Sweden leaks secret intranet and databases to Russia

This is about a week old, but a pretty big deal. What a monumental screw up:

The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM’s subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union’s secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.

That the procurement procedure did not take into account how to handle classified data (let alone the bog standard data protection rules) is beyond comprehension. Well, not really: it is another piece of evidence that even supposedly capable procurement bodies do not understand technology or the implications arising from their choices. Let alone how to deal with the risks arising from the contract.

New comparative report on separate operational units is out

Kirsi-Maria Halonen has written an excellent report for the Swedish Competition Authority on the the issue of separate operational units and how they work in different jurisdictions:

In Swedish legal literature the definitions of contracting authorities and separate operational units have often been misunderstood to be synonyms. It has been submitted that in the context of public procurement rules these separate operational units would also be separate contracting authorities. This approach seems to be contradictory to the European Commission’s views as well as views presented in the Swedish legislative proposal (Prop. 2015/16:195). According to the above- mentioned Commission’s policy guidelines the separate operational units are part of a contracting entity, not contracting entities as such. In addition, the wording of Art. 5 (2) of Directive 2014/24 clearly states that units are not contracting authorities but rather a part of it.

A difference between the concepts of a contracting authority and of a separate operational unit should be made - aggregation rules apply within the same contracting authority, but not among different contracting authorities unless such contracting authorities have decided to run a joint contract award procedure.

Full report available for download here.

Some comments to Arrowsmith's Brexit whitepaper

Prof. Sue Arrowsmith put out a whitepaper on the implications of Brexit for the UK's procurement rules. Albert has already provided a general comment on some important issues raised by the paper, such as the feasibility of a completely new procurement legal regime and what could be the transitional arrangements. 

There is not much to add to the first part of the paper - the EEA option is pretty much 'business as usual.' I suspect that EEA or no EEA option, not much will change at regulatory level for the next few years - there are too many sunken costs on the current system to warrant a wholesale change just for the sake of change. As such I will focus my commentary in other topics instead.


1. The GPA option 

While I agree with the view that the UK would find itself out of the GPA the possibility of speedy re-entry into the agreement is certainly possible as argued by Arrowsmith, it is by no means a given. In a scenario where the UK is negotiating multiple trade deals at the same time any other State will use whatever leverage it can over the UK to achieve concessions elsewhere. Access to the procurement markets within the GPA may well be thrown into the mix of the negotiations, if only because it devalues the commitments made by a UK-less EU. At this stage we should not take for granted that re-joining the GPA will be a 'walk in the park' and to that end I would recommend the sage commentary by Jean Heilman Grier on this topic. As she mentions, the UK would have to negotiate first with the EU the terms of its arrangement and only then the GPA's accession. This could leave the UK with a potentially long GPA-less transitional period.


2. Transition period

Arrowsmith suggests that for a transition period '[a] sensible and likely interim solution would, therefore, be to retain the award procedures of the regulations in place, but without provision for enforcement by non-domestic suppliers, pending eventual confirmation, modification/replacement or total repeal of the regulations [...].' I agree with the overall view that the UK must have a tat-for-tat approach to the negotiations (as do the other Member States) to protect its own interests. In this I disagree with Albert's view as restricting access to procurement markets if temporarily is a way to gain some negotiation leverage which I accept is a price to pay in that period.

Having said that I am not entirely sure about the actual suggestion made: i) is it EU/EEA economic operators are entitled to take part in procurement procedures but cannot enforce the rules - as it currently happens with foreign economic operators; or ii) is it that they simply are barred from taking part in procurement procedures? I can understand the second (although retribution would be certain) but cannot understand the first. What would be the point of having economic operators taking part in the procedure only for them not to be able to enforce the rules? Plus, if awarded the contract would they also be barred from enforcing the contract terms under English contract law?


3. The Freedom option

In addition, Arrowsmith suggests that '[...]Brexit would see the UK throw off the shackles of EU procurement law, leaving it free to design its own system.' In other words, the UK could finally design its own procurement legal system as it sees fit. While Arrowmsith's preference for a more simpler, single system based off the Utilities Directive are not new, as is a preference for higher thresholds, but describing current EU rules as shackles that need to be thrown off appears to be. Especially if we agree with Arrowsmith's view that Member States have a wide range of discretion in transposing Directives into their national legal systems. As other Member States have used such discretion (sometimes to the point beyond discretion in my view) why has the UK not done so?

After all it is the UK's Government approach to transpose Directives (in general) with a copy out approach and with as few options as possible, thus leaving scope for national/regional rules to be created. The responsibility such national/regional rules are not created in the first place can only be attributed to the respective Government(s). If Portugal, Spain, Italy, Denmark have detailed rules crafted for their own realities, why doesn't the UK do the same? I am not positing those are great legal systems, but at least in those countries lawmakers have made use of their powers in transposition to adapt Directives to the national setting. In short: it can be done.

So, even with a (possible) wide discretion, the UK Government has not opted to implement its own national rules, with the exception of the baby steps taken with contracts below thresholds - where it could regulate them at will as it would not be transposing any Directive. On the other hand, as recognised by Arrowsmith the Scottish Government has taken the opportunity to create its own 'regional' procurement regime in addition to the narrow transposition of the appropriate Directives. However, as correctly pointed out by Arrowsmith, the downside of this freedom to legislate at regional level is an increase in 'regional differences'. These, in my view and based on my own experience, will amount to protectionist measures designed to keep out 'foreign' economic operators, ie those based in another UK region. Therefore, I fear it is much more likely we would end up with a patchwork of regional systems than with the simpler, more efficient system Arrowsmith would like to have.

Finally, as for the simpler, more efficient system that could be designed outside of the EU shackles (setting aside the fact it can be designed inside/below them) it would seem our starting positions are on polar opposites. Arrowsmith appears to prefer a system with more discretion given to the contracting authority and fewer rules, so they can design whatever procedure they might want in compliance with a set of limited principles. I am the first to recognise the current rules limit truly great procurement, but they do so as a trade off - not to shackle the top 1% of contracting authorities (or procurement officers) but as a way to provide enough detail so that all contracting authorities can use them. That does not mean they cannot be improved, but it is important to recognise this trade off. And I will take a set of detailed rules that avoid really bad procurement (or try to) for most people, most of the time over ones which only suit the top 1%. 

There are other downsides to a simpler, less prescriptive system. For example, compliance costs would go up for the economic operators - instead of learning one set of rules/procedures, they would have to analyse the specific rules of every single procurement procedure as even within each contracting authority different departments/officers may prefer to do those things differently. Again, I prefer standardisation as a means to reduce transaction costs overall than the discretion to tweak each procedure to suit the contracting authority.    

In addition, if we look at the contracts below-thresholds, where such simpler approach would make more sense and where currently there are no legal restrictions, why are we currently not seeing great practice being developed? Other than the pilots I ran in Wales a few years ago and the excellent work being done by the Government Digital Service and the Digital Marketplace, are there any other examples we should be looking at? Is it not surprising that the most common practice below thresholds for a long time was a preference by contracting authorities to either just use the restricted procedure with all the transaction costs it entailed or going for non-transparent request for quotes - as those were the reality overworked procurement officers knew. Sticking to the tried and tested approach is always the default even if a careful consideration would say otherwise when there is no time or incentive to carry out such consideration. In essence, these default approaches explain why Central Government contracting authorities are under the obligation of advertising contracts above £10,000 and the baby steps to regulate contracts below-thresholds in the Public Contracts Regulations 2015.

In conclusion, even if possible, I fear a simplified, looser regulatory system would leave most stakeholders (contracting authorities, economic operators) worse off most of the time. While it could (theoretically) facilitate great practice in some instances, my experience in practice leads me to a bearish view on the overall merits of such a regime.  


4. Remedies

A final short word on remedies.  Arrowsmith is of the opinion that the current remedies system is 'burdensome.' As such, a freedom option should also consider a review of the current remedies system '[...] that offers a better balance between the costs and benefits of legal enforcement [...].' This point is particularly interesting as on p.13 Arrowsmith correctly highlights one of the problems of the current remedies system to be the UK's preference for the High Court. This is very true but, once more, it is not really the EU legal system fault's for the UK's design of its remedies system. Even within the EU legal framework it is possible to think different.

If we look at Sweden we see a competition authority with strong powers in this are. Denmark also has its own competition authority and the Procurement Boards which deal specifically with procurement matters. After a couple of run ins with the Court of Justice Spain has today a fast, efficient and cheap (for the time being) system of procurement tribunals. In Portugal, as the administrative courts are clogged up with procurement disputes the draft Public Contracts Code explictly accepts the parties may recur to arbitration instead. 

Outside the EU we can find another system which I find very appealing and would probably fit within the current rules: Canada and its Procurement Ombudsman.  Here's an interview with the then Ombudsman Frank Brunetta about his office's work. It is not hard to conceive a scenario where the current Mystery Shopper Service would be transformed into a true Ombudsman-type service with stronger powers than today. Again, this would be perfectly possible within the current rules.


5. Conclusion

In conclusion, I agree with Albert's view that most of the debate we can have at the moment is theoretical. Nonetheless, there is a value in having these discussions as they can influence decisions taken down the line. Having said that, I would like to see the same interest and energy in debating how we can improve practice (and national/regional rules) within the current legal framework. It is likely it will stay mostly unchanged for a good while and there is the odd chance they will actually not change at all. 







Links I Liked [Public Procurement]

1. New podcast available, this time with Mihaly Fazekas from the University of Cambridge. Great talk about corruption in public procurement and new strategies on how to detect it.

2. Albert wrote an excellent post on the risks of central contracts registries. Sitting on the other sited of the argument I fundamentally disagree with his premise, but he raises important points that need to be taken into account when designing these systems. We need to be aware of the trade offs imposed by contract registries. Hopefully I will have the time this week to lay down the arguments for the opposite position.

3. Netherlands wants to replace OpenXML (Microsoft standard) with ODF (open source document standard). It will be interesting to see how this one pans out. ODF is an unencumbered open source standard that Microsoft keeps not supporting well on Microsoft Office.

4. Sweden tightens procurement labour rules (allegedly). Andrea Sundstrand who I interviewed for the PPP a while back says there is nothing new in here.

5. David Cameron promises fresh shakeup of public services. We'll see how this ends.

Notes from conference on Framework Agreements

Aarhus City Hall

Aarhus City Hall

As promised last week, the Conference on Framework Agreements organised by my good friend Dr. Marta Andrecka at the University of Aarhus, produced some interesting food for thought. Personally, I am very much a fan of small conferences with a limited number delegates (20-40) talking about a specific topic. Nothing like getting a few people from different countries with similar problems talking about their experiences. In larger conferences (200+) it is easy to get lost in the myriad of threads and talks. 

So what did I learn from the day?

1. Competition is a key issue for framework agreements

Not really a new issue for me, but it is heartening to see others with similar concerns to mine about the impact of framework agreements in competition, particularly foreclosure of markets for small firms. 

2. Binding vs non-binding nature of framework agreements

This was unexpected. By looking at Directives 2004/18 and 2014/24 and practice here in the UK with its hordes of zombie (unused) frameworks I assumed that framework agreements were non-binding, that is a contracting authority could just as easily buy from another source. Turns out that under Swedish contract law framework agreements are binding. This is probably connected with the nature of the framework agreement itself: is it a contract or not, whose answer probably depends on applicable national contract laws.

The possibility of having parallel framework agreements for the same subject matter was also raised here (and in connection with competition issues) and again, it seems answers vary from country to country.

3. Are they more similar to award or selection stage?

Once more, probably connected with the nature of framework agreements. Abby Semple argued that due to the need for award criteria to be used during set up and the possibility of relying on Article 72 of Directive 2014/24, framework agreements are more akin to an award than a selection stage. I would add that if that is the case then, that in consequence they needed to always have a contractual nature, which poses some issues in certain national contract laws (ie England and Wales, where consideration is necessary for the existence of a contract). My view, is that they effectively constitute a selection stage albeit one where award criteria are used, unless we are talking about single supplier, binding framework, with all the contractual details set in advance.

4. How do we define contract value?

Another issue that touched by multiple jurisdictions is the definition of contract value. This appears to be particularly problematic in countries where frameworks do not have a binding nature and/or countries where contracts can be extended beyond the duration of the framework.

If you are interested in my presentation, you can download the PDF from the presentations page.