SHA – how technology can ruin transparency of public procurement proceedings


Directive 2014/24/EU of 26 February 2014 on Public Procurement only states that “where a tender is signed with the support of a qualified certificate that is included on a trusted list, the contracting authorities shall not apply additional requirements that may hinder the use of those signatures by tenderers”. Unfortunately, the National Appeals Chamber (KIO) took a different view of the issue.

The digitisation of public procurement in the day-to-day activities of contracting authorities and contractors is slowly becoming a digital nightmare. Compliance with the electronic communication obligation in a tender procedure is complicated from the technical point of view, and most market players do not have the specialist knowledge needed to understand the specifics of the functioning of electronic tools. This is creating conditions in which an undesirable tradition in Polish public procurement is being sustained, which is making formalism the primary objective of the proceedings. It is even a commonly held view that in principle the obligation to conduct the proceedings electronically is hindering, rather than facilitating, access to tenders on the single market. (For more on this see the articles: E-procurement caught up in formalism, Electronic bid bond has negative consequences for bids, the Public Procurement Office’s position on power of representation to file the ESPD, What is the situation regarding power of representation to file the ESPD?).

The KIO has not resisted this trend either. In recent rulings (KIO 2428/18 and KIO 2639/18), it formulated a principle that does not exist in public procurement law, of responsibility of a contractor applying for a tender for use of a qualified electronic certificate supplied by a trusted supplier. The statement of reasons in case KIO 2639/18 has not been released yet. Only social media contain information that the KIO found that it was lawful to exclude a contractor who had signed an ESPD using a qualified electronic signature certificate, but had done so in a manner preventing the signature from being authenticated.

Without knowledge of the arguments that led the KIO to that conclusion, the adjudication cannot be commented upon in terms of its merits other than by asking which provision in the Public Procurement Law or Directive 2014/24 the KIO found to be the basis for exclusion on the described grounds. In particular, according to the provision in the directive cited at the beginning of this article, requirements cannot be set which hinder use of a signature that uses a qualified certificate (art. 22(6)(c)(ii) of that directive).

On the other hand, the KIO’s reasoning can be traced in case 2428/18. This line of reasoning is that the obligation to draw up documents in a tender procedure in electronic form and sign them using a secure electronic signature (art. 10(5) of the Public Procurement Law) does not only mean that a contractor has to obtain and use an electronic signature offered by a supplier registered on the NCCert list. It also means that a contractor has to verify whether SHA-1 or SHA-2 was used.

The KIO formulated this view not on the basis of the Public Procurement Law or the directive, but on the basis of Art. 137(1) of the Trust Services and Electronic Identification Act of 5 September of 2016 (see article National Appeals Chamber (KIO) stories: how the KIO was fooled with regard to an electronic signature).

The first objection with respect to the KIO’s standpoint is that after all the KIO has the authority under the Directive on Review Procedures (2007/66/EEC) to adjudicate in public procurement cases. More precisely, it reviews appeals against decisions made by contracting authorities due to breach of Community law with respect to public procurement or breach of the implementing national provisions (Art. 1 of the Directive on Review Procedures). Art. 180 of the Public Procurement Law provides for this scope of adjudication of the KIO: “an appeal can only be filed in cases of actions or failure to act on the part of a contracting authority in public procurement proceedings, where the action is an obligation of the contracting authority under the act”.

For this reason, when examining the actions of contracting authorities and the obligations imposed on contractors, the KIO should not consult provisions other than those in the Public Procurement Law. When consulting the Trust Services and Electronic Identification Act, the KIO only performed an interpretation of a section of that act, without regard to other provisions in the act. The provisions disregarded were in particular those specifying to whom the standards laid down in the act apply. Meanwhile, the act firstly specifies the activities of trust service suppliers, and secondly states that the interim provision in Art. 137(1) applies to trust service suppliers, software manufacturers, and public entities with respect to adaptation of infrastructure for which trust services are used in connection with the switch from SHA-1 to a different algorithm. The act does not in fact make any mention of SHA-2, which the KIO required the contractor to use to sign the bid. The Trust Services Act does not provide under any circumstances for a penalty in the form of an electronic signature signed using SHA-1 subsequent to the date specified in Art. 137 being invalidated or found to be ineffective.

More importantly, the KIO’s ruling evidently conflicts with Art. 22(6)(c)(ii) of the Public Procurement Directive (and accordingly Art. 40(6)(c)(ii) of the Public Sector Tender Directive), as well as the standpoint of the CJEU on the grounds for exclusion of a contractor. This is because the CJEU does not allow exclusion as a result of a contractor not fully complying with an obligation which is not expressly provided for in the tender documentation or current law (for examples the judgments in C-27/15 Pippo Pizzo and C-35/17 Saferoad). This is a practice that breaches the principle of transparency and moreover the principle of equal treatment, taking into consideration competition in other member states.

The above means that the KIO’s legal interpretation in case 2428/18 cannot be treated as a guide for contracting authorities and contractors in future tenders. Therefore, as public procurement laws currently specify a range of requirements concerning the tools and devices used to conduct public procurement proceedings electronically, and certain technical actions are required to fulfil them, the key principles for the functioning of a single public procurement market remain unchanged. For this reason, interpretation of all new elements implemented into tender procedures by technology must always take into account the goal of removal of obstacles to access to the tender, according to the principles of equal treatment, fair competition, proportionality, and transparency. They cannot be treated as an ace up someone’s sleeve serving to eliminate a rival for reasons that are not material for the objective of the proceedings.

Mirella Lechna, legal adviser, Infrastructure, Public Procurement & PPP practice, Wardyński & Partners