The European Commission’s recent publication of its proposed Corporate Sustainability Due Diligence Directive (the Directive) is the first regional attempt to mandate comprehensive human rights and environmental due diligence (HREDD), and to include administrative penalties and civil liability where companies fall short. This represents a significant step forward for corporate accountability in advancing the mandate of the United Nations Guiding Principles on Business and Human Rights (UNGPs), and may act as a precedent for other jurisdictions.

It is critical the technology sector, given its pervasive impacts across society, is adequately addressed by this initiative. Recent examples of tech-related harms which have dominated headlines include: the weaponisation of hate speech causing online and offline rights violations, illegal surveillance resulting in loss of privacy, censorship of dissent impeding freedom of expression, bias built into AI and automated decision-making leading to the further marginalisation of already vulnerable communities, and the dumping of e-waste without adequate focus on facilitating repair and refurbishment impacting the environment.

Against this background, the Business & Human Rights Resource Centre's initial analysis of the Directive from a tech perspective suggests it represents an important step in bolstering corporate accountability generally, but gaps in the draft must be addressed if tech-related companies and their impacts are to be fully covered.

1.Personal scope

The Directive only applies to EU-operating companies over a certain size, based on turnover and workforce. It also applies to companies with a lower threshold if they belong to one of the named high-impact sectors. Technology or digital companies have not been included in the current list of high-impact sectors. The Directive should apply to all EU-operating companies, with a specific understanding that, while the responsibility to respect human rights and the environment applies to all businesses, the means through which a company meets the required standard will vary according to size and severity of impacts, among other factors. At a minimum, technology should be added to the list of high-impact sectors and all thresholds considerably lowered.

2.Listing of rights

Under the Directive, companies are required to assess and address ‘violations’ of the rights (a term not fully in line with the UNGPs), obligations and prohibitions listed in the Annex to the Directive. The current list fails to explicitly include rights such as freedom of expression, health and education, which are particularly vulnerable in the world of technology. In addition, listing specific rights while other rights are only covered through a catch-all clause creates ambiguities and an artificial hierarchy. An alternative would be to focus on an extended list of applicable conventions instead which would require companies to comprehensively focus on the myriad of rights impacted by technology, or at least also expand the list of rights spelt out and make clearer it is still non-exhaustive, if the current approach is to be kept.

3.Value chain and business relationships

In undertaking effective HREDD, technology companies should be required to address impacts along the full value chain. Downstream impacts of technology are felt by millions of users and non-users alike, such as in the case of surveillance technology. While due diligence under the Directive, in principle, has to extend to both upstream and downstream relations, current restrictions mean the draft also falls short regarding downstream assessment. For instance, the Directive places emphasis on limiting the scope of companies’ due diligence within its value chain to "established business relationships", defined in terms of intensity or duration. This may be insufficient for the tech sector too, where, for example, tech entities may be contracted to develop codes at different points in production. To prevent the corrosion of the quality and effectiveness of the HREDD process for tech and digital companies, the Directive should ensure emphasis on all parts of value chains and include all business relationships following a risk-based approach.

4.Stakeholder engagement

Under the Directive, requirements for stakeholder engagement can be read as optional in the context of HREDD. It should be central. Further, vulnerable groups, affected communities and gender representation need specific mention in the Directive to ensure the impacts on users and non-users are adequately addressed. Given the increasing use of technology to repress human rights defenders, their specified inclusion in the Directive will be critical. The Directive would be strengthened by explicit inclusion of vulnerable groups, including human rights defenders, in mandatory engagement processes, to address key impacts of the tech sector.

5.Consequences

The Directive provides for administrative sanctions and civil liability if companies fail to comply. However, a range of exceptions or mitigating circumstances is included. This may enable technology companies to shrug off their responsibilities. For instance, companies selling facial recognition technologies may not be liable for damages caused by an adverse impact arising out of the activities of an indirect partner or buyer, provided the company has taken contractual and verification measures (the argument put forward by these companies currently). The Directive would be more effective if companies are required to demonstrate they fulfilled their obligations by taking all necessary, adequate and effective measures in good faith.

The Directive represents a watershed moment in the corporate accountability movement; it must not be wasted in respect of a sector with some of the most pervasive impacts of the modern age.

-----

The Business & Human Rights Resource Centre will publish a briefing paper that digs deeper into these concerns in the coming weeks with the hope that the Directive can be bolstered to require thorough examination by tech firms of the broad impact of technology on our rights and lives.

Follow updates on the Directive