What US businesses need to know about the proposed EU law on corporate due diligence
This blog is part of a series 'Towards Mandatory Human Rights Due Diligence'.
The European Commission has announced plans to introduce legislation compelling corporations to take action on human rights and environmental risks arising within their supply chains. Expected to be introduced in 2021, the law is likely to have significant impacts on the business practices of U.S. firms operating in the EU.
The new rules, announced by the EU Justice Commissioner in April, are being framed as part of the European Green Deal. The Commissioner said that Europe needs a sustainable post-COVID-19 recovery, and that responsible business conduct must become the new norm.
With supply chain-related laws materializing or being considered across several different European jurisdictions, including in France, the Netherlands, Switzerland, Germany, Norway and Finland, the law is also intended to provide a degree of uniformity and certainty for businesses operating in Europe.
The Commission will consult on the proposed legislation over the coming months, and it is therefore still unclear exactly what form the law will take. However, recent legal developments at both European and national levels suggest that U.S. companies may be held accountable for the conduct of separate legal entities linked to their value chains, and face serious financial penalties for non-compliance.
What will the law cover?
The EU is seeking to fill the vacuum where corporate misconduct is transnational, but where the host state has been unwilling or unable to take action.[i] European Commissioners have said that regulation will build on existing international standards, namely, the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Due Diligence Guidance for Responsible Business Conduct.
At a minimum, the legislation is likely to oblige U.S. firms bound by the law to map and analyse their supply chains, report publicly on social and environmental risks, and provide evidence of strategies to mitigate these risks.
The law is expected to be cross-sectoral and companies will be expected to demonstrate how they are mitigating such risks, even when they occur outside of Europe. This means that US extractives, agribusiness, pharmaceuticals, finance and apparel brands operating in Europe may be held accountable for failure to prevent serious harm occurring in their value chains.
The expansive scope of the new legislation
Given the Commission’s objective of instituting responsible business practices across the EU Single Market, it seems unlikely that businesses operating in Europe but domiciled in the U.S. or elsewhere will be exempted.
Large U.S. companies operating in the EU are already required to follow certain EU regulations such as the General Data Protection Regulation (GDPR), which was designed with a deliberate global reach and provides for obligations related to data protection and digital security.[ii]
U.S. and EU anti-corruption regulations are already subject to extraterritorial application: American corporations have been held liable for the abuses of subsidiaries based elsewhere. The U.S. Dodd-Frank Act likewise includes reporting requirements related to specific human rights risks in supply chains such as conflict minerals. And the importation of goods into the U.S. produced through forced labour is also prohibited, as set out in the 2015 Trade Facilitation and Trade Enforcement Act (formerly the Tariff Act).
This move may, however, significantly expand the scope of potential challenges to the corporate veil. Companies may be deemed partly responsible and potentially liable for the abusive conduct of entities that have a separate legal personality, be they subsidiaries, suppliers or contractors.
While the U.S. Customs & Border Protection Agency is increasingly active in enforcing forced labour prohibitions, it is largely foreign-based suppliers importing to the U.S. who are subject to sanctions. The new EU law will instead likely target multinationals who contribute to or exacerbate social or environmental risks through their own practices.
How will the law be enforced?
The EU Justice Commissioner confirmed that the new law will include civil and administrative sanctions. Recent precedents suggest that substantial fines are likely. For instance, GDPR enforcement powers allow for fines of up to €20 million or 4% of a firm’s global annual revenue per violation. Two of the largest fines to date have been issued to Google (€50 million) and Marriott International (€110 million), both headquartered in the US.
A recent EU-commissioned study recommended providing for enhanced access to judicial remedy for victims of rights abuses, which may include administrative, civil and possibly even criminal law sanctions.
A company should be able to demonstrate, in its defence, that it has met the appropriate duty of care provided it is ‘undertaking the level of due diligence required in the particular circumstances; i.e. this would be a context-specific risk-based approach’. The due diligence required would need to be proportionate to the size of the company and the severity of the negative impact.
The announcement serves as a tacit admission that previous voluntary corporate due diligence measures have proved insufficient to prevent social and environmental harms. The European Union is now focusing on public accountability and liability.
In a recent Resolution, the European Parliament called for measures to prevent and mitigate future crises and ensure sustainable value chains. International investors and business associations have also called for regulatory measures. The Commission now looks set to deliver on these demands.
Ben Rutledge is a Research Fellow at the Corporate Responsibility Initiative, Harvard Kennedy School. The views expressed above are those of the author alone and do not represent the views of the Harvard Kennedy School.
[i] The 2017 French Duty of Vigilance law already mandates that large companies, including multinational enterprises with a presence in France, must publish a due diligence plan detailing steps taken to ensure respect for human rights in their operations and supply chains. This covers the activities of sub-contractors and suppliers with whom it maintains an established commercial relationship. Legal experts and human rights advocates in Europe have recommended that the new EU law go further, and cover not just first tier contract partners, but suppliers along the whole value chain.