The Directive is the latest, and by far the most important, step to date in the development of an EU-wide mHREDD law1. It provides that businesses must conduct due diligence to identify – and then cease or mitigate – the actual and potential human rights and environmental impacts of their operations, subsidiaries and business relationships in the value chain. As such, the Directive will enshrine in EU law binding due diligence requirements that draw heavily from the UN Guiding Principles on Business and Human Rights (UNGPs).
Scope of the Directive
The Directive extends to both EU and non-EU entities2. Two types of EU incorporated companies are covered: (a) those with more than 500 employees and a net annual turnover in excess of €150 million; and (b) those with more than 250 employees and a net annual turnover in excess of €40 million (midcap firms) where at least half of that turnover is generated from certain high-impact sectors (such as textiles, agriculture and mineral extraction).3 The Directive only extends to midcap companies after a two year transition period.
Non-EU companies will need to comply with the Directive if they generated: (a) more than €150 million in the EU in the year preceding the last financial year; or (b) more than €40 million in the EU in the year preceding the last financial year (midcap firms), where at least half of the company’s worldwide turnover was derived from the high-impact sectors.4
Due diligence requirements
The Directive requires EU Member States to impose obligations on companies to conduct mHREDD through: (a) integrating due diligence into their policies; (b) identifying actual or potential adverse impacts; (c) preventing and mitigating potential adverse impacts; (d) ending and mitigating the extent of actual adverse impacts; (e) establishing a complaints procedure; (f) monitoring the effectiveness of due diligence measures; and (g) communicating publicly on due diligence.
The scope of the mHREDD obligation extends to a company’s own operations, those of its subsidiaries and its “established business relationships” in the value chain (Article 1). The term “established business relationships” initially seems akin to the concept of “relations commerciales établies” under the French Loi de Vigilance. However, “established business relationship” is defined in the Directive as a “direct or indirect” business relationship “which is expected to be lasting, in view of its intensity or duration and which does not represent a negligible or merely ancillary part of the value chain”. Accordingly, the Directive’s mHREDD obligation extends beyond just those entities with whom the company has a direct contractual relationship (e.g. tier 1 suppliers) to other value chain participants.
The Directive’s principal mHREDD obligations are set out in Articles 5 to 11:
- Policies (Article 5): Companies will need to develop a due diligence policy, and integrate due diligence into all their corporate policies.
- Identifying actual and potential adverse impacts (Article 6): Companies will be required to take “appropriate measures” to identify actual and potential impacts arising from their operations, subsidiaries or established business relationships in the value chain. For those companies with a turnover of less than € 150 million but caught by the Directive by virtue of their activities in a high-impact sector, the obligation extends to their impacts in that sector only. For financial undertakings, defined to include financial institutions and (re)insurance firms, the requirement to identify adverse impacts must be carried out prior to the provision of their financial services.
- Preventing potential adverse impacts (Article 7): Companies will be required to take “appropriate measures” to prevent, or if prevention is not immediately possible, adequately mitigate, identified potential impacts that they have or should have identified pursuant to article 6. Where relevant, prevention of any adverse impacts may include: (a) developing and implementing a prevention action plan with “reasonable and clearly defined” timelines for implementation; (b) contractual assurances from business partners; (c) necessary investments (e.g. in management, infrastructure or production processes); (d) targeted and proportionate support for SMEs; or (e) collaboration with other entities.
- Ending actual adverse impacts (Article 8): Where any actual adverse impacts are identified, companies will be required to take “appropriate measures” to bring these to an end or, if that is not possible, companies will be obliged to minimise the extent of the impact. Steps to be taken will include, as relevant: (a) payment of compensation; (b) the development and implementation of a corrective action plan with “reasonable and clearly defined” timelines; (c) contractual assurances from business partners; (d) necessary investments; (e) support for SMEs; or (f) collaboration with other entities.
- Complaints procedure (Article 9): Companies will need to establish complaints procedures so that affected persons, trade unions and civil society organisations can submit complaints concerning actual or potential adverse impacts.
- Monitoring (Article 10): Companies will be required to conduct periodic assessments (at least annually) of their own operations and measures, and those of their subsidiaries and established business relationships (where related to their value chains) to determine the effectiveness of the mHREDD measures put in place.
- Communicating (Article 11): Companies not currently subject to the EU Non-Financial Reporting Directive will be required to publish an annual statement on their websites each year by 30 April. The Commission will adopt criteria for such reporting.
Suspension and termination of relationships
Of particular interest, is that articles 7(5) and 8(6) provide that where a company is unable to prevent or adequately mitigate potential impacts, or bring to an end or minimise actual impacts, it should refrain from extending or entering into new commercial relations with a relevant business partner where the impact has arisen. Further, the company must, to the extent legally possible, temporarily suspend commercial relations with the partner while pursuing efforts to (as appropriate) prevent, mitigate, minimise or bring to an end the impact, or terminate the relationship if the potential or actual impact is considered severe5. Financial institutions are not required to terminate a financial services contract where doing so may reasonably be expected to cause substantial prejudice to the counterparty.6
It is unclear how businesses may comply with these provisions whilst also seeking to increase leverage over the business partner to mitigate the relevant impact as envisaged by the commentary to UNGP 19. Further, as noted by the UNGPs, in some situations suspending or ending a commercial relationship may itself raise further human rights impacts which need to be assessed and managed. Engagement with a business partner is usually preferable with termination generally considered a last resort.
Sanctions and enforcement
Under Article 17(1), EU Member States must designate a national supervisory authority to supervise compliance with legislation implementing the Directive. Such supervisory authorities are to have the power to initiate investigations on their own motion or as a result of “substantiated concerns” submitted by any person that a company is failing to comply with national law implementing the Directive.7
In terms of powers, supervisory authorities may: (a) order the cessation of any infringements; (b) impose pecuniary sanctions, calculated by reference to the company’s turnover;8 or (c) adopt interim measures to avoid the risk of severe and irreparable harm.9 When determining the appropriate sanction, the authority must take “due account” of any remedial steps undertaken by the company pursuant to article 7 and 8 (see above) or in response to a direction from the authority.10 However, the Directive is express that remedial action by the company will not preclude sanctions, or indeed civil liability.
Few provisions will attract as much attention as those which address civil liability. Under Article 22, Member States will be obliged to ensure that a company is liable for damages if it: (a) fails to comply with articles 7 and 8 (which require companies to take action to address actual or potential adverse impacts); and (b) such failure led to damage.
Interestingly, companies will not be liable for damages caused by an adverse impact “arising out of the activities of an indirect partner with whom it has an established business relationship (emphasis added)” so long as the company has taken the specific measures prescribed in articles 7 and 8 of the Directive concerning contractual assurances, unless it was unreasonable in the circumstances to expect that the action taken (including to verify compliance by business partners with a contractual obligation) would be adequate to prevent, mitigate, bring to an end or minimise the extent of the adverse impact.
This incorporates an objective ‘reasonableness’ standard into the defence. While it will be for the relevant courts to determine what is reasonable in all the circumstances, it is clear that companies will not be able to simply incorporate contractual obligations into their contracts with direct business partners without more, relying upon ‘contractual cascading’ to ensure these obligations reach indirect business partners. In many cases, depending on the risks, this will not be reasonable and therefore sufficient for the defence. As noted above, the Directive requires periodic monitoring of the effectiveness of measures put in place.
Combatting climate change
Article 15 requires Member States to ensure that large companies (i.e. EU entities with a net turnover of more than € 150 million and more than 500 employees, and non-EU entities which generated more than € 150 million in net turnover in the EU in the previous financial year) adopt a plan to ensure that the company’s business model and strategy is compatible with the transition to a sustainable economy and limiting global warming to 1.5 degrees Celsius in line with the Paris Agreement. The plan should identify “the extent to which climate change is a risk for, or an impact of, the company’s operations”. Further, if climate change is (or should have been) identified as a principal risk for, or a principal impact of, the company’s operations, the plan shall include emission reduction objectives. Finally, Member States must legislate so these obligations are considered by companies in assessing directors’ variable remuneration linked to the company’s “business strategy, long term interests and sustainability”.
Under Article 25, Member States will also be required to ensure that directors of EU companies are obliged to take into account sustainability matters including human rights, climate change and the environment in the “short, medium and long term” when fulfilling their duty to act in the best interests of the company.12 Once this provision has been transposed into the domestic law of Member States, non-compliance may lead to a breach of directors’ duties.
The Directive will now proceed through a formal legislative process and will be debated in the EU Parliament and EU Council of Ministers. Once it becomes law, EU Member States will have two years to transpose the Directive’s requirements into domestic legislation.