Update to the EU Corporate Due Diligence and Corporate Accountability Initiative: The Provisional Draft and the 10 Questions Businesses Still Need to Know
February 22, 2021
& Nicola Bonucci
For nearly a year, there has been rapid progress toward an EU requirement that companies doing business in the EU conduct broad human rights due diligence across their operations and value chains. In April 2020, following the publication of a lengthy scoping study in February 2020, EU Justice Commissioner Didier Reynders announced that he would introduce mandatory due diligence legislation as part of the Commission’s 2021 work plan. Following that announcement, the Commission launched a “public consultation” that closed on February 8, 2021, which elicited hundreds of comments. We are now expecting a formal proposal by the Commission to be tabled, in principle, before the end of the first quarter of 2021.
In parallel to the Commission work, the European Parliament Committee on Legal Affairs published a draft report in September 2020, with a draft Directive that takes a maximalist approach in terms of breadth and scope. That initial blueprint goes well beyond just human rights, requiring many EU-based and global businesses, including those providing financial products and services, to create substantial new internal systems and processes. Last week, the Committee issued a provisional Final Committee Report. The report includes a motion for a European Parliament resolution, and recommendations for a directive, and was adopted by 21 votes in favor, one against, and one abstention. Although the Committee notes that its final text for the Directive is ready and will become available “in coming days,” it made public a “provisional version,” stating that the “next and final step is that the report will be discussed and voted in plenary in March.” It is important to note, of course, that the new “provisional” draft and the final report from Legal Affairs will not be identical—and that the final report itself is not likely to fully reflect the Directive that may be adopted (assuming that happens). In light of the way the EU reaches its decisions, it is fair to assume that the core requirements and scope in the provisional draft will reflect the final report from Legal Affairs—at least regarding the due diligence and reporting components (see below regarding civil liability).
In the fall, after the initial draft report, we prepared a list of the 10 questions that businesses should know about the directive. Rather than reinvent the wheel, we provide an update to those same questions to assist in understanding the practical implications of the new provisional draft. While the basic provisions remain largely the same, there are substantial changes to the penalty and civil liability components (see question VIII, below). Specifically, it removes a criminal liability recommendation, but includes suggested amendments to EU regulations to allow claimants to bring civil cases against EU-based businesses and non EU-based businesses operating in the EU for harms caused by entities in their overseas values chains. These suggested amendments are far-reaching, and we expect they will engender robust debate. Thus, while we do not expect the diligence and reporting components of the new provisional draft to change materially, whether the civil litigation suggestions will appear in the “final” Legal Affairs draft is less than clear.
While companies may have due diligence processes that consider some of these issues, few cover all of them.
In addition, businesses must use contract clauses and codes of conduct to ensure that the human rights, environmental and governance policies of their business partners are aligned with their own due diligence strategy, and “regularly verify” that suppliers and subcontractors comply with their relevant obligations. The strategy must be made public and communicated to workers and business relationships (Art. 6), and the effectiveness of the due diligence strategy should be reviewed once per year (Art. 8).
Coupled with the broad substantive scope, encompassing human rights, the environment, and governance, few companies are in a position to meet this core requirement. It requires a detailed mapping of operations and business relationships, a methodology to assess associated potential impacts upstream and downstream, the development of policies, procedures, and mitigating measures across operations and third parties, and audits to assess compliance. It also compels extensive substantive expertise across a range of subjects. Indeed, it is almost transformative in its demand, requiring that responsible business conduct becomes an imperative integrated into the company’s activities on a global basis.
- If I am a U.S. business with global operations, including in the EU, would the directive apply to me?
Almost certainly. The September report encompassed all business enterprises incorporated, domiciled, or established in the EU, as well as non-EU enterprises doing business in the EU (e.g., selling goods or services). The new provisional draft (Article 2) covers (a) “large undertakings” governed by the law of or established in an EU country, (b) all publicly listed and high-risk small and medium-sized undertakings, and (c) large undertakings, and publicly listed small and medium-sized undertakings in high risk sectors, that sell goods or provide services in the EU. Accordingly, regardless of where the company is headquartered, if it does business in the EU and is of any substantial size, the Directive will likely apply. The provisional draft also requests that the Commission define identify which sectors are considered high risk.
- Is the Directive limited to human rights in terms of its scope?
No. Although colloquially it has been referred to as an EU mandatory human rights due diligence initiative, the directive—called the “Directive of the European Parliament and of the Council on Corporate Due Diligence and Corporate Accountability”—is far broader, and it appears to be inspired by the 2017 French corporate duty of vigilance law. It covers three categories of issues (Art. 3): human rights, environmental risks, and governance risks. While the original draft included specific definitions of all three categories, the provisional draft has much more general references and contemplates specific definitions in annexes. However, the preamble makes clear that the intended scope has not changed, but, perhaps, expanded. Specifically:
- Human rights includes rights identified in the International Bill of Human Rights, International Humanitarian Law, UN human rights instruments relating to vulnerable groups, principles in ILO Core Conventions, additional ILO Conventions, regional conventions on human rights, and “national constitutions and laws recognizing or implementing human rights.”
- Environmental risks includes temporary or permanent impacts on “production of waste, diffuse pollution and greenhouse emissions that lead to a global warming of more than 1.5°C above pre-industrial levels, deforestation, and any other impact on the climate, air, soil and water quality, the sustainable use of natural resources, biodiversity and ecosystems.”
- Governance risks include encompass corruption and bribery, and situations in which a business “becomes improperly involved in local political activities, makes illegal campaign contributions or fails to comply with the applicable tax legislation.”
- What does the Directive actually require?
There have not been material changes between the original draft report and the new provisional draft. At its core, the draft (Art. 4) requires EU Member States to introduce rules to compel companies to “carry out effective due diligence with respect to potential or actual adverse impacts on human rights, the environment and good governance in their operations and business relationships.” Specifically, the draft requires that businesses “identify and assess” any potential impacts on an ongoing basis and “by means of a risk based monitoring methodology that takes into account the likelihood, severity and urgency of potential or actual impacts on human rights, the environment or good governance, the nature and context of their operations, including geographic, and whether their operations and business relationships cause or contribute to or are directly linked to any of those potential or actual adverse impact.” Note that, beyond traditional supply chain laws, business relationships include upstream and downstream relationships applying to not only suppliers, but customers and end-users as well. (Art. 3) If the business concludes that it does not cause or contribute to any actual or potential impact, it must publish a statement to that effect, along with its risk assessment, which must be reviewed if new risks emerge or the business enters new business relationships that can pose risks. If the business identifies actual or potential impacts, it must establish a due diligence strategy that:
- specifies the risks that are likely present and their level of severity and urgency;
- publicly discloses "relevant information" about its value chain, "including names, locations, types of products and services supplied, and other relevant information concerning subsidiaries, suppliers and business partners in its value chain";
- indicates the policies and measures the business intends to adopt to try to cease, prevent or mitigate the identified risks; and
- develops an approach to prioritization if all of the risks cannot be addressed at once.
- Is this core requirement limited to assessing my EU operations only, or is it broader? For instance, does it cover risks associated with non-EU business activities?
The original draft was not clear on who the reporting entity should be—e.g., whether it can be one or more subsidiaries of a company doing business or based in the EU, or must be the global parent. The provisional draft (Art. 4) indicates that a subsidiary may be included within the report of a parent, but must clearly so indicate. However, as was true in the original draft, it remains unclear whether “operations” are limited to EU operations or if that term could also apply to global operations unrelated to the EU. Nonetheless, it is clear that the Directive extends beyond a company’s own operations, and, at least, will extend to all business relationships associated with activities conducted in the EU. Furthermore, the preamble makes clear that the responsibility to identify and assess business relationships includes reasonable efforts to identify suppliers and subcontractors, and “due diligence should not be limited to the first tier downstream and upstream in the supply chain but should encompass those that, during the due diligence process, might have been identified by the undertaking as posing major risks.”
- In developing due diligence strategy, can we rely on our own internal assessment activities, or must we consult external stakeholders?
The February 2021 draft, like the prior version, provides (Arts. 5 and 8) that companies must consult with stakeholders, including trade unions when establishing, implementing, and reviewing their due diligence strategy. In fact, it says that trade unions have a “right … to be involved in the establishment and implementation of the due diligence strategy.” The draft strongly implies that a failure to engage in stakeholder consultations would be considered a legal breach.
- Must the report be signed or approved at the board level, like Modern Slavery Act statements? Are there other corporate governance requirements?
This represents a significant change from the original version. The initial draft report provided that there is a collective responsibility among management and boards for ensuring that the diligence processes are consistent with the Directive. That has been removed from the current draft, which now requires (Art. 6) that the due diligence strategy or statement, including the risk assessment, be published on a centralized platform. Also gone is a requirement that large companies establish advisory committees to inform the board on due diligence matters. Now, the preamble merely encourages boards to do so.
- What happens when someone believes a company is connected to serious risks, or has caused or contributed to a negative impact?
The provisional draft, like the original, requires (Art. 9) that companies establish grievance mechanisms that allow stakeholders to “voice reasonable concerns regarding the existence of a potential or actual adverse impact on human rights, the environment or good governance.” It states expressly that grievance mechanisms should meet the criteria in UNGP Principle 31 (e.g., it must be legitimate, accessible, predictable, safe, equitable, transparent, rights-compatible, and adaptable). While the grievance mechanisms can be created jointly with other enterprises or organizations, they should allow for anonymous reporting and timely and effective responses to stakeholders, and be informed by the position of stakeholders in their creation.
The provisional draft also states (Art. 10) that EU countries should make sure that, when a company determines that it has caused or contributed to harm, it “provides for or cooperates with the remediation process,” which may include financial or non-financial compensation, rehabilitation, or “contribution to an investigation,” and prevent additional harm through guarantees of non-repetition.
- Are there penalties for failing to conduct adequate diligence, or just for negative impacts? If negative impacts are caused by entities in a value chain, can a company be liable for those?
The penalty and litigation provisions in this latest draft represent the most substantial changes from the original. While the original contemplated potential criminal penalties, that provision no longer appears. Instead, the latest draft (Art. 13) states that, if a company fails to meet the diligence requirements, Member States shall provide for sanctions, including fines. It further specifies (Art. 18) that “[t]he sanctions provided for shall be effective, proportionate and dissuasive and shall take into account the severity of the infringements committed and whether or not the infringement has taken place repeatedly.”
The February 2021 draft also states that EU members must designate a competent governmental authority to oversee the Directive (Art. 12), and the competent authority can conduct investigations to ensure compliance (Art. 13). Where the competent authority identifies a failure to comply, the business has an opportunity to take remedial action, but will suffer a penalty if it does not do so.
However, when the dictates of the Directive are met, that is not a defense to civil liability for harms caused or contributed to by a company or its business relationships (Art. 19). The provisional draft further provides that states must have liability regimes in place through which companies can be held liable and provide remediation for human rights, environmental, or good governance harms that they, “or undertakings under their control, have caused or contributed to by acts or omissions.” In a nod to responsible businesses, the provisional draft adds that Members States shall ensure that where companies prove they “took all due care in line with this Directive to avoid the harm in question, or that the harm would have occurred even if all due care had been taken,” they will not be “held liable for that harm.”
Further, the February draft includes significant suggested amendments to existing EU regulations, including “Brussels I”—on jurisdiction and the recognition of judgements in civil and commercial matters—and “Rome II”—on the law applicable to non-contractual obligations—with respect to jurisdiction for human rights-related legal claims. The draft provides that, for “business-related civil claims for human rights violations within the value chain” of a company domiciled in the EU, or operating in the EU within the scope of the provisional draft directive, a claimant may choose to file the case in the country where the harm occurred or where the defendant is domiciled or, if it is not domiciled in a Member State, where it operates. This would extend the jurisdiction of Member States’ courts to human rights cases against EU undertakings for harms caused by their subsidiaries or suppliers abroad, largely obviating the need to establish a parent duty of care or corporate veil piercing. The provisional draft also suggests a forum necessitatis provision, which would allow claimants to file cases in the courts of EU Member States where they do not otherwise have jurisdiction, if they cannot reasonably be brought in the country where the case is closely connected, provided the claim has a sufficient connection with the country where the court exists. On its face, and provided that the conditions set out above are met, the provisions as drafted suggest that human rights cases could be brought in the EU against both EU-based businesses and non-EU-based businesses that operate in the EU based on their third-country supply chain activities.
- Will there be guidance in terms of reporting obligations?
The draft makes clear that guidelines should be created to assist in fulfilling the due diligence requirements; this includes guidance provided in consultation with Member States and the OECD (Art. 14), the establishment of a committee of EU competent authorities to facilitate “coordination and convergence of regulatory, investigative and supervisory practices” (Art. 16), and giving Member States discretion to encourage sectoral due diligence action plans to coordinate due diligence strategies within different sectors (Art. 11). Of note, and as expected, the draft states that the guidelines should take “due account” of other existing international standards, including the UNGPs, the OECD Guidelines for Multinational Enterprises, and specific due diligence guidance.
- What are the next steps?
The draft directive prepared by the Committee on Legal Affairs will be tabled at a Plenary Meeting of the EU Parliament on March 8, 2021. If adopted by the Plenary, the European Parliament will forward it to the Commission, asking the Commission to submit a legislative proposal along the lines of the draft directive. The Commission has the discretion to accept the request, revise the directive, or take no action, as it sees fit. It is expected that, under any circumstances, the Commission will submit a final proposal to the Members and the European Parliament this calendar year. Member States then would need to adopt implementing laws within two years from adoption. One point that remains to be seen is how this EU initiative will interact with the various national laws already adopted (France, Netherlands) or those to be adopted in 2021 (Germany, Switzerland, Norway).