Throughout the year, there has been a steady march toward an EU requirement that companies doing business in the EU conduct broad human rights due diligence across their operations and into their supply chains. Last week, the European Parliament Committee on Legal Affairs continued that momentum, publishing a draft report and a draft Directive. While there has been great speculation as to the breadth and scope of the EU requirement, the proposed text takes a maximalist approach, going well beyond just human rights, requiring many EU-based and global businesses, including those providing financial products and services, to create substantial new internal systems and processes, and contemplating potential criminal penalties and liability for companies, managers and directors. Although this draft is not a formal proposal by the European Commission, it certainly gives an indication of what the European Parliament may be looking for.
Below are the top 10 questions that the draft text tries to answer:
I. If I am a U.S. business with global operations, including in the EU, would the directive apply to me?
Almost certainly. The draft Directive (Art. 2) applies to (a) all business enterprises incorporated, domiciled, or established in the EU, as well as (b) non-EU enterprises doing business in the EU (e.g., selling goods or services). Accordingly, regardless of where the company is headquartered, if it does business in the EU, the Directive will likely apply. There are potential exemptions for “micro-businesses,” however. The draft expressly notes that state-owned companies should be required to procure services only from companies that have complied with due diligence obligations and that Member States “are encouraged not to provide extraordinary state support to companies that do not comply with the [draft’s] objectives.”
II. Is the Directive limited to human rights in terms of its scope?
No. Although colloquially it has been referred to as an EU mandatory human rights due diligence initiative, the draft (called “Directive of the European Parliament and of the Council on Corporate Due Diligence and Corporate Accountability”) is far broader and appears to be inspired by the 2017 French corporate duty of vigilance law. It covers three categories of issues (Art. 3):
- Human rights, defined broadly to include rights identified in the International Bill of Human Rights, UN human rights instruments relating to vulnerable groups, principles in ILO core conventions, regional conventions on human rights, and “national constitutions and laws recognizing or implementing human rights.”
- Environmental risks, focusing on impacts “that may impair the right to a healthy environment,” including climate, the sustainable use of natural resources, and biodiversity and ecosystems. The draft specifically references risks involving “climate change, air and water pollution, deforestation, loss in biodiversity, and greenhouse emissions.”
- Governance risks, focusing on “the good governance of a country, region or territory,” which is defined to encompass corruption and bribery, and situations in which a business “becomes improperly involved in local political activities, makes illegal campaign contributions or fails to comply with the applicable tax legislation.”
While companies may have due diligence processes that consider some of these issues, few cover all of them.
III. What does the Directive actually require?
At its core, the draft (Art. 4) requires EU Member States to introduce rules to compel companies to “carry out due diligence with respect to human rights, environmental and governance risks in their operations and business relationships.” A “risk” in this context is defined (Art. 3) as a potential or actual adverse impact on individuals, a group, and other organizations.
Specifically, the draft requires (Art. 4) that businesses “identify and assess,” on an ongoing basis and “by means of an appropriate monitoring methodology whether their operations and business relationships cause or contribute to any human rights, environmental or governance risks.” If the business concludes that it does not cause or contribute to these risks, it must publish a statement to that effect, along with its risk assessment, which must be reviewed if new risks emerge or the business enters new business relationships that can pose risks. If the business identifies risks, it must establish a due diligence strategy that:
- specifies the risks that are likely present and their level of severity and urgency;
- publicly discloses "detailed, relevant and meaningful information" about its value chain, "including names, locations and other relevant information concerning subsidiaries, suppliers and business partners";
- indicates the policies and measures the business intends to adopt to try to cease, prevent or mitigate the identified risks;
- develops an approach to prioritization if all of the risks cannot be addressed at once; and
- states the methodology being followed in creating the strategy, including the stakeholders consulted.
In addition, businesses must publicly describe how their due diligence strategy relates to their business strategy, use contract clauses and codes of conduct to ensure that the human rights, environmental and governance policies of their business partners are aligned with their own due diligence strategy, and “regularly verify” that suppliers and subcontractors comply with their relevant obligations. The strategy must be made public and communicated to workers and business relationships (Art. 6), and the effectiveness of the due diligence strategy should be reviewed once per year (Art. 8).
Given the broad substantive scope, encompassing human rights, the environment, and governance, few companies are in a position to meet this core requirement. It requires a detailed mapping of operations and business relationships, a methodology to assess associated potential impacts, the development of policies, procedures and mitigating measures across operations and third parties, and audits to assess compliance. It also compels extensive substantive expertise across a range of subjects. Indeed, it is almost transformative in its demand, requiring that responsible business conduct become an imperative integrated into the company’s activities on a global basis.
IV. Is this core requirement limited to assessing my EU operations only, or is it broader? For instance, does it cover risks associated with non-EU business activities?
The Directive is not clear on who the reporting entity should be – e.g., whether it can be one or more subsidiaries of a company doing business or based in the EU, or must be the global parent. Nor is it clear whether the “operations” are limited to EU operations, or are global operations unrelated to the EU. However, it is clear that the Directive extends beyond a company’s own operations, and at least will extend to all business relationships associated with activities conducted in the EU. Further, the preamble makes clear that the responsibility to identify and assess business relationships includes “all necessary efforts to identify all” suppliers, and “due diligence should not be limited to the first tier downstream and upstream in the supply chain but should encompass all suppliers and sub-contractors, particularly those that, during the due diligence process, might have been identified by the undertaking as posing major risks.”
V. In developing due diligence strategy, can we rely on our own internal assessment activities, or must we consult external stakeholders?
The draft provides (Arts. 5 and 8) that companies must consult with stakeholders, including trade unions, when establishing, implementing and reviewing their due diligence strategy. In fact, it says that trade unions have a “right … to be involved in the establishment and implementation of the due diligence strategy.” The draft strongly implies that a failure to engage in stakeholder consultations would be considered a legal breach subject to potential penalties.
VI. Must the report be signed or approved at the board level, like Modern Slavery Act statements? Are there other corporate governance requirements?
The draft provides (Art. 11) that there is a collective responsibility among management and boards for ensuring that the diligence processes are consistent with the Directive. In fact, to add an extra set of teeth, the draft indicates that managers and directors could be individually liable for company breaches of the due diligence requirement.
Further, to provide boards of directors with “appropriate knowledge, training and experience in due diligence matters,” the draft requires (Art. 12) that large companies establish an advisory committee, composed of stakeholders and experts, to inform the board “on due diligence matters and propose measures to cease, monitor, disclose, address, prevent and mitigate risks.” While some companies have CSR or human rights advisory committees that provide advice to management or boards, the draft essentially compels such a group for larger companies.
VII. What happens when someone believes a company is connected to serious risks, or has caused or contributed to a negative impact?
The draft requires (Art. 9) that companies establish grievance mechanisms that allow stakeholders to “voice concerns regarding the existence of human rights, environmental or governance risks.” It states expressly that grievance mechanisms should meet the criteria in UNGP Principle 31 (e.g., they must be legitimate, accessible, predictable, safe, equitable, transparent, rights compatible and adaptable). While the grievance mechanisms can be created jointly with other enterprises or organizations, they should be developed and managed based on consultation and cooperation with stakeholders, including workers’ representatives.
The draft also states (Art. 10) that EU countries should make sure that a company that determines that it has caused or contributed to harm should “provide for or cooperate with remediation,” which may include financial or non-financial compensation, rehabilitation, or “contribution to investigation,” and prevent additional harm through guarantees of non-repetition.
VIII. Are there penalties for failing to conduct adequate diligence, or just for negative impacts? And if negative impacts are caused by entities in a value chain, can a company be liable for those?
Liability can accrue for a failure to meet the diligence requirements, and can include the activities of business relationships. The draft Directive states that EU members must designate a competent governmental authority to oversee the Directive (Art. 14), and the competent authority can conduct investigations to ensure compliance (Art. 15). Where the competent authority identifies a failure to comply, the business has an opportunity to take remedial action, but will suffer a penalty if it does not do so. Repeated infringements can lead to criminal penalties (Art. 19).
However, when the dictates of the Directive are met, that is not a defense to civil liability for harms caused or contributed to by a company or its business relationships (Art. 20). The preamble does state that the “jurisdiction of EU courts should be extended to business-related civil claims brought against EU undertakings on account of harm caused within their value chain on account of human rights violations,” but it does not propose specific language in that respect.
IX. Will there be guidance in terms of reporting obligations?
The draft Directive repeatedly states that guidelines should be created to assist in fulfilling the due diligence requirements. That includes guidance provided in consultation with Member States and the OECD (Art. 16), the establishment of a committee of EU competent authorities to facilitate “coordination and convergence of regulatory and supervisory practices” (Art. 18), and giving Member States discretion to encourage sectoral due diligence action plans to coordinate due diligence strategies within different sectors (Art. 13). Of note, and as expected, the draft states that the guidelines should take “due account” of other existing international standards, including the UNGPs, the OECD Guidelines for Multinational Enterprises, and specific due diligence guidance.
X. What are the next steps?
The draft report will be sent to the European Commission, with a request that the Commission submit a formal legislative proposal following the recommendations set out in the draft report. The draft report also will be sent to the Council of Ministers and the Governments of EU Member States, though the Commission has discretion regarding how much of the draft it wants to include in a future legislative proposal. Assuming the Commission submits a legislative proposal, which seems quite likely, it will be debated by the EU Parliament and the Council. Although the process is moving quickly by EU standards, it seems unlikely that finalization and adoption will take place in the next 12 months. Once finalized, Directives require Member States to include the requirements in domestic laws, and the draft provides States 24 months to do so after the Directive is adopted. One point that remains to be seen is how this EU initiative will interact with the various national laws already adopted (France, Netherlands) or to be adopted in 2021 (Germany, Switzerland, Norway).