits the potential prescriptiveness of the technical specifications that can be developed by the public buyer, at least in relation to some of the desired technological attributes, which will always be constrained by their nature of standards rather than rules (or metrics) and the duty to consider equivalent modes of compliance. This erodes the practical scope of using technical specifications as regulatory instruments.

Relatedly, the difficulties in using award criteria to pursue regulatory goals stem from difficulties in the operationalisation of qualitative criteria in practice. First, there is a set of requirements on the formulation of award criteria that seek to avoid situations of unrestricted freedom of choice for the public buyer. The requirements tend to require a high level of objectivity, including in the structuring of award criteria of a subjective nature. In that regard, in order to guarantee an objective comparison and to eliminate the risk of arbitrary treatment, recent case law has been clear that award criteria intended to measure the quality of the tenders must be accompanied by indications which allow a sufficiently concrete comparative assessment between tenders, especially where the quality carries most of the points that may be allocated for the purposes of awarding the tender.

In part, the problem stems from the absence of clear standards or benchmarks to be followed in such an assessment, as well as the need to ensure the possibility of alternative compliance (eg with labels). This can be seen, for example, in relation to explainability. It would not suffice to establish that the solutions need to be explainable or to use explainability as an award criterion without more. It would be necessary to establish sub-criteria, such as eg ‘the solution needs to ensure that an individualised explanation for every output is generated’ (ie requiring local explainability rather than general explainability of the model). This would still need to be further specified, as to what type of explanation and containing which information, etc. The difficulty is that there are multiple approaches to local explainability and that most of them are contested, as is the general approach to post hoc explanations in itself. This puts the public buyer in the position of having to solve complex technical and other principled issues in relation to this award criterion alone. In the absence of standard methodologies, this is a tall order that can well make the procedure inviable or not used (with clear parallels to eg the low uptake of life-cycle costing approaches). However, the development of such methodologies parallels the issues concerning the development of technical standards. Once more, when such standards, benchmarks or methodologies emerge, reliance on them can thus (re)introduce risks of commercial determination, depending on how they are set.

Contract design and implementation

Given the difficulties in using qualitative selection, technical specifications and award criteria to embed regulatory requirements, it is possible that they are pushed to to the design of the contract and, in particular, to their treatment as contract performance conditions, in particular to create procedural obligations seeking to maximise attainment of the relevant regulatory goals during contract implementation (eg to create specific obligations to test, audit or upgrade the technological solution in relation to specific regulatory goals, with cyber security being a relatively straightforward one), or to pass on, ‘back-to-back’, mandatory obligations where they result from legislation (eg to impose transparency obligations, along the lines of the model standard clauses for AI procurement being developed at EU level).

In addition to the difficulty inherent in designing the relevant mechanisms of contractualised governance, a relevant limitation of this approach to embedding (self-standing) regulatory requirements in contract compliance clauses is that recent case law has made clear that ‘compliance with the conditions for the performance of a contract is not to be assessed when a contract is awarded’. Therefore, at award stage, all that can be asked is for technology providers to commit to such requirements as (future) contractual obligations—which creates the risk of awarding the contract to the best liar.

More generally, the effectiveness of contract performance clauses will depend on the contractual remedies attached to them and, in relation to some of the desirable attributes of the technologies, it can well be that there are no adequate contractual remedies or that the potential damages are disproportionate to the value of the contract. There will be difficulties in their use where obligations can be difficult to specify, where negative outputs and effects are difficult to observe or can only be observed with delay, and where contractual remedies are inadequate. It should be stressed that the embedding of regulatory requirements as contract performance clauses can have the effect of converting non-compliance into (mere) money claims against the technology provider. And, additionally, that contractual termination can be complicated or require a significant delay where the technological deployment has created operational dependency that cannot be mitigated in the short or medium term. This does not seem necessarily aligned with the regulatory gatekeeping role expected of procurement, as it can be difficult to create the adequate financial incentives to promote compliance with the overarching regulatory goals in this way—by contrast with, for example, the possibility of sanctions imposed by an independent regulator.

Conclusion

The analysis has stressed those areas where the existing rules prevent the imposition of rigid regulatory requirements or demands for compliance with pre-specified standards (to the exclusion of alternative ones), and those areas where the flexibility of the rules generates heightened risks of regulatory capture and commercial determination of the regulatory standards. Overall, this shows that it is either not easy or at all possible to use procurement tools to embed regulatory requirements in the tender procedure and in public contracts, or that those tools are highly likely to end up being a conduit for the direct or indirect application of commercially determined standards and industry practices.

This supports the claim that using procurement for digital regulation purposes will either be highly ineffective or, counterintuitively, put the public buyer in a position of rule-taker rather than rule-setter and market-shaper—or perhaps both. In the absence of non-industry led standards and requirements formulated eg by an independent regulator, on which procurement tools could be leveraged, each public buyer would either have to discharge a high (and possibly excessive) regulatory burden, or be exposed to commercial capture. This provides the basis for an alternative approach. The next step in the research project will thus be to focus on such mandatory requirements as part of a broader proposal for external oversight of the adoption of digital technologies by the public sector.

Procurement conferences & webinars: dates for the diary

Before your agenda fills up for the coming Spring and Summer, consider putting the following dates on your diary. These are all events where I will be participating. It would be lovely to have a chance to meet (again).

25-26 April 2023 - Public Procurement Conference – Centralization and new trends. Organised by Prof Carina Risvig Hamer and held at the Law Faculty of the University of Copenhagen. It promises to provide two full days of discussions on emerging and challenging procurement governance issues.

27 April 2023 - PhD Conference in Public Procurement & Competition Law. Also organised by Prof Carina Risvig Hamer and Magdalena Socha, and held at the Law Faculty of the University of Copenhagen. A good opportunity for PhD students to present work-in-progress and receive feedback, and for everyone to have a grasp of where emerging research is leading.

23 May 2023 - Can Procurement Be Used to Effectively Regulate AI? [Webinar online] 2pm UK / 3pm CET / 9am EST. This will be a panel discussion co-organised by the University of Bristol Law School and The George Washington University Law School, as part of my current research project on digital technologies and procurement governance [further details to be announced soon].

4 July 2023 - AI and Public Governance Commercialisation: What Role for Public Procurement? [Public lecture, in person]. Bristol, UK 2pm (followed by coffee and cake reception). This will be a lecture to mark the end of my research project, where I will pick out some of the main themes and findings [recording available online thereafter].

Micro-purchases as political football? -- some thoughts on the UK's GPC files and needed regulatory reform

The issue of public micro-purchases has just gained political salience in the UK. The opposition Labour party has launched a dedicated website and an aggressive media campaign calling citizens to scrutinise the use of government procurement cards (GPCs). The analysis revealed so far and the political spin being put on it question the current government’s wastefulness and whether ‘lavish’ GPC expenses are adequate and commensurate with the cost of living crisis and other social pressures. Whether this will yield the political results Labour hopes for is anybody’s guess (I am sceptical), but this is an opportunity to revisit GPC regulation and to action long-standing National Audit Office recommendations on transparency and controls, as well as to reconsider the interaction between GPCs and procurement vehicles based on data analysis. The political football around the frugality expected of a government in times of economic crisis should not obscure the clear need to strengthen GPC regulation in the UK.

Background

GPCs are debit or credit cards that allow government officials to pay vendors directly. In the UK, their issue is facilitated by a framework agreement run by the Crown Commercial Service. These cards are presented as a means to accelerate payment to public vendors (see eg current UK policy). However, their regulatory importance goes beyond their providing an (agile) means of payment, as they generate the risk of public purchases bypassing procurement procedures. If a public official can simply interact with a vendor of their choice and ‘put it on the card’, this can be a way to funnel public funds and engage with direct awards outside procurement procedures. There is thus a clear difference between the use of GPCs within procurement transactions (eg to pay for call-offs within a pre-existing framework agreement) and their use instead of procurement transactions (eg a public official buying something off your preferred online retailer and paying with a card).

Uses within procurement seem rather uncontroversial and the specific mechanism used to pay invoices should be driven by administrative efficiency considerations. There are also good reasons for (some) government officials to hold a GPC to cover the types of expenses that are difficult to procure (eg those linked to foreign travel, or unavoidably ‘spontaneous’ expenses, such as those relating to hospitality). In those cases, GPCs substitute for either the need to provide officials with cash advances (and thus create much sounder mechanisms to control the expenditure, as well as avoiding the circulation of cash with its own corruption and other risks), or to force them to pay in advance from their private pockets and then claim reimbursement (which can put many a public sector worker in financial difficulties, as eg academics know all too well).

The crucial issue then becomes how to control the expenditure under the GPCs and how to impose limits that prevent the bypassing of procurement rules and existing mechanisms. From this perspective, procurement cards are not a new phenomenon at all, and the challenges they pose from a procurement and government contracting perspective have long been understood and discussed—see eg Steven L Schooner and Neil S Whiteman, ‘Purchase Cards and Micro-Purchases: Sacrificing Traditional United States Procurement Policies at the Alter of Efficiency’ (2000) 9 Public Procurement Law Review 148. The UK’s National Audit Office (NAO) also carried out an in-depth investigation and published a report on the issue in 2012.

The regulatory and academic recommendations seeking to ensure probity and value for money in the use of GPCs as a (procurement) mechanism generally address three issues: (1) limits on expenditure, (2) (internal) expenditure control, and (3) expenditure transparency. I would add a fourth issue, which relates to (4) bypassing existing (or easy to set up) procurement frameworks. It is worth noting that the GPC files report provides useful information on each of these issues, all of which requires rethinking in the context of the UK’s current process of reforming procurement law.

Expenditure limits

The GPC files show how there are three relevant value thresholds: the threshold triggering expenditure transparency (currently £500), the maximum single transaction limit (currently £20,000, which raised the pre-pandemic £10,000), and the maximum monthly expenditure (currently £100,000, which raised the pre-pandemic limits if they were lower). It is worth assessing these limits from the perspective of their interaction with procurement rules, as well as broader considerations.

The first consideration is that the £500 threshold triggering expenditure transparency has remained fixed since 2011. Given a cumulative inflation of close to 30% in the period 2011-2022, this means that the threshold has constantly been lower in comparative purchase parity. This should make us reconsider the relevance of some of the findings in the GPC files. Eg the fact that, within its scope, there were ‘65,824 transactions above £500 in 2021, compared to 35,335 in 2010-11’ is not very helpful. This raises questions on the adequacy of having a (fixed) threshold below which expenditure is not published. While the NAO was reluctant to recommend full transparency in 2011, it seems that the administrative burden of providing such transparency has massively lowered in the intervening period, so this may be the time to scrape the transparency threshold. As below, however, this does not mean that the information should be immediately published in open data (as below).

The single transaction limit is the one with the most relevance from a procurement perspective. If a public official can use a GPC for a value exceeding the threshold of regulated procurement, then the rules are not well aligned and there is a clear regulatory risk. Under current UK law, central government contracts with a value above £12,000 must be advertised. This would be kept as the general rule in the Procurement Bill (clause 86(4)), unless there are further amendments prior to its entry into force. This evidences a clear regulatory risk of bypassing procurement (advertising) obligations through GPC use. The single transaction limit should be brought back to pre-pandemic levels (£10,000) or, at least, to the value threshold triggering procurement obligations (£12,000).

The maximum monthly expenditure should be reassessed from an (internal) control perspective (as below), but the need to ensure that GPCs cannot be used to fraction (above threshold) direct awards over short periods of time should also be taken into consideration. From that perspective, ensuring that a card holder cannot spend more than eg £138,760 in a given category of goods or services per month (which is the relevant threshold under both current rules and the foreseen Procurement Bill). Current data analytics in basic banking applications should facilitate such classification and limitation.

(internal) expenditure controls

The GPC files raise questions not only on the robustness of internal controls, but also on the accounting underpinning them (see pp 11-12). Most importantly, there seems to be no meaningful internal post-expenditure control to check for accounting problems or suspected fraudulent use, or no willingness to disclose how any such mechanisms operate. This creates expenditure control opacity that can point to a big governance gap. Expenditure controls should not only apply at the point of deciding who to authorise to hold and use a GPC and up to which expenditure limit, but also (and perhaps more importantly), to how expenditure is being carried out. From a regulatory theory perspective, it is very clear that the use of GPCs is framed under an agency relationship and it is very important to continuously signal to the agent that the principal is monitoring the use of the card and that there are serious (criminal) consequences to misuse. As things stand, it seems that ex post internal controls may operate in some departments (eg those that report recovery for inappropriately used funds) but not (effectively) in others. This requires urgent review of the mechanisms of pre- and post-expenditure control. An update of the 2012 NAO report seems necessary.

Expenditure transparency

The GPC files (pp 10-11) show clear problems in the implementation of the policy of disclosing all expenditure in transactions exceeding £500, which should be published published monthly, 2 months in arrears, despite (relatively clear) guidance to that effect. In addition to facilitating the suppression of the transparency threshold, developments in the collection and publication of open data should also facilitate the rollout of a clear plan to ensure effective publication without the gaps identified in the GPC files (and other problems in practice). However, this is also a good time to carefully consider the purpose of these publications and the need to harmonise them with the publication of other procurement information.

There are conflicting issues at hand. First, the current policy of publishing 2 months in arrears does not seem justified in relation to some qualified users of that information, such as those with an oversight role (or fraud investigation powers). Second, in relation to the general public, publication in full of all details may not be adequate within that time period in some cases, and the publication of some information may not be appropriate at all. There are, of course, intermediate situations, such as data access for journalists of research academics. In relation to this data, as well as all procurement data, this is an opportunity to create a sophisticated data-management architecture that can handle of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions (see here and here).

bypassing procurement frameworks

A final consideration is that the GPC files evidence a risk that GPCs may be used in ways that bypass existing procurement frameworks, or in ways that would require setting up new frameworks (or other types of procurement vehicle, such as dynamic purchasing systems). The use of GPCs to buy goods off Amazon is the clearest example (see pp 24-25), as there is nothing in the functioning of Amazon that could not be replicated through pre-procured frameworks supported by electronic catalogues. In that regard, GPC data should be used to establish the (administrative) efficiency of creating (new) frameworks and to inform product (and service) selection for inclusion therein. There should also be a clear prohibition of using GPCs outside existing frameworks unless better value for money for identical products can be documented, in which case this should also be reported to the entity running the relevant framework (presumably, the Crown Commercial Service) for review.

Conclusion

In addition to discussions about the type and level of expenditure that (high-raking) public officials should be authorised to incur as a political and policy matter, there is clearly a need and opportunity to engage in serious discussions on the tightening of the regulation of GPCs in the UK, and these should be coordinated with the passage of the Procurement Bill through the House of Commons. I have identified the following areas for action:

  • Suppression of the value threshold triggering transparency of specific transactions, so that all transactions are subjected to reporting.

  • Coordination of the single transaction threshold with that triggering procurement obligations for central government (which is to also apply to local and other contracting authorities).

  • Coordination of the maximum monthly spend limit with the threshold for international advertising of contract opportunities, so that no public official can spend more than the relevant amount in a given category of goods or services per month.

  • Launch of a new investigation and report by NAO on the existing mechanisms of pre- and post-expenditure control.

  • Creation of a sophisticated data-management architecture that can handle of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions. This needs to be in parallel or jointly with proposals under the Procurement Bill.

  • There should also be a clear prohibition of using GPCs outside existing frameworks unless better value for money for identical products can be documented. GPC data should be used to inform the creation and management of procurement frameworks and other commercial vehicles.

Regulating public and private interactions in public sector digitalisation through procurement

© Kenneth Hagemeyer.

As discussed in previous entries in this blog (see here, here, here, here or here), public procurement is progressively being erected as the gatekeeper of the public interest in the process of digital technology adoption by the public sector, and thus positioned as digital technology regulator—especially in the EU and UK context.

In this gatekeeping role, procurement is expected to ensure that the public sector only acquires and adopts trustworthy technologies, and that (private) technology providers adhere to adequate technical, legal, and ethical standards to ensure that this is the case. Procurement is also expected to operate as a lever for the propagation of (soft) regulatory tools, such as independently set technical standards or codes of conduct, to promote their adoption and harness market dynamics to generate effects beyond the public sector (ie market-shaping). Even further, where such standards are not readily available or independently set, the procurement function is expected to formulate specific (contractual) requirements to ensure compliance with the overarching regulatory goals identified at higher levels of policymaking. The procurement function is thus expected to leverage the design of public tenders and public contracts as tools of digital technology regulation to plug the regulatory gap resulting from the absence of binding (legal) requirements. This is a tall order.

Analysing this gatekeeping role and whether procurement can adequately perform it is the focus of the last part of my current research project. In this latest draft book chapter, I focus on an analysis of the procurement function as a regulatory actor. The following chapter will focus on an analysis of procurement rules on the design of tender procedures and some elements of contractual design as regulatory tools. Combined, the analyses will shed light on the unsuitability of procurement to carry out this gatekeeping role in the absence of minimum mandatory requirements and external oversight, which will also be explored in detail in later chapters. This draft book chapter is giving me a bit of a hard time and some of the ideas there are still slightly tentative, so I would more than ever welcome any and all feedback.

In ‘Regulating public and private interactions in public sector digitalisation through procurement: the clash between agency and gatekeeping logics’, my main argument is that the proposals to leverage procurement to regulate public sector digitalisation, which seek to use public sector market power and its gatekeeping role to enforce standards of technological regulation by embedding them in public contracts, are bound to generate significant dysfunction due to a break in regulatory logic. That regulatory logic results from an analysis of the procurement function from an agency theory and a gatekeeping theory perspective, which in my view evidence the impossibility for procurement to carry out conflicting roles. To support this claim, I explore: 1) the position of the procurement function amongst the public and private actors involved in public sector digitalisation; 2) the governance implications of the procurement function’s institutional embeddedness; and 3) the likely (in)effectiveness of public contracts in disciplining private and public behaviour, as well as behaviour that is mutually influenced or coproduced by public and private actors during the execution of public contracts.

My analysis finds that, in the regulation of public-private interactions, the regulatory logic underpinning procurement is premised on the existence of a vertical relationship between the public buyer and (potential) technology providers and an expectation of superiority of the public buyer, which is thus (expected to be) able to dictate the terms of the market interaction (through tender requirements), to operate as gatekeeper (eg by excluding potential providers that fall short of pre-specified standards), and to dictate the terms of the future contract (eg through contract performance clauses with a regulatory component). This regulatory logic hits obvious limitations when the public buyer faces potential providers with market power, an insufficient offer of (regulated) goods and services, or significant information asymmetries, which result in a potential ‘weak public buyer’ problem. Such problem has generally been tried to be addressed through procurement centralisation and upskilling of the (centralised) procurement workforce, but those measures create additional governance challenges (especially centralisation) and are unlikely to completely re-establish the balance of power required for the effective regulation by contract of public sector digitalisation, as far as the provider side is concerned.

Parking the ‘weak public buyer’ problem, my analysis then focuses on the regulation of public-public interactions between the adopting public sector entity and the procurement function. I separate them for the purposes of the analysis, to point out that at theoretical level, there is a tension between the expectations of agency and gatekeeping theories in this context. While both of them conceptualise the relationship as vertical, they operate on an opposite understanding of who holds a predominant position. Under agency theory, the public buyer is the agent and thus subject to the instructions of the public entity that will ultimately adopt the digital technology. Conversely, under gatekeeping theory, the public buyer is the (independent) guarantor of a set of goals or attributes in public sector digitalisation projects and is thus tasked with ensuring compliance therewith. This would place the public buyer in a position of (functional) superiority, in that it would (be expected to) be able to dictate (some of) the terms of the technological adoption. This conflict in regulatory logics creates a structural conflict of interest for the procurement function as both agent and gatekeeper.

The analysis then focuses on how the institutional embeddedness of procurement exacerbates this problem. Where the procurement function is embedded in the same administrative unit or entity that is seeking to adopt the technology, it is subjected to hierarchical governance and thus lacks the independence required to carry out the gatekeeping role. Similarly, where the procurement function is separate (eg in the case of centralised or collaborative procurement), in the absence of mandatory requirements (eg to use the centralised procurement vehicle), the adopting public entity retains discretion whether to subject itself to the (gatekeeper) procurement function or to carry out its own procurement. Moreover, even when it uses centralised procurement vehicles, it tends to retain discretion (eg on the terms of mini-competitions or for the negotiation of some contractual clauses), which also erodes the position of the procurement function to effectively carry out its gatekeeping role.

On the whole, the procurement function is not in a good position to discipline the behaviour of the adopting public entity and this creates another major obstacle to the effectiveness of the proposed approach to the regulation by contract of public sector digitalisation. This is exacerbated by the fact that the adopting public entity will be the principal of the regulatory contract with the (chosen) technology provider, which means that the contractual mechanisms designed to enforce regulatory goals will be left to interpretation and enforcement by those actors whose behaviour it seeks to govern.

In such decentred interactions, procurement lacks any meaningful means to challenge deviations from the contract that are in the mutual interest of both the adopting entity and the technology provider. The emerging approach to regulation by contract cannot properly function where the adopting public entity is not entirely committed to maximising the goals of digital regulation that are meant to be enforced by contract, and where the public contractor has a concurring interest in deviating from those goals by reducing the level of demand of the relevant contractual clauses. In the setting of digital technology regulation, this seems a likely common case, especially if we consider that the main regulatory goals (eg explainability, trustworthiness) are open-ended and thus the question is not whether the goals in themselves are embraced in abstracto by the adopting entity and the technology provider, but the extent to which effective (and costly or limiting) measures are put in place to maximise the realisation of such goals. In this context, (relational) contracts seem inadequate to prevent behaviour (eg shirking) that is the mutual interest of the contractual parties.

This generates what I label as a ‘two-sided gatekeeping’ challenge. This challenge encapsulates the difficulties for the procurement function to effectively influence regulatory outcomes where it needs to discipline both the behaviour of technology providers and adopting entities, and where contract implementation depends on the decentred interaction of those two agents with the procurement function as a (toothless) bystander.

Overall, then, the analysis shows that agency and gatekeeping theory point towards a disfunction in the leveraging of procurement to regulate public sector digitalisation by contract. There are two main points of tension or rupture with the regulatory logic. First, the regulatory approach cannot effectively operate in the absence of a clear set of mandatory requirements to bind the discretion of the procurement function during the tendering and contract formation phase, as well as the discretion of the adopting public entity during contract implementation phase, and which are also enforceable on the technology provider regardless of the terms of the contract. Second, the regulatory approach cannot effectively operate in the absence of an independent actor capable of enforcing those standards and monitoring continuous compliance during the lifecycle of technological adoption and use by the public sector entity. As things stand, the procurement function is affected by structural and irresolvable conflicts between its overlaid roles. Moreover, even if the procurement function was not caught by the conflicting logics and requirements of agency and gatekeeping (eg as a result of the adoption of the mandatory requirements mentioned above), it would still not be in an adequate position to monitor and discipline the behaviour of the adopting public entity—and, relatedly, of the technology provider—after the conclusion of the procurement phase.

The regulatory analysis thus points to the need to discharge the procurement function from its newest gatekeeping role, to realign it with agency theory as appropriate. This would require both the enactment of mandatory requirements and the subjection to external oversight of the process of technological adoption by the public sector. This same conclusion will be further supported by an analysis of the limitations of procurement law to effectively operate as a regulatory tool, which will be the focus of the next chapter in the book.