The EU is slowly but surely setting the stage for new legislation on supply chain due diligence that will be expansive in its reach and global in its impact. As it makes human rights due diligence a business imperative, the EU will send a signal that it is willing to harness the rules of the single market to turn not only multinationals, but also SMEs into vectors for its external policy. But this may have unintended consequences: Uncalibrated extra-territorial application could lead to regulatory overreach into complex global supply chains, or alternatively it could lead to poor practical implementation.
On 10 March 2021, the European Parliament adopted its Report on Corporate Due Diligence and Accountability. This report provides a sense of the final shape of a future EU Directive. Under the proposed text, companies would be required to carry out due diligence strategies to assess and address the risks related to the operations of their global supply chains. The covered risks are threefold: human rights (e.g. forced labour, worker safety), the environment (e.g. ecosystem degradation, unsafe levels of hazardous products), and good governance (e.g. bribery of public officials in international business transactions).
The new rules cast a wide net, applying across all sectors of economic activity and to all firms that are either registered under the laws of an EU Member State, or that are registered outside the EU but nevertheless maintain operations within the single market. Rather than impose requirements on specific companies above a certain size, the EU law would bind all companies (albeit with less strict requirements for smaller enterprises).
Companies with cross-border operations will bear a duty of vigilance. According to Article 4 of the European Parliament’s report – the heart of the proposed legislative text – companies would discharge this duty by conducting risk assessments and publishing the results of these due diligence reviews. Even if the review concludes that the company does not contribute to human rights, environmental, or good governance risks, it must still publish a “statement in that sense”. The proposed Directive would thus introduce a comply-and-explain principle, rather than the comply-or-explain principle currently applied in the Non-Financial Reporting Directive; yearly reports will thus become a mainstay for European companies.
In order to complete these reviews, companies will have to assess the impact of their business relationships across their entire supply chains and ensure that their business relationships put in place policies in line with their own due diligence strategy.
Under the proposed legislation, if a company does identify a potential risk, it would be required to establish a due diligence strategy. This strategy should follow a prescribed series of steps similar to existing OECD recommendations:
(1) specify and categorize the identified risks;
(2) publicly disclose detailed, relevant, and meaningful information about the company’s value chain;
(3) establish a plan with measures that will be taken to respond to the risks;
(4) set up a prioritization policy in the case of several risks warranting response; and
(5) indicate the methodology followed for assessing these risks.
It is still unclear how exactly the EU will differentiate between various degrees of relationships within supply chains. For instance, is it reasonable for a parent company to be held responsible for the actions of a supplier to the second or third degree? The original version published by the European Parliament defined ‘business relationships’ as running along the “entire value chain”, and these could be either direct or indirect. The wording was tightened in the version finally adopted: ‘business relationships’ are now defined by reference to a direct link to a company’s business operations. But while the new draft gives “due regard for commercial confidentiality”, companies would still be required to “map their value chain”, which “includes entities with which the undertaking has a direct or indirect business relationship”.
The proposed Directive will attach heavy risks to non-compliance. Public enforcement is provided for through the designation of national enforcement agencies responsible for monitoring companies’ implementation of due diligence. Private enforcement would be made possible through the modification of the rules of civil liability. The report further proposes a modification of Europe’s private international law regime, a change which could amount to a small revolution, as parent companies could be more easily held liable for damage caused by subsidiaries in third countries. A future increase in human rights litigation is thus highly likely.
The European Commission, which now must produce a formal legislative proposal, has already signaled its willingness to make human rights supply chain due diligence an important part of its new open, sustainable, and assertive trade policy.
However, uncalibrated due diligence obligations risk obfuscating the complex realities of today’s global supply chains. That the EU would use its globally trading companies as vectors for a value-based external policy necessarily means that these same companies may be caught in the crossfire in a climate of heightened potential for global economic conflict, as companies such as H&M have recently experienced. Furthermore, the extra burden imposed on Europe’s SMEs would appear to be unworkable. Thus Murphy’s law, that anything that can go wrong will go wrong, is likely to materialize once more as a result.