What’s the issue?

As a result of growing societal expectations on companies to avoid causing or contributing to harm public engagement and reporting – by local communities, activists, non-governmental organizations, journalists, workers, whistleblowers and others – on companies’ due diligence practices has increased. But because of this public engagement and reporting, stakeholders and others associated with them have suffered retaliation. Retaliation comes in many forms, ranging from intimidation and threats, slander and defamation, strategic lawsuits against public participation (SLAPPs), electronic or physical surveillance, property damage or loss, travel bans, physical violence, assassinations, and discrimination, disadvantage or adverse treatment in relation to employment.

Increasingly so, there is credible information to indicate that acts of retaliation are taken by companies themselves – for example by engaging in SLAPPS against NGOs – or encouraged or sanctioned by them – for example where their business relationships, such as suppliers, contractors or government authorities, are at cause of violent attacks or other forms of reprisal.

In short, people expose corporate misconduct, and they get attacked for it. The problem is global: attacks take place both within the regions where many global brands are headquartered, such as the EU, but also elsewhere. Attacks are also global in that they are taken, encouraged or sanctioned by EU-based companies or by companies associated with them but domiciled elsewhere, or by companies providing products and services to the EU market. The goal is to silence people, by threatening or harming them or those close to them.

This reality poses an important question: how should individuals, groups and organisations that expose business-associated risks and impacts be protected against retaliation? What measures could and should companies take to address such risks, in particular when investing in countries where repressive governments rule? What measures should the EU put in place to ensure that people can safely report under the proposed mandatory due diligence legislation? And how should EU member states, in transposing the law, reflect these risks and address retaliation that has occurred?

Why is this important?

Under the proposed EU legislation, civil society will have a key role to play in providing information on companies’ due diligence processes – whether through direct engagement with the companies concerned in the context of stakeholder engagement, through whistleblowing disclosures, media reporting, lawsuits, public advocacy campaigns or by other means. This role is important because it can lead to the detection, investigation and prosecution of violations of EU law that would otherwise remain hidden. But experience shows that stakeholders are unlikely to provide information if they feel threatened, and if there are few or no measures to protect them against retaliation and undue pressure. To ensure effective implementation of the proposed legislation on mandatory due diligence, addressing risks of retaliation in a consistent manner should be a priority.

Companies will also need to manage these risks if they want to show that they have done their due diligence: retaliation often happens in countries where impacted individuals and communities have limited possibilities to express dissenting views and may be routinely punished for doing so. In these contexts, it is unlikely that key due diligence requirements – in particular meaningful stakeholder engagement – can be met unless companies have put in place targeted security measures to hear stakeholder views, in particular the critical.

What can be done?

Safe stakeholder engagement has been part of the current discussions over the proposed law, but this concept has yet to be further defined. There is both a need and an opportunity to clarify what safe stakeholder engagement – beyond the narrow scope of public consultations – means in practice and how this aspect should be considered as part of companies’ due diligence. Above all, there is a need to incorporate legal safeguards against retaliation into the proposed law and implementation guidance. The emerging body of guidance on engaging with stakeholders and addressing risks of reprisals in business contexts is a useful source for both companies and the Commission in this regard.

Protection against retaliation for reporting corporate misconduct has, to some extent, already made its way onto the EU’s legal and policy agenda. For example, depending on how the EU’s Whistleblower Protection Directive is transposed into national law, protection could be afforded to some individuals for reporting on corporate misconduct across supply chains. The EU’s Human Rights Defender Guidelines and associated funding mechanism could support others that have suffered harm for disclosing companies’ adverse impacts. Directives that establish requirements to inform and consult employees could offer a certain degree of protection for employees based in Europe when performing their functions as worker representatives. Nevertheless, the existing protections currently form a haphazard and uneven patchwork, and it is unclear to what extent existing EU directives and guidelines could be relied upon by the new due diligence law to address risks of retaliation against the individuals and groups that are typically most at risks.

Beyond making single references to safe stakeholder engagement or referencing partly relevant directives in passing, how can the Commission cast the net wide enough to encourage the protection of a broad group of stakeholders working to expose corporate misconduct? Should companies, the EU itself and member states adopt a one-size-fits-all approach to manage risks of retaliation against all stakeholders, or should existing protection be kept as is and new protection (in particular against those stakeholders that are typically outside its scope, such as local communities and individuals in the global South, and NGOs, lawyers and journalists) be developed?

A submission prepared by the author to the EU Commission addresses these questions and puts forward practical recommendations for how companies, the EU and member states can work to reduce risks of retaliation and contribute to the effective implementation of the mandatory human rights due diligence law.

About the author:

A former staff member of the UN Human Rights Office, Tove Holmström is an independent consultant based in Paris, France. Her work addresses responsible business conduct, with a particular focus on retaliation in the context of access to remedy. In this field she has, amongst other, worked with the Organization for Economic Co-operation and Development (OECD), the Independent Consultation and Investigation Mechanism of the Inter-American Development Bank, the Project Complaints Mechanism of the European Bank for Reconstruction and Development, IDB Invest, and the UN Special Rapporteur on the situation of human rights defenders. She is the author of the “MICI toolkit”, a guide on measures to address the risk of reprisals in complaint management, and is regularly consulted by development lending institutions, grievance mechanisms, companies and other actors hat are seeking to develop policies to better assess and address risks of reprisals against their stakeholders, including complainants and other cooperating persons. From 2018 to 2020, she served as an independent expert at the internal accountability mechanism of the French Development Agency (Agence Française de Développement).