Written by Bastian Brunk, research assistant at the Humboldt University of Berlin and doctoral candidate at the Institute for Comparative and Private International Law at the University of Freiburg.
In April of 2020, EU Commissioner Didier Reynders announced plans for a legislative initiative that would introduce EU-wide mandatory human rights due diligence requirements for businesses. Only recently, Reynders reiterated his intentions during a conference regarding “Human Rights and Decent Work in Global Supply Chains” which was hosted by the German Federal Ministry of Labour and Social Affairs on the 6. October, and asseverated the launch of public consultations within the next few weeks. A draft report, which was prepared by MEP Lara Wolters (S&D) for the European Parliament Committee on Legal Affairs, illustrates what the prospective EU legal framework for corporate due diligence could potentially look like. The draft aims to facilitate access to legal remedies in cases of corporate human rights abuses by amending the Brussels Ibis Regulation as well as the Rome II Regulation. However, as these amendments have already inspired a comments by Geert van Calster, Giesela Rühl, and Jan von Hein, I won’t delve into them once more. Instead, I will focus on the centre piece of the draft report – a proposal for a Directive that would establish mandatory human rights due diligence obligations for businesses. If adopted, the Directive would embody a milestone for the international protection of human rights. As is, the timing could simply not be better, since the UN Guiding Principles (UNGPs) celebrate their 10th anniversary in 2021. The EU should take this opportunity to present John Ruggie, the author of the UNGPs, with a special legislative gift. However, I’m not entirely sure if Ruggie would actually enjoy this particular present, as the Directive has obvious flaws. The following passages aim to accentuate possible improvements, that would lead to the release of an appropriate legal framework next year. I will not address every detail but will rather focus on the issues I consider the most controversial – namely the scope of application and the question of effective enforcement.
To begin with a disclaimer, I believe the task of drafting a legal document on the issue of business and human rights to be a huge challenge. Not only does one have to reconcile the many conflicting interests of business, politics, and civil society, moreover, it is an impossible task to find the correct degree of regulation for every company and situation. If the regulation is too weak, it does not help protect human rights, but only generates higher costs. If it is too strict, it runs the risk of companies withdrawing from developing and emerging markets, and – because free trade and investment ensure worldwide freedom, growth, and prosperity – of possibly inducing an even worse human rights situation. This being said, the current regulatory approach should first and foremost be recognised as a first step in the right direction.
I would also like to praise the idea of including environmental and governance risks in the due diligence standard (see Article 4(1)) because these issues are closely related to each other. Practically speaking, the conduct of companies is not only judged based on their human rights performance but rather holistically using ESG or PPP criteria. All the same, I am not sure whether or not this holistic approach will be accepted in the regulatory process: Putting human rights due diligence requirements into law is difficult enough, so maybe it would just be easier to limit the proposal to human rights. Nonetheless, it is certainly worth a try.
Moving on to my criticism.
Firstly, the draft is supposed to be a Directive, not a Regulation. As such, it cannot impose any direct obligations on companies but must first be transposed into national law. However, the proposal contains a colourful mix of provisions, some of which are addressed to the Member States, while others impose direct obligations on companies. For example, Article 4(1) calls upon Member States to introduce due diligence obligations, whereas all other provisions of the same article directly address companies. In my eyes, this is inconsistent.
Secondly, the Directive uses definitions that diverge from those of the UNGPs. For example, the UNGPs define “due diligence” as a process whereby companies “identify, prevent, mitigate and account for” adverse human rights impacts. This seems very comprehensive, doesn’t it? Due diligence, as stipulated in the Directive, goes beyond that by asking companies to identify, cease, prevent, mitigate, monitor, disclose, account for, address, and remediate human rights risks. Of course, one could argue that the UNGP is incomplete and the Directive fills its gaps, but I believe some of these “tasks” simply redundant. Of course, this is not a big deal by itself. But in my opinion, one should try to align the prospective mechanism with the UNGPs as much as possible, since the latter are the recognised international standard and its due diligence concept has already been adopted in various frameworks, such as the UN Global Compact, the OECD Guidelines for Multinational Enterprises, and the ISO 26000. An alignment with the UNGP, therefore, allows and promotes coherence within international policies.
Before turning to more specific issues, I would like to make one last general remark that goes in the same direction as the previous one. While the UNGP ask companies to respect “at minimum” the “international recognized human rights”, meaning the international bill of rights (UDHR, ICCPR, ICESCR) and the ILO Core Labour Standards, the Directive requires companies to respect literally every human rights catalogue in existence. These include not only international human rights documents of the UN and the ILO, but also instruments that are not applicable in the EU, such as the African Charter of Human and People’s Rights, the American Convention of Human Rights, and (all?) “national constitutions and laws recognising or implementing human rights”. This benchmark neither guides companies nor can it be monitored effectively by the authorities. It is just too ill-defined to serve as a proper basis for civil liability claims or criminal sanctions and it will probably lower the political acceptance of the proposal.
Scope of Application
The scope of application is delineated in Article 2 of the Directive. It states that the Directive shall apply to all undertakings governed by the law of a Member State or established in the territory of the EU. It shall also apply to limited liability undertakings governed by the law of a non-Member State and not established within EU-territory if they operate in the internal market by selling goods or providing services. As one can see, the scope is conceivably broad, which gives rise to a number of questions.
First off, the Directive does not define the term “undertaking”. Given the factual connection, we could understand it in the same way as the Non-Financial Reporting Directive (2014/95/EU) does. However, an “undertaking” within the scope of the Non-Financial Reporting Directive refers to the provisions of the Accounting Directive (2013/34/EU), which has another purpose, i.e. investor and creditor protection, and is, therefore, restricted to certain types of limited liability companies. Such a narrow understanding would run counter to the purpose of the proposed Directive because it excludes partnerships and foreign companies. On the other hand, “undertaking” probably does mean something different than in EU competition law. There, the concept covers “any entity engaged in an economic activity, regardless of its legal status” and must be understood as “designating an economic unit even if in law that economic unit consists of several persons, natural or legal” (see e.g. CJEU, Akzo Nobel, C-97/08 P, para 54 ff.). Under EU competition law, the concept is, therefore, not limited to legal entities, but also encompasses groups of companies (as “single economic units”). This concept of “undertaking”, if applied to the Directive, would correspond with the term “business enterprises” as used in the UNGP (see the Interpretive Guide, Q. 17). However, it would ignore the fact that the parent company and its subsidiaries are distinct legal entities, and that the parent company’s legal power to influence the activities of its subsidiaries may be limited under the applicable corporate law. It would also lead to follow-up questions regarding the precise legal requirements under which a corporate group would have to be included. Finally, non-economic activities and, hence, non-profit organisations would be excluded from the scope, which possibly leads to significant protection gaps (just think about FIFA, Oxfam, or WWF). In order to not jeopardise the objective – ensuring “harmonization, legal certainty and the securing of a level playing field” (see Recital 9 of the Directive) – the Directive should not leave the term “undertaking” open to interpretation by the Member States. A clear and comprehensive definition should definitely be included in the Directive, clarifying that “undertaking” refers to any legal entity (natural or legal person), that provide goods or services on the market, including non-profit services.
Secondly, the scope of application is not coherent for several reasons. One being that the chosen form of the proposal is a Directive, rather than a Regulation, thus providing for minimum harmonisation only. It is left to the Member States to lay down the specific rules that ensure companies carrying out proper human rights due diligence (Article 4(1)). This approach can lead to slightly diverging due diligence requirements within the EU. Hence, the question of which requirements a company must comply with arises. From a regulatory law’s perspective alone, this question is not satisfactorily answered. According to Article 2(1), “the Directive” (i.e. the respective Member States’ implementation acts) applies to any company which has its registered office in a Member State or is established in the EU. However, the two different connecting factors of Article 2(1) have no hierarchy, so a company must probably comply with the due diligence requirements of any Member State where it has an establishment (agency, branch, or office). Making matters worse (at least from the company’s perspective), in the event of a human rights lawsuit, due diligence would have to be characterised as a matter relating to non-contractual obligations and thus fall within the scope of the new Art. 6a Rome II. The provisions of this Article potentially require a company to comply with the due diligence obligations of three additional jurisdictions, namely lex loci damni, lex loci delicti commissi, and either the law of the country in which the parent company has its domicile (in this regard, I agree with Jan von Hein who proposes the use not of the company’s domicile but its habitual residence as a connecting factor according to Article 23 Rome II) or, where it does not have a domicile (or habitual residence) in a Member State, the law of the country where it operates.
That leads us to the next set of questions: When does a company “operate” in a country? According to Article 2(2), the Directive applies to non-EU companies which are not established in the EU if they “operate” in the internal market by selling goods or providing services. But does that mean, for example, that a Chinese company selling goods to European customers over Amazon must comply fully with European due diligence requirements? And is Amazon, therefore, obliged to conduct a comprehensive human rights impact assessment for every retailer on its marketplace? Finally, are states obliged to impose fines and criminal sanctions (see Article 19) on Amazon or the Chinese seller if they do not meet the due diligence requirements, and if so, how? I believe that all this could potentially strain international trade relations and result in serious foreign policy conflicts.
Finally, and perhaps most controversially in regard to the scope, the requirements shall apply to all companies regardless of their size. While Article 2(3) allows the exemption of micro-enterprises, small companies with at least ten employees and a net turnover of EUR 700,000 or a balance sheet total of EUR 350,000 would have to comply fully with the new requirements. In contrast, the French duty of vigilance only applies to large stock corporations which, including their French subsidiaries and sub-subsidiaries, employ at least 5,000 employees, or including their worldwide subsidiaries and sub-subsidiaries, employ at least 10,000 employees. The Non-Financial Reporting Directive only applies to companies with at least 500 employees. And the due diligence law currently being discussed in Germany, will with utmost certainty exempt companies with fewer than 500 employees from its scope and could perhaps even align itself with the French law’s scope. Therefore, I doubt that the Member States will accept any direct legal obligations for their SMEs. Nonetheless, because the Directive requires companies to conduct value chain due diligence, SMEs will still be indirectly affected by the law.
Value Chain Due Diligence
Value chain due diligence, another controversial issue, is considered to be anything but an easy task by the Directive. To illustrate the dimensions: BMW has more than 12,000 suppliers, BASF even 70,000. And these are all just Tier 1 suppliers. Many, if not all, multinational companies probably do not even know how long and broad their value chain actually is. The Directive targets this problem by requiring companies to “make all reasonable efforts to identify subcontractors and suppliers in their entire value chain” (Article 4(5)). This task cannot be completed overnight but should not be impossible either. For example, VF Corporation, a multinational apparel and footwear company, with brands such as Eastpack, Napapijri, or The North Face in its portfolio, has already disclosed the (sub?)suppliers for some of its products and has announced their attempt to map the complete supply chain of its 140 products by 2021. BASF and BMW will probably need more time, but that shouldn’t deter them from trying in the first place.
Mapping the complete supply chain is one thing; conducting extensive human rights impact assessments is another. Even if a company knows its chain, this does not yet mean that it comprehends every potential human rights risk linked to its remote business operations. And even if a potential human rights risk comes to its attention, the tasks of “ceasing, preventing, mitigating, monitoring, disclosing, accounting for, addressing, and remediating” (see Article 3) it is not yet fulfilled. These difficulties call up to consider limiting the obligation to conduct supply chain due diligence to Tier 1 suppliers. However, this would not only be a divergence from the UNGP (see Principle 13) but would also run counter to the Directive’s objective. In fact, limiting due diligence to Tier 1 suppliers makes it ridiculously easy to circumvent the requirements of the Directive by simply outsourcing procurement to a third party. Hence, the Directive takes a different approach by including the entire supply chain in the due diligence obligations while adjusting the required due diligence processes to the circumstances of the individual case. Accordingly, Article 2(8) states that “[u]ndertakings shall carry out value chain due diligence which is proportionate and commensurate to their specific circumstances, particularly their sector of activity, the size and length of their supply chain, the size of the undertaking, its capacity, resources and leverage”. I consider this an adequate provision because it balances the interests of both companies and human rights subjects. However, as soon as it comes to enforcing it, it burdens the judge with a lot of responsibility.
The question of enforcement is of paramount importance. Without effective enforcement mechanisms, the law will be nothing more than a bureaucratic and toothless monster. We should, therefore, expect the Directive – being a political appeal to the EU Commission after all – to contain ambitious proposals for the effective implementation of human rights due diligence. Unfortunately, we were disappointed.
The Directive provides for three different ways to enforce its due diligence obligations. Firstly, the Directive requires companies to establish grievance mechanisms as low-threshold access to remedy (Articles 9 and 10). Secondly, the Directive introduces transparency and disclosure requirements. For example, companies should publish a due diligence strategy (Article 6(1)) which, inter alia, specifies identified human rights risks and indicates the policies and measures that the company intends to adopt in order to cease, prevent, or mitigate those risks (see Article 4(4)). Companies shall also publish concerns raised through their grievance mechanisms as well as remediation efforts, and regularly report on progress made in those instances (Article 9(4)). With these disclosure requirements, the Directive aims to enable the civil society (customers, investors and activist shareholders, NGOs etc.) to enforce it. Thirdly, the Directive postulates public enforcement mechanisms. Each Member State shall designate one or more competent national authorities that will be responsible for the supervision of the application of the Directive (Article 14). The competent authorities shall have the power to investigate any concerns, making sure that companies comply with the due diligence obligations (Article 15). If the authority identifies shortcomings, it shall set the respective company a time limit to take remedial action. It may then, in case the company does not fulfil the respective order, impose penalties (especially penalty payments and fines, but also criminal sanctions, see Article 19). Where immediate action is necessary to prevent the occurrence of irreparable harm, the competent authorities may also order the adoption of interim measures, including the temporary suspension of business activities.
At first glance, public enforcement through inspections, interim measures, and penalties appear as quite convincing. However, the effectiveness of these mechanisms may be questioned, as demonstrated by the Wirecard scandal in Germany. Wirecard was Germany’s largest payment service provider and part of the DAX stock market index from September 2018 to August 2020. In June of 2020, Wirecard filed for insolvency after it was revealed that the company had cooked its books and that EUR 1.9 billion were “missing”. In 2015 and 2019, the Financial Times already reported on irregularities in the company’s accounting practices. Until February 2019, the competent supervisory authority BaFin did not intervene, but only commissioned the FREP to review the falsified balance sheet, assigning only a single employee to do so. This took more than 16 months and did not yield any results before the insolvency application. While it is true that the Wirecard scandal is unique, it showcased that investigating malpractices of large multinational companies through a single employee is a crappy idea. Public enforcement mechanisms only work if the competent authority has sufficient financial and human resources to monitor all the enterprises covered by the Directive. So how much manpower does it need? Even if the Directive were to apply to companies with more than 500 employees, in Germany alone one would have to monitor more than 7.000 entities and their respective value chains. We would, therefore, need a whole division of public inspectors in a gigantic public agency. In my opinion, that sounds daunting. That does not mean that public enforcement mechanisms are completely dispensable. As Ruggie used to say, there is no single silver bullet solution to business and human rights challenges. But it is also important to consider decentralised enforcement mechanisms such as civil liability. In contrast to public enforcement mechanisms, civil liability offers victims of human rights violations “access to effective remedy”, which, according to Principle 25, is one of the main concerns of the UNGP.
So, what does the Directive say about civil liability? Just about nothing. Article 20 only states that “[t]he fact that an undertaking has carried out due diligence in compliance with the requirements set out in this Directive shall not absolve the undertaking of any civil liability which it may incur pursuant to national law.” Alright, so there shouldn’t be a safe harbour for companies. But that does not yet mean that companies are liable for human rights violations at all. And even if it were so, the conditions for asserting a civil claim can differ considerably between the jurisdictions of the Member States. The Directive fails to achieve EU-wide harmonisation on the issue of liability. That’s not a level playing field. This problem could be avoided by passing an inclusive Regulation containing both rules concerning human rights due diligence and a uniform liability regime in case of violations of said rules. However, such an attempt would probably encounter political resistance from the Member States and result in an undesirable delay of the legislative process. A possible solution could be to only lay down minimum requirements for civil liability but to leave the ultimate drafting and implementation of liability rules to the Member States. Alternatively, the Directive could stipulate that the obligations set out in Articles 4 to 12 are intended to determine the due care without regard to the law applicable to non-contractual obligations. At least, both options would ensure that companies are liable for any violation of their human rights due diligence obligations. Is that too much to ask?