The Long Awaited Draft Directive on Corporate Sustainability Due Diligence
The long-awaited European Commission proposal on a draft directive on human rights due diligence has arrived, and represents the next step toward human rights becoming a business imperative. The draft Directive on Corporate Sustainability Due Diligence (“Draft Directive”) comes almost one year after the European Parliament adopted a “resolution with recommendations to the Commission on corporate due diligence and corporate accountability” that would obligate companies operating in the EU to conduct due diligence along their value chains. The Draft Directive takes a slightly narrower approach in some respects, but broader in others. No doubt, it will be the subject of debate throughout the year. Nonetheless, if adopted in its current or a similar form – adoption of some version of a directive seems inevitable - it still would compel many companies, both based in the EU and doing business there, to adopt new systems, processes, governance and public reporting, and further propel human rights diligence to become engrained in core business activities.
Some critical takeaways, explained in more detail below:
The Draft Directive requires that companies: integrate due diligence into their policies; assess actual and potential negative impacts; institute measures to prevent and mitigate those impacts, and exit relationships or business lines if risks cannot be sufficiently mitigated or prevented; adopt processes to evaluate the effectiveness of those measures; report publicly on the assessment activities, risks, mitigating measures, and processes to evaluate effectiveness; and adopt grievance mechanisms. The Draft Directive applies to certain core human rights and environmental issues, defined by widely accepted conventions. It does not include “governance,” as appeared in earlier proposals.
- Value Chain:
The Draft Directive applies to the value chains of “established business relationships,” whether direct or indirect, which are “lasting” in terms of “intensity or duration and which do not represent a negligible or merely ancillary part of the value chain.” Therefore, companies would be required to focus on those entities with whom they have the strongest direct and indirect relationships.
- Board Liability:
The Draft Directive substantially increases the obligations of Directors under their “duty of care” obligations to take into account human rights, climate change and environmental impacts, and to take active steps to ensure that the company is evaluating, addressing, and reporting on its human rights and environmental risks and impacts just as they do with financial reporting and material business risks. Specifically, boards must oversee the company’s due diligence policy and program to address actual and potential impacts.
The Draft Directive contemplates sanctions and penalties for failing to conduct adequate due diligence. Regarding civil liability, it requires Member States to ensure that companies can be held liable for damages if they fail to prevent, mitigate, and terminate a negative impact that “should have been identified, prevented, mitigated, brought to an end or its extent minimised.” That applies to company operations, those of their subsidiaries, and those of their long-term value chain partners. However, regarding business partners, where a company does take appropriate action through contractual clauses or mitigating measures, it will not be liable for damages for the adverse impact of an indirect partner with whom it has an established business relationship unless the action taken was unreasonable in mitigating or preventing the impact.
Member States will be required to establish a supervisory authority that will monitor the activities of regulated companies, and can act when substantiated concerns are raised. Companies will be regulated in the Member State where they have a registered office, or where they generate the most revenue. Member States can conduct investigations where they believe breaches by a company of its obligations have occurred, must allow individuals and entities to raise “substantiated concerns” about a company’s failure to comply with domestic laws that carry out the Directive, and must ensure they have access to a court or other impartial body to raise their concerns.
The last few years have witnessed a sprint toward mandatory human rights due diligence throughout Europe, with a marked acceleration in 2021. Domestic laws requiring that companies assess human rights and sometimes environmental risks in their supply or value chains have now been enacted, in one form or another, in France, Germany, Norway, and Switzerland. Legislative efforts are progressing in Spain, the Netherlands, and elsewhere, and government leaders across the continent have pledged similar efforts. Scores of major European companies and investors have likewise voiced their support for mandatory human rights diligence laws. The Commission references this proliferation of initiatives in support of a Union-wide approach. According to the Commission, “if due diligence requirements are significantly different among Member States, this creates legal uncertainty, fragmentation of the Single market, additional costs and complexity for companies and their investors operating across borders as well as other stakeholders. EU action can avoid this and therefore has added value.”
Indeed, in February 2020 the EU published a lengthy study on regulatory options for due diligence legislation, followed shortly thereafter by a commitment from EU Justice Commissioner Didier Reynders to introduce rules for mandatory corporate environmental and human rights due diligence in early 2021. In September 2020, the EU’s Committee on Legal Affairs published a report that included a draft directive focusing on mandatory human rights, environmental, and governance due diligence throughout a company’s value chain, relying largely on principles in the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. Following a public consultation, in March 2021, the European Parliament adopted a resolution requesting that the Commission submit a legislative proposal on mandatory supply chain due diligence based on the new proposed directive annexed to the resolution.
The European Parliament proposal took a maximalist approach. The proposal applied to EU-based businesses, as well as non-EU based businesses active in the EU’s internal market. It covered large businesses and publicly listed or high-risk small and medium-sized enterprises (“SMEs”). It was not limited to certain sectors, and included state-owned enterprises. It encompassed human rights, as well as environmental and “governance” risks, with governance including corruption, undue political influence, and tax evasion. It applied to companies, their affiliates, and their value chains—upstream and downstream—without limitation. The core requirements, which are similar among mandatory diligence laws, included member state obligations to introduce rules to compel businesses to identify and assess on an ongoing basis and through risk-based monitoring whether their operations and business relationships cause, contribute to, or are directly linked to potential or actual adverse impact. Under that proposal, businesses were required to: specify those actual or potential impacts, as well as their level of severity, likelihood, and urgency; map and publish details about their value chains upstream and downstream; adopt business processes to prevent or mitigate the risks of negative impacts; evaluate the effectiveness of those processes; and report publicly on the risks, responsive measures, and how companies are assessing the effectiveness of those measures. The proposal did not require director oversight or that directors affirm company public reports, but envisaged that for due diligence to be embedded in the culture and structure of an undertaking, the boards should adopt and implement a sustainability and due diligence strategy, that boards should have appropriate knowledge, training, and experience in due diligence matters, and that large companies must establish an advisory committee to inform the board about due diligence matters. It required companies to institute grievance mechanisms, and provided that liability could accrue for a failure to meet the diligence requirements, that meeting the requirements of the Directive would not be a defense to civil liability, and that liability could accrue from the activities of business relationships. Finally, it noted that each EU country would have to designate a competent governmental authority to oversee application of the Directive and empower that authority to conduct investigations to ensure compliance.
The Draft Directive
Originally, it was expected that the Commission would present its draft in July 2021, then October, and then December 2021. Obviously, the Draft Directive has been the product of significant debate, as it has pared back the European Parliament proposal (hereafter the “proposal”) in many key respects. In terms of the salient components:
Scope. As with the proposal, the Draft Directive applies to EU-based and non-EU based businesses operating in the EU. However, whereas the original proposal applied to large companies and publicly listed or high-risk SMEs, the Draft Directive takes a slightly different approach.
As set forth in Article 2, it covers: EU-based companies with (a) more than 500 full-time equivalent (“FTE”) employees and more than €150 million in annual turnover; or (b) 250 to 500 FTEs and more than €40 million in annual turnover, with at least 50% of that turnover generated from those specific sectors that correspond to the OECD’s sector-specific due diligence guidances. Specifically, as of today, that includes: (i) textiles, clothing, and footwear, including leather and related products; (ii) agriculture, forestry, fisheries, food manufacturing, and the trade of agricultural raw materials, animals, food, and beverages; and (iii) mineral resources wherever they are extracted, including oil, gas, coal, metals, ores and non-metallic minerals, the manufacturing of metal products, non-metallic mineral products and fabricated metal products (except machinery and equipment), and the trade of mineral resources and mineral products, including metals, ores, fuels, and chemicals. For non-EU based companies, the Directive would also apply: (a) if they generated a net turnover of more than €150 million in the EU over the past year; or (b) they generated more than €40 million in annual turnover in the EU, and where at least 50% of their net worldwide turnover was generated in one or more of the sectors above. No employee threshold applies to non-EU based companies. According to the Commission, that would cover about 13,000 EU companies and about 4,000 third-country companies. It excludes SMEs, however.
Notably, the list of sectors for smaller or mid-sized companies appears to exclude several, such as technology, life sciences, finance, and construction, which have been associated with negative human rights impacts. Further, the employee and/or turnover thresholds are lower than the new German Supply Chain Due Diligence Act, France’s Duty of Vigilance Law, and the Swiss domestic ordinance, and thus would require amendments to those laws.
Substantive Scope. The Draft Directive (Art. 4) takes a narrower approach than the proposal. It includes human rights and the environment, as did the proposal, the UN draft business and human rights treaty, and the French Duty of Vigilance Law. However, it does not include “governance” despite numerous links between corruption and human rights, and a recent Parliament recommendation to adopt an EU global anti-corruption strategy that acknowledges the link between human rights and corruption. The absence of a governance requirement would perhaps make it somewhat easier for companies to meet the core requirements of the Directive, though given the existing enforcement approach to anti-corruption, many companies have anti-corruption programs in place already.
Further, it is unclear which human rights it actually covers. It enumerates certain core human rights as defined in instruments such as the International Bill of Human Rights, the UN Convention on the Rights of the Child, and certain ILO Conventions, and the Palermo Protocol to prevent trafficking in persons. Importantly, it then includes an important catch-all that substantially expands the list, encompassing rights protected by an enumerated human rights agreement “which directly impairs a legal interest protected in those conventions.”
Regarding the environment, it covers provisions reflected in major international Conventions, including the Convention on Biological Diversity, the Minamata Convention, the Basel Convention, and others. In substance, it covers biodiversity, endangered species, mercury-added products and waste, exporting hazardous waste and waste disposal, certain chemicals and pollutants, and other areas. Oddly, it does not include climate change or the Paris Agreement. However, Article 15 provides that Member States must ensure that EU-based companies covered by the Draft Directive “adopt a plan to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy,” and with limiting of global warming to 1.5 °C under the Paris Agreement. The plan also should include whether climate change is a risk for the company’s operations, and if it is a “principal risk,” emission reduction objectives. Of note, neither the German nor the Norwegian laws appear to cover the full scope of environmental issues contemplated, and the Swiss ordinance—which focuses on child labor—covers neither the environment nor all of the human rights referenced in the Draft Directive.
Value Chain Coverage. Like the proposal, the Draft Directive covers company operations, subsidiaries, and other business relationships. It also covers both upstream and downstream business relationships, to some extent. However, unlike the draft proposal, the Draft Directive primarily applies to the value chains of “established business relationships,” namely those, whether direct or indirect, which are lasting in nature and which do not “represent a negligible or merely ancillary part of the value chain” (Art. 3(f)). On the one hand, that should help limit the obligations of companies to conduct due diligence on all aspects of their value chains, allowing them to focus on those entities most significant to their products and services. In some respects, this concept is akin to the French Duty of Vigilance Act, which draws from the commercial law concept “relation commerciale établie” (established commercial relationship). By comparison, the German and French laws only focus on the supply chain (e.g., upstream), and not on downstream customers and end-users, and thus both would require expansion in those respects.
On the other hand, where there is an established direct business relationship, the intent is for the entire value chain of that business relationship to fall within the scope of the Draft Directive. Article 1(1)(a) makes clear that the intent is to place “obligations for companies regarding actual and potential human rights and environmental adverse impacts, with respect to their own operations, the operations of their subsidiaries, and the value chain operations carried out by entities with whom the company has an established business relationship” (emphasis added). That concept is explained further in the recitals (paragraph 21): “If the direct business relationship of a company is established, then all linked indirect business relationships should also be considered as established regarding that company.” Accordingly, the Draft Directive seeks to compel companies to assess risks and use their leverage not just on established direct relationships, but also on that third party’s relationships. However, given that the concept of extending obligations to the value chains of established direct relationships is not included in the formal definition of “established business relationship” in Article 3(f), it remains to be seen whether it would be construed as such in practice.
Core Requirements. Similar to the proposal, the Draft Directive (Art. 5) provides that Member States must enact laws that require companies to integrate due diligence into “all corporate” policies, and have in place a due diligence policy that reflects the company’s diligence approach, a code of conduct, and a description of the processes to implement due diligence and verify compliance with the code. In essence, this requirement dictates that companies must enact formal diligence processes.
In addition, most of the core diligence requirements (Art. 4) are similar to the proposal. Indeed, the diligence concept in the Draft Directive largely reflects the scheme in the OECD Due Diligence Guidance for Responsible Business Conduct and OECD sector-specific due diligence guidance, which typically take a four part approach: assess actual and potential negative impacts; institute measures to prevent and mitigate those impacts; adopt processes to evaluate the effectiveness of those measures; and report publicly on the assessment activities, risks, mitigating measures, and processes to evaluate effectiveness. Specifically, under the Draft Directive, states must adopt legislation that requires that companies:
- Conduct due diligence regarding whether their operations and established business relationships cause, contribute to, or are directly linked to potential or actual adverse impacts (Art. 6);
- Take steps to prevent or mitigate the risks of such negative impacts, including through action plans, contractual clauses with business partners, and necessary investments, and where adverse impacts could not be prevented or mitigated, the company cannot enter into new or extended relationships related to those impacts (Art. 7);
- Bring to an end actual negative impacts that have been, or should have been identified, whether through the payment of damages to individuals or compensation to affected communities, through corrective action plans, contract clauses, investment into management or production processes and infrastructure, terminating business relationships where relevant adverse impacts cannot be ended or mitigated, and ceasing relevant future business activities (Art. 8);
- Adopt grievance mechanisms that allow concerns to be raised directly by affected individuals or through trade unions or civil society organizations (Art. 9);
- At least every 12 months and when there are reasonable grounds to believe that significant new risks are present, assess the effectiveness of their processes to identify, mitigate, prevent, and terminate negative impacts in their operations and those of their established business relationships, through qualitative and quantitative indicators (Art. 10); and
- Report on the nature of the diligence steps, potential and actual impacts, and the actions taken on those, in a manner to be further defined by the Commission (Art. 11).
While much of this is similar, at least conceptually, to last year’s proposal, the Draft Directive expands—in Articles 7 and 8—the notion that companies must take action to mitigate and present negative impacts, including curtailing business activities and relationships. In its explanatory memorandum, the Commission cautions that a reasonableness standard should apply, indicating that “[t]his Directive should not require companies to guarantee, in all circumstances, that adverse impacts will never occur or that they will be stopped. . . . The company should take the appropriate measures which can reasonably be expected to result in prevention or minimisation of the adverse impact under the circumstances of the specific case. Account should be taken of the specificities of the company’s value chain, sector or geographical area in which its value chain partners operate, the company’s power to influence its direct and indirect business relationships, and whether the company could increase its power or influence.” While Articles 7 and 8 use the term “appropriate” and “proportionate,” Article 6—reflecting the due diligence requirement—does not reference a risk-based approach. Accordingly, the Commission’s statement of intention ultimately may not be easy to reconcile with the provisions themselves, nor the Draft Directive’s liability provisions, discussed below.
Guidance. The Draft Directive contemplates a wide range of guidance to assist companies. These include the Commission issuing model contract clauses (Art. 12), providing sector-specific guidelines (Art. 13), supporting due diligence in the Union and third countries and facilitating joint stakeholder initiatives (Art. 14), and Member State assistance to SMEs (Art. 14). The Draft Directive also notes that companies can rely on industry schemes and multi-stakeholder initiatives (“MSIs”) in their diligence efforts, and the Commission may issue guidance for evaluating the fitness of those industry schemes and MSIs, likely drawing from the OECD’s alignment assessment methodology and process (also used in the EU’s conflict minerals regulation). That should assist companies who already look to well-established MSIs aligned with the Directive and internationally recognized guidance, such as the Global Network Initiative and the Voluntary Principles on Security and Human Rights, at least to some extent.
Board Oversight. Somewhat surprisingly, the Draft Directive increases the obligations of Directors beyond what the proposal contemplated. It notes that as part of their “duty of care” to act in the best interests of the company, boards of large EU-based companies must take into account human rights, climate change and environmental consequences, “including in the short, medium and long term.” Further, boards must oversee the company’s due diligence actions, the due diligence policy, and the company’s core due diligence approach, including adopting corporate strategies to address actual and potential impacts (Art. 25, 26).
In essence, the Draft Directive would redefine a board member’s responsibilities. It would include not just financial results, but human rights and environmental issues, including specifically climate change. This reflects a clear determination that the Commission sees human rights and environmental issues as a core business requirement, and directors will be expected to take active steps to gain confidence that the company is evaluating, addressing and reporting on its human rights, climate and environmental risks and impacts in a manner that is responsible and accurate, just as they do with financial reporting and in connection with material business risks.
Liability & Enforcement. As with the proposal, the Draft Directive contemplates sanctions and penalties for failing to conduct adequate due diligence. Regarding civil liability, it requires (Art. 22) Member States to ensure that companies can be held liable for damages if they fail, as set out in Articles 7 and 8, (a) to prevent, mitigate, and terminate negative impacts they, their subsidiaries, and their established business relationships cause or contribute to, and (b) if as a result an adverse impact led to damage where it “should have been identified, prevented, mitigated, brought to end or its extent minimised.” However, regarding value chain entities, where a company takes appropriate action through contractual clauses or mitigating measures, it will not be liable for damages for the adverse impact of an indirect partner with whom it has an established business relationship unless the action taken was unreasonable in mitigating or preventing the impact. That exclusion does not apply to direct value chain entities.
This civil liability provision is significant. Although the Commission acknowledges that it will be difficult to prevent all risks through global value chains, the Draft Directive essentially eradicates the concept of parent liability. It also makes companies potentially liable for the acts of value chain partners in the first tier and beyond it where the company does not act to appropriately identify risks and/or take appropriate preventative actions. For non-EU companies, it also means that they potentially could be held civilly liable in EU courts for acts that they, their subsidiaries, and value chain entities commit. In addition, there could be a rise in litigation initiated against Directors, for non-compliance with the further duties placed on them by the Directive (as noted above).
Further, as with the proposal, Member States will be required to establish a supervisory authority that will monitor the activities of regulated companies, and can act when substantiated concerns are raised (Art. 17). Companies will be regulated in the Member State where they have a registered office, and if they have branches in multiple states (or do not have a branch) by the Member State where they generate the most revenue (Art. 17). Member States can conduct investigations where they believe breaches by a company of its obligations have occurred. Where a violation exists, the company may have a period of time to take remedial action, though the company still may be subject to fines (which will be based on the company’s turnover (Art. 20)) and civil liability (Art. 22). Member States also must allow individuals and entities to raise “substantiated concerns”—where there is a reason to believe, based on objective facts, that a company is failing to comply with domestic laws that carry out the Directive—and ensure they have access to a court or other impartial body to raise their concerns (Art. 19). There is no clear line of what may be a “substantiated concern,” however, which is likely at least part of the reason the Commission proposes to set up a network of supervisory authorities to help coordinate oversight and the sharing of practices (Art. 21).
The text of the Commission will now be presented to both the Council of the European Union and the European Parliament, and they must come to an agreement on a consolidated text. We can expect a great deal of formal and informal discussion between the Council and the European Parliament, which may delay adoption of a final, agreed text. However, in light of the broad support for mandatory human rights due diligence and corporate accountability—evidenced in the increasing adoption by Member States of such legislation—we believe that it is more a question of “when” than “if” the Directive will be adopted. It is expected that, once the Directive is adopted, EU Member States will have two years to transpose it in their national legislation. While large EU and non-EU based companies covered by the Directive—those with more than 500 full-time employees and more than €150 million in annual turnover—will have compliance obligations within two years of the Directive’s adoption, smaller companies covered because of their sectors will have three years to comply after the Directive is adopted (Art. 30).
While somewhat narrower than originally contemplated in several important respects, the Directive would be groundbreaking if adopted. Most companies based or operating in the EU, even major multi-national entities, do not currently have the full scope of systems and processes to meet the demands of the law. It would include due diligence of all relevant company affiliates, and ongoing upstream and downstream due diligence around core products; that will almost certainly mean that human rights and environmental risks would have to be assessed through standalone activities and by including substantive indicators in day-to-day transactions and business dealings. It would require human rights and environmental risk prioritization, concerned and systematic efforts to mitigate identified risks, and new programs to evaluate the extent to which those efforts are working in practice. There would be new processes required to gather information and report it to boards of directors, who will have new duties and responsibilities, and will require individuals with sufficient proficiency in relevant human rights and environmental matters to evaluate the diligence approach, the importance of the risks identified, and the strength of responsive measures.
In short, the Draft Directive is a major step toward making human rights a business imperative on a worldwide basis. Regulated companies will be compelled to integrate human rights throughout their business dealings, including employee and third party retention, product evaluation and monitoring, mergers and acquisitions, and other fundamental business activities. While that will apply to many thousands of companies, their suppliers and customers based around the world are tenfold in number, and will be subject to the diligence and mitigating measures of those regulated companies. The result will be a giant leap forward in making human rights engrained in business dealings around the world.