International Regulatory Enforcement (PHIRE)

Downstream Due Diligence: Regulation through Litigation

December 02, 2022

By Jonathan C. Drimmer,Tara K. Giunta,

Nicola Bonucci,

& Renata Parras

As the European Union (“EU”) continues to debate whether downstream responsibilities will fall within the contours of its hefty Corporate Sustainability Mandatory Due Diligence Directive (“CSMDD”), and the EU Council just voted to limit its proposed approach to upstream suppliers, recent litigation focusing on the misuse or irresponsible usage of company products and services may be making that debate less significant.  To date, legislation and corporate efforts, consistent with the approach of the Council, have focused primarily on upstream relationships, involving supply chains at the first tier and beyond.  Relevant laws include: the trio of modern slavery acts – in California, the UK and Australia – requiring that companies identify the steps they are taking to identify and mitigate the risks of modern slavery in their operations and supply chains; forced labor import bans, such as Section 307 of the U.S. Tariff Act of 1930 or Canada’s Customs Tariff Act, which target the importation of goods; conflict minerals legislation in the U.S., focusing on supply chains involving tin, tantalum, tungsten and gold from the Democratic Republic of Congo and its contiguous countries, and in the EU, focusing on conflict-affected and high-risk areas; and the U.S. Federal Acquisition Regulations, geared toward preventing forced labor in the operations or supply chains of U.S. government contractors.

Outside of Norway’s Transparency Law, which covers the full value chain, recent domestic mandatory due diligence laws – including Germany’s Supply Chain Act, France’s Duty of Vigilance Law and the Swiss Ordinance on Due Diligence and Transparency in the Sectors of Minerals and Metals from Conflict Areas and Child Labour – likewise turn their gaze upstream, largely ignoring the human rights implications of company products and services.  Although these laws draw inspiration and guidance from the United Nations (“UN”) Guiding Principles on Business and Human Rights (“UNGPs”), the UNGPs specifically and repeatedly provide that company human rights responsibilities, including policies, due diligence, and remediation, extend to downstream use of products by consumers and end users.  As an example, UNGP 13(b), a foundational principle, states that businesses must “[s]eek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts.”  The Organisation for Economic Co-Operation and Development’s (“OECD”) Guidelines for Multinational Enterprises, which incorporate the UNGPs, provides the same.

It remains unclear if and when the EU will follow Norway, the UNGPs and the OECD, and include, in the final due diligence directive, complementary supply chain obligations with customer and end-user responsibilities.

But what is clear is that the potential impact of that decision is becoming less relevant.  As several recent high-profile lawsuits suggest, there is a targeted focus on companies that allegedly failed to conduct due diligence regarding their products and services, creating a de facto “regulation through litigation.”  For instance:

  • In the United States, an Ohio court recently awarded $650 million in damages to two counties that prevailed in litigation against several national pharmacy chains, arguing that the companies recklessly distributed large amounts of opioids to customers, causing a severe harm to communities and creating a public nuisance.  In essence, the plaintiffs claimed that the pharmacies contributed to the flood of pills that led to hundreds of local overdose deaths.  In response, the pharmacies argued that: they neither manufactured nor marketed opioids nor sold them to “pill mills”; opioids are lawful products regulated by the U.S. Food and Drug Administration; they filled only prescriptions that were written by physicians licensed by state authorities; and they had policies to stop the flow of pills when pharmacists had concerns about the integrity of prescriptions.  However, the plaintiffs pointed out that between 2012 and 2016, roughly 80 million opioids were dispensed in one of the counties alone – equivalent to 400 pills for every resident – and in another county some 61 million pills were distributed during that period.  The plaintiffs argued, and the jury apparently agreed, that the visible harm of opioids in local communities was a red flag that compelled the companies to undertake additional due diligence to ascertain whether and how they might be contributing to it, and take appropriate remedial steps.  Since the verdict, several national pharmacies have agreed to pay more than $10 billion to settle similar lawsuits. 


  • Also in the United States, two nearly identical class actions were filed against financial institutions for allegedly participating in and financially benefitting from Jeffrey Epstein’s sex trafficking activities.  The cases, relying on RICO and the Trafficking Victim Protection Reauthorization Act, asserted that Epstein’s sex-trafficking venture was only possible with the assistance of financial institutions that allowed him to make cash payments to victims.  The complaints also allege that, given Epstein’s reputation after his Florida arrest in 2006 and registration as a sex offender in 2008, the institutions had a responsibility to conduct inquiries to ascertain whether Epstein was still engaged in sex trafficking, review account activities consistent with know your customer (KYC) requirements to address potential anti-money laundering (AML) risks, and establish criteria for determining when a client relationship poses too high of a risk and must be terminated.  The failure to conduct due diligence around Epstein’s activities in the face of his history and use of cash, the lawsuits claim, creates liability.  Of note, the premise of the lawsuits has been followed by regulators.  In New York, authorities fined one of the named institutions based on a similar factual theory.  In Australia, regulators settled with a local bank for AUD$1.3 billion following allegations that the bank failed to monitor 12 customers who made overseas transactions consistent with child exploitation typologies in the Philippines.  In a similar vein, French authorities are conducting a war crimes investigation into a financial institution that admitted to acting as the primary foreign bank of the Sudanese government between 2002 and 2008, and allegedly helped provide the government the means to fund military and security forces connected to abuses.


  • In France, the Investigative Chamber of the Paris Court of Appeals recently confirmed the indictment of a computer engineering company and four of its executives for complicity in torture in Libya for selling a computer system to the Libyan government that was used to intercept Internet communications.  This tool allegedly was employed against Libyan political opponents who were arrested and tortured in jail.  Notably, the case was initiated by NGOs, who filed a complaint against the company, and a judicial investigation was opened in 2013.  The company and its executives also were indicted in connection with use of the technology in Egypt, related to forced disappearances.


  • Last year, in a groundbreaking case in the UK, the Court of Appeals for England and Wales ruled that a UK broker who acted on behalf of a ship owner in selling a vessel to a demolition cash buyer could potentially be liable for the death of a worker at a shipyard in Bangladesh.  The broker allegedly knew that the vessel would go to a shipyard in Bangladesh, where shipbreakers have inadequate protective equipment and inadequate demolition tools.  A worker at the yard fell to his death while working on the ship, and his wife filed a negligence claim in the UK against the broker, arguing that if her husband had the proper equipment, he may have lived.  The court allowed the case to proceed, ruling that it “has a real prospect of succeeding,” although the actual harm was caused by the conduct of the yard.  The court ruled that at trial the court will have to consider whether the broker owed a duty of care to the deceased, and by allegedly selling the vessel while knowing the working conditions at the yard would be unsafe, violated that duty.  The court noted that the low sale price of the ship suggested that the demolition cash buyer would not use a safe yard, and since the ship had a low amount of fuel and was docked in nearby Singapore, it was likely going to a shipyard in Bangladesh given the prevalence of the industry.  Finally, the court noted that the broker could have ensured that the ship was sent to a shipbreaking facility with safe working conditions, but did not do so.  In essence, the court ruled that the broker arguably should have undertaken further due diligence to identify the downstream risks, and taken appropriate mitigating measures.

As these cases and others reveal, plaintiffs and regulators are increasingly alleging, and courts are increasingly accepting, that companies owe downstream human rights duties of care to customers and end users.  That includes situations where the harms occur abroad, where sales are made to sovereign governments, where lawful regulated products are being sold, and where companies have many thousands of customers to potentially monitor.  While it remains to be seen whether, consistent with its original draft, the EU will include an affirmative downstream obligation in the final due diligence directive, the “regulation through litigation” strategy – likely to increase if the EU focuses only on upstream requirements – is driving toward a de facto duty that may have a similar effect. 

For More Information

Image: Jonathan C. Drimmer
Jonathan C. Drimmer

Partner, Litigation Department

Image: Tara K. Giunta
Tara K. Giunta

Partner, Litigation Department

Nous contacter

Nous contacter