As regulatory supply chain scrutiny increases, it’s vital for businesses to be ready to demonstrate the human rights due diligence practices they adhere to.
By Marina Dorileo, Content Innovation Lead at Enhesa
This article was originally published on the Enhesa website in September 2024.
Supply chain transparency is an increasingly regulated area of business operations — and that includes the need for companies to exercise excellent human rights due diligence (HRDD) processes. Not only is there greater scrutiny from investors, stakeholders, and the general public, but there’s also a growing risk of non-compliance. Fines and product seizures are increasing in frequency, as organizations scramble to keep up with rapidly evolving regulatory requirements.
But what’s behind these developments? What should companies be doing to remain aware of expectations and requirements — and what’s coming next?
In this article, Enhesa’s Content Innovation Lead Marina Dorileo delves into the complex and nuanced subject of human rights due diligence to provide a clear examination of the current state of legislation, including how we arrived where we are, the impact it has on organizations today, and what we can expect to see in the future as global regulations continue to evolve.
A potted history of human rights due diligence
We’re all familiar with the concept of human rights and its legislation. But it’s taken a fair amount of time for regulations to catch up with the more universal understanding of what human rights are and how society should honor and protect them.
The relationship between business and human rights is not a new debate for the international community. In fact, it’s been going on since the 1970s. However, the concept that businesses can have human rights responsibilities in host countries (where they operate), regardless of legal requirements, is rather new and not totally accepted — as recognized by John Gerard Ruggie in his book Just Business: Multinational Corporations and Human Rights.
The traditional view of human rights law is that corporations don’t have direct human rights obligations, since these obligations fall on the State, with businesses being responsible under domestic law. This is starting to change, however, with the inclusion of HRDD considerations in various regulations — particularly those relating to human rights risks and violations, and supply chain transparency — moving these topics from voluntary to mandatory requirements.
To provide a little context, here’s a very brief history of human rights due diligence:
1970s
The United Nations attempts to approve a document related to the regulation of transnational corporations’ activities. This first attempt was, according to Ruggie, “initiated by developing countries as part of a broader regulatory program with redistributive aims known as the New International Economic Order”. The project was formally abandoned in 1992.
In 1976, the Organization of Economic Cooperation and Development (OECD) launched the Declaration and Decisions on International Investment and Multinational Enterprises. The OECD MNE was designed as a set of recommendations to guarantee that businesses’ operations are consistent with government policies, focusing on human rights, employment and industrial relations, the environment, and combating bribery and extortion, among others.
1990s
Corporate Social Responsibility (CSR) initiatives see significant growth. One of the most prominent was the creation of the UN Global Compact (UNGC) in 2000, which was “a call to companies everywhere to align their operations and strategies with ten universally accepted principles”.
In 1998, the UN Sub-Commission on the Promotion and Protection of Human Rights conceived a working group on Business and Human Rights responsible for giving advice and submitting proposals related to the activities of transnational corporations.
2000s
In 2003, the Business and Human Rights group attempted to create a legally binding document to apply human rights law to companies. The document was approved by the Sub-Commission, but rejected by the Commission on Human Rights.
In 2005, John Ruggie was appointed as Special Representative of the Secretary-General (SRSG) on the issue of human rights and transnational corporations and other business enterprises.
In 2008, Ruggie presented the “Protect, Respect and Remedy” framework and was asked to operationalize it.
2010s
In 2011, Ruggie presented the United Nations Guiding Principles on Business and Human Rights (UNGPs), which “outline steps for States to foster business respect for human rights; provide a blueprint for companies to manage the risk of having an adverse impact on human rights; and offer a set of benchmarks for stakeholders to assess business respect for human rights.” Their endorsement by the UN Human Rights Council led to an international convergence. Various international instruments were revised to incorporate the UNGPs, which also started to be integrated into upcoming regulations across the globe.
Under the UNGPs, there’s “an independent corporate responsibility to respect human rights, which means that business enterprises should act with due diligence to avoid infringing on the rights of others,” according to Ruggie.
Defining human rights due diligence
So, what does it actually mean to carry out human rights due diligence (HRDD), and what should businesses consider to make this process effective?
According to the UNGPs, businesses must:
- Assess actual and potential human rights impacts, including how to prevent and mitigate them
- Integrate and act upon the findings of those assessments
- Track responses
- Communicate/report on their actions
It’s commonly recognized that business activities can impact various human rights and, especially, infringe on them. Additionally, businesses don’t necessarily impact human rights directly with their own activities; the impact can also arise when they contribute to an impact caused by another entity, or even when they maintain a relationship with an entity that is impacting human rights. Therefore, businesses should not only avoid infringing human rights directly but also abstain from complicity.
To avoid these impacts and violations, the implementation of policy commitments, due diligence processes, and remediation processes is key. Not only is there a moral imperative for businesses to not infringe human rights, but it’s also pertinent to acknowledge the risks to the enterprise, which can have its operations and image affected by involvement in human rights abuses.
The current state of HRDD
Since the endorsement of the UNGPs in 2011, there’s been growing pressure on companies to implement measures that would make their business responsibility to respect human rights a reality. Several jurisdictions across the globe have adopted legislation to protect human rights and ensure businesses are held accountable for human rights violations in their operations and — importantly — their supply chains.
Here’s an overview of salient examples adopted in recent years:
France’s Duty of Vigilance Law
In 2017, France implemented the Duty of Vigilance Act (Law n. 2017-399 of 27 March 2017), which focuses on the vigilance responsibilities of parent companies and contracting companies. The Act applies to companies and groups located in France that employ either more than 5,000 employees in France or more than 10,000 in France and abroad for two consecutive years.
Companies falling under the Act must establish, publish, implement, and monitor a “vigilance plan” to identify and prevent risks of severe violations of human rights, fundamental freedoms, health, safety, and the environment within their entire sphere of influence — including subsidiaries and subcontractors. The law's recitals specify that creating and executing the vigilance plan aligns with the concept of human rights due diligence outlined in the UNGPs.
The Act specifies five mandatory components of the Vigilance Plan:
- Risk mapping
- Procedures for regular assessment of the situation of subsidiaries, subcontractors, or suppliers
- Tailored measures to mitigate risks and prevent serious harm
- An alert mechanism developed in collaboration with trade union representatives to collect potential or actual risks
- A mechanism to monitor and evaluate the effectiveness of measures taken
On 6 May 2019, the French Minister for the Economy and Finance authorized a monitoring mission of the Duty of Vigilance Act. A report was submitted on 20 February 2020.
The report highlighted that the transition from soft law (based on voluntary approaches) to hard law had significant consequences for businesses, potentially resulting in judicial remedies and sanctions. The report also mentioned that some companies hadn’t yet formally respected their duty, while others had complied well and received public recognition.
The report identified weaknesses in the Act, such as:
- An unclear and unevenly shared understanding of the Duty of Vigilance
- Insufficient readability and visibility in the Management Report, including limited details
- An ongoing search for an alert mechanism
- The need to strengthen dialogue with trade union organizations and NGOs
It emphasized the importance of strengthening sector-wide approaches and harmonizing practices to transition the duty from an obligation to a real opportunity for businesses.
From its adoption to January 2024, the Act led to at least 16 formal notices, some of which resulted in court summonses and liability claims. Due to its wide-ranging scope, the filed claims have encompassed various adverse impacts on human rights and the environment, such as climate change, labor rights violations, deforestation, and plastic pollution.
Germany’s Act on Corporate Due Diligence in Supply Chains (LkSG)
The LkSG implements provisions of the UNGPs and the Guidelines for Multinational Enterprises from the OECD. The Act aims to enhance the protection of international human rights and the environment by setting mandatory standards for large companies and their value chains. It applies to companies registered in Germany or with a branch in the country employing at least 1,000 people.
The Act requires companies to:
- Establish an appropriate and effective risk management system to comply with due diligence obligations
- Appoint a person responsible for monitoring the risk management system
- Carry out a risk analysis, revised annually, to identify human rights and environmental risks in their own business area and at their direct suppliers
- Adopt preventive measures in their own business area and at direct suppliers if a risk has been identified
- Implement a complaint procedure for those directly or potentially affected by their own operations or those of a direct supplier
- Continually document due diligence obligation fulfilment, keep the records for at least seven years, and publicly disclose this information in an annual report
Under the LkSG, substantiated knowledge of human rights misconduct by indirect suppliers gives reason for a company to implement appropriate measures, including carrying out risk analysis and implementing preventive measures.
Finally, the LkSG requires companies to issue a policy statement on their human rights strategy. The statement must identify environment and human rights risks, along with preventive and remedial measures. It must also address expectations for employees and suppliers and be approved by senior management.
Non-compliance will incur fines for companies, which vary depending on the severity of the violation. Companies with an annual global turnover of more than EUR 400 million can be subject to fines of up to 2% of their annual global turnover. Additionally, companies can be excluded from public tenders for up to three years.
The Norwegian Transparency Act
The Norwegian Transparency Act promotes corporate respect for human rights and decent working conditions in producing goods and providing services. It establishes decent working conditions as those that safeguard fundamental human rights and health, safety, and environment in the workplace while providing a living wage.
The Act applies to all larger companies domiciled in Norway, regardless of whether they offer their products or services within the Norwegian borders. It also applies to foreign corporations selling their products or services in Norway and with tax obligations to the Norwegian government. It is estimated that the Act applies to approximately 9,000 Norwegian businesses.
A corporation is defined as a 'large company' if it meets at least two of the following requirements:
- Sales revenue of at least NOK 70 million (approximately EUR 6.01 million)
- A total balance sheet of at least NOK 35 million (approximately EUR 3 million)
- An average of 50 full-time employees in a financial year
According to the Act, enterprises must carry out human rights due diligence in line with OECD Guidelines for Multinational Enterprises, identifying and assessing actual and potential adverse impacts on fundamental human rights and decent working conditions linked to the business's operations, any part of its supply chains, and business partners.
The due diligence assessment must be performed regularly and proportionate to the size of the enterprise, its nature, the context of its operations, and the severity and probability of adverse impacts, with a report published on the company’s website by 30 June each year, including at least:
- A general description of the company's structure, area of operations, guidelines, and procedures for handling impacts on human rights and working conditions
- Information regarding risks identified through its due diligence
- Information regarding measures implemented or planned to cease risks of adverse impacts, and the results or expected results of these measures
The Act also stipulates that organizations must accommodate requests for information on human rights impacts within three weeks of the request. However, there are circumstances where a company can deny such requests, such as an insufficient basis for the request, if it’s clearly unreasonable, or if it’s related to personal or competitive data.
In 2023, the Norwegian Consumer Authority inspected 500 businesses under the Act and found that 100 of them didn’t publish their due diligence information. For those that did, some provided inadequate accounts of the negative conditions they found. Over a third of the surveyed businesses either did not mention such conditions or simply stated that they had not found anything negative. Additionally, there was insufficient information about implemented or planned measures, and some companies only sent out forms or codes of conduct as due diligence measures without addressing concrete risks and measures.
Following the assessment, the Norwegian Consumer Protection Authority sent letters to the non-compliant businesses.
Reporting is a fundamental requirement of the Act. In cases of non-compliance, the Authority has the power to issue prohibition and injunction decisions, as well as impose financial sanctions in the form of compulsory fines or infringement fees.
On 14 February 2023, Norway adopted a regulation allowing infringement fees of up to four percent of the company's annual turnover or up to NOK 25 million, whichever is higher.
The Swiss Ordinance on Due Diligence and Transparency (DDTrO)
Since 1 January 2022, following the adoption of the Ordinance on Due Diligence and Transparency in relation to Minerals and Metals from Conflict-Affected Areas and Child Labour (DDTrO) (221.433), companies operating in Switzerland are subject to due diligence and reporting obligations relating to conflict minerals (tin, tantalum, tungsten, and gold) and child labor.
The Ordinance applies to companies when importing or processing minerals and metals that may originate from conflict-affected and high-risk areas and where there are risks of child labor.
The supply chain is defined as a process covering both the enterprise’s own business activities and those of all upstream economic operators that have minerals or metals originating from conflict-affected or high-risk areas in their custody. It covers any party involved in their movement, preparation, and processing in the final product — or those offering products or services suspected to be produced using child labor.
Small and medium-sized enterprises that fall below two of the following thresholds within two consecutive years are exempt from the due diligence and transparency obligations regarding child labor:
- Balance sheet total of less than CHF 20 million (USD 23 million)
- Sales revenue less than CHF 40 million (USD 47 million)
- Fewer than 250 full-time positions on average per annum
Companies that exceed these thresholds and do not fall under the low-risk exemption must review suspected cases of child labor and establish a supply chain policy to prevent child labor. The policy must specify the tools used by the enterprise to identify, assess, eliminate, and/or mitigate adverse impacts in its supply chain.
Additionally, companies must identify risks in the supply chain and assess them as part of their risk management plan. The Ordinance also requires enterprises to establish a supply chain traceability system for child labor and/or conflict minerals, as applicable. Companies required to conduct due diligence must prepare an annual report discussing their compliance with the due diligence obligations and have an annual audit performed by a firm that’s licensed by the Federal Audit Oversight Authority.
Finally, companies must establish a reporting procedure that allows interested parties to raise concerns about the existence (or possibility) of an adverse impact related to minerals and metals from conflict-affected or high-risk areas or child labor.
EU Deforestation Regulation
Various regulations might not directly address human rights due diligence, but incorporate elements of it into their texts. In recent years, we’ve seen a lot of developments in this field. A very good example in the EU is the Deforestation Regulation.
The EU Deforestation Regulation (EUDR) sets mandatory due diligence rules for companies that place specific commodities in the EU market associated with deforestation and forest degradation, namely soy, beef, palm oil, wood, cocoa and coffee and their derived products, including leather, chocolate, and furniture.
The required due diligence must include the collection of information, data, and documents to fulfil the requirements set in the Regulation. These include providing adequately conclusive and verifiable information that the relevant commodities have been produced in accordance with the relevant legislation of the country of production — which encompasses land use rights, third parties’ rights, labor rights, human rights protected under international law, and respect for the principle of free, prior, and informed consent (FPIC), including as set out in the UN Declaration on the Rights of Indigenous Peoples.
Additionally, due diligence must include risk assessment and mitigation measures. Among the issues that the risk assessment must take into account is the presence of Indigenous peoples in the country of production, carrying out consultation and cooperation in good faith with these peoples, and the existence of duly reasoned claims by Indigenous peoples based on objective and verifiable information regarding the use or ownership of the area used for the purpose of producing the relevant commodity.
The EUDR entered into force on 29 June 2023; however, the main prohibitions and obligations don’t apply until 30 December 2024.
“The EUDR is likely to reconfigure trade and supply chains across deforestation-linked commodities over the next decade. Its impact will likely be felt across major palm oil-producing countries in Asia such as Indonesia and Malaysia, in the agribusiness industries of countries such as Brazil and Argentina, and across EU-bound cocoa exports from countries such as Côte d’Ivoire and Ghana.”
— S&P Global
CSDDD: The future of human rights due diligence legislation?
In the context of human rights due diligence being adopted into regulations in the European Union, it’s important to mention the Corporate Sustainability Due Diligence Directive (CSDDD). The CSDDD supports the EU transition towards a sustainable financial system and aims to promote sustainable and responsible business conduct in the EU. The directive was formally adopted by the EU Council on 24 May 2024, after lengthy negotiations. It was then published in the EU Official Journal on 5 July 2024 and came into force on 25 July 2024. Member states now have until 26 July 2026 to transpose it into their national laws.
What follows is a simple overview of the reach and impact of the CSDDD.
Who does it apply to?
The rules apply to EU companies with over 1,000 employees and a turnover of more than EUR 450 million. Non-EU companies with a net turnover of more than EUR 450 million are also under the scope of the Directive.
What does it cover?
This directive requires companies to mitigate the adverse impact of their activities on human rights and the environment, extending to almost all the company’s chain of activities. This includes:
- Upstream partners — including design, manufacture, transport, and extraction
- Downstream partners — dealing with distribution, transport, and storage
Activities relating to the sale, use, and disposal of products aren’t part of this definition.
What are the requirements?
Companies must integrate due diligence into their policies and risk management systems. They must also make efforts to end actual adverse impacts and prevent or mitigate potential adverse impacts.
Companies will also have to adopt a transition plan making their business model compatible with the global warming limit of 1.5°C under the Paris Agreement.
Companies are also required by the CSDDD to carry out meaningful engagement with affected stakeholders, establish and maintain a notification mechanism and complaints procedure, periodically monitor the effectiveness of the measures taken, and publicly communicate on their due diligence practices.
What are the penalties for non-compliance?
Companies that don’t comply with their due diligence obligations will be considered liable and subject to significant penalties. Fines can reach up to 5% of their net worldwide turnover.
Affected parties will also have the right to file claims against companies under national law for harm caused by intentional or negligent failure to comply with the CSDDD’s obligations. However, companies cannot be held liable if the harm was solely caused by their business partners.
When does the CSDDD take effect?
After the publication of the CSDDD in the Official Journal of the European Union in July, Member States have two years to transpose its requirements into national law, in time to ensure that the largest in-scope companies are subject to binding legal obligations in 2027, within the prescribed three years of the Directive entering into force. Obligations for smaller companies will take effect in later years, being phased in over time. By 2029, all companies with more than 1,000 employees and EUR 450 million in net turnover will be covered.
Prepare for human rights due diligence today — so it doesn’t burn you tomorrow
Evidently, the demand for the disclosure of more and better information regarding businesses’ human rights due diligence has increased significantly. Several regulations concerning mandatory human rights reporting and human rights due diligence in supply chains have been discussed and adopted in recent years, with the very recent adoption of the EU’s CSDDD as a landmark with the potential to exponentially impact supply chains worldwide.
The growth of regulations requiring HRDD reinforces the importance of the “S” in ESG — the expectation and need for companies to disclose accurate and robust data on social measures is ever-growing. “Ticking boxes” is not enough any more. Data must be evidence-based and consider the impact on suppliers and communities affected by a business’s operations.
Going much further than that, the thresholds established by new regulations don’t only apply to the organizations that fall within the applicability requirements. The large corporations directly affected inevitably must pass down those obligations within their value and supply chains to ensure they’re maintaining the level of transparency and due diligence expected of them. This means that falling beneath the threshold does not give a free pass for companies to not implement measures that otherwise would be required. We’re moving towards a system where transparency is key and due diligence is crucial to every company wanting to continue placing products and services on the market, regardless of size and location.
In a globalized market, where companies’ suppliers come from many different parts of the world, the responsibility of corporations to assess and address human rights impacts is ever-increasing and ever more complicated. Even when facing a complex supply chain, with higher risks and more points of vulnerability, a company must be able to trace it and implement due diligence processes all the way to the bottom, using its leverage to influence its business relationships. Companies must seek to transform their business model and ensure that living wages are guaranteed, and labor standards are respected, wherever they operate and with every business relationship that they have.
The legislative framework requiring mandatory human rights due diligence is growing and it’s indisputable that companies are expected to be more transparent and will be held accountable — not only for their direct activities but also for their supply chains and business relationships.