The business of business is business. Well, not quite. Not when business activities contribute to environmental destruction, make violations of human rights more likely, or destabilize legitimate democratic governments. June 2021 marks the tenth anniversary of the unanimous endorsement by the Human Rights Council of the United Nations Guiding Principles on Business and Human Rights (UNGPs), which put forward due diligence as a way for businesses to operationalize social responsibilities to respect human rights. Human rights due diligence essentially means that a business must take all necessary, adequate, and effective measures to identify and assess its actual and potential adverse human rights impacts throughout its value chains; prevent, mitigate, or cease these impacts; track and monitor the effectiveness of the actions it has taken; and be accountable to the public. Companies must also be required to remedy harms that have occurred. The OECD Guidelines for Multinational Enterprises integrated the UNGPs’ due diligence concept and expanded the scope of due diligence to other matters such as environmental protection and anti-bribery.

A European legislation project

While the UNGPs and their incorporation into the OECD Guidelines mark a major step forward in efforts to prevent and address business-related abuses, they remain extra-legal standards, and, despite their widespread acceptance by the business community, only a few businesses have in fact taken substantial initiatives to properly implement due diligence as an operational routine. In light of such disappointing results, some countries have moved forward to introduce mandatory due diligence legislation, such as France with its due diligence law (loi du 27 mars 2017 relative au droit devoir de vigilance des sociétés mères et des entreprises donneuses d'ordre) or Germany’s “Lieferkettengesetz”, which is scheduled to come into force beginning in 2023.

Now it is the European Union that will act. The European Commission has announced draft legislation for this summer. The Commission must consider an ambitious text on mandatory due diligence that was proposed by the European Parliament earlier on. In March 2021, this text was supported by a large majority – the Parliament’s resolution was adopted by 504 votes to 79, with 112 abstentions. With the substantial majority in favor of mandatory due diligence, the European Commission clearly has the mission to propose a law that would effectively impose corporate due diligence on companies. It cannot afford to make compromises regarding enforcing due diligence obligations through adequate sanctions, liability, and public supervision. Therefore, the draft text must go beyond the legislative efforts made by Germany and France, whose due diligence laws, in my opinion, have relatively weak enforcement provisions. However, it could well be that the Commission must draft a text that is a bit different from the European Parliament’s proposal, the latter having been strongly inspired by the UNGPs.

Legal security issues

The criticism that was raised against the European Parliament’s text, for the most part, did not challenge the idea of mandatory due diligence, but rather its realization. Recall that the sanctions initially present in the French due diligence law were struck out by the French Constitutional Council on grounds of legal certainty: obligations must be very precise if they are to be enforced with sanctions. Now, similar concerns are being raised against the European text, for example by the European Company Law Experts Group in its comment of April 19, 2021. The criticism reveals the intricacies of transposing aspirational due diligence norms such as the UNGPs into hard law. The strength of the UNGPs resides in their very flexible and pragmatic operational concepts, such as “using leverage”, “integrating findings”, “directly linked” or “negative human rights impact”. While these concepts provide a sufficiently clear method for managing due diligence, they are not precise enough for the purposes of hard law. Due diligence in an aspirational text is an exclusively forward-looking risk management method, while in hard law, due diligence becomes something fundamentally different, namely a standard against which the discharge of obligations is analysed based on an ex-post assessment of facts with a view to attributing legal consequences for not respecting duties. To cope with this challenge, the proposal of the EU Parliament employs several workarounds, for example by using several annexes to determine the precise scope of responsibility. Clearly, the principle of legal certainty requires accurately formulated obligations if they are to be enforced legally. The problem is that once these concepts are more closely defined, they risk losing their very advantage of being a flexible and pragmatic operational method for management.
Instead, mandatory corporate due diligence could become too prescriptive and result in highly bureaucratic activity which may become counterproductive if due diligence is not supported by an enterprise’s corporate culture and does not receive adequate attention from an enterprise’s top management level. That is why legislative bodies must be very careful when regulating management control systems such as due diligence. Mandatory due diligence must, on the one hand, remain flexible enough so that a due diligence system can be adapted to a company’s size, business models and industry sector, but at the same time there must be a tangible liability risk so that companies will feel compelled to establish effective due diligence routines.

An opportunity for companies

There is no doubt that introducing mandatory due diligence will be costly, both for companies and for the state. Nevertheless, hard law solutions have undeniable advantages for creating level playing fields. But what is more, to fulfill due diligence obligations, companies will need to devise new management processes and establish new governance structures that could result in an expansion of an enterprise’s analytical capacities. For example, the existing European sector-specific due diligence regulations (the so-called “Timber” and “Conflict Minerals” regulations) make it necessary for companies to consolidate or develop information systems that enable businesses to increase their knowledge of the value chains in which they operate. Where the law imposes such due diligence obligations on companies, the business case for using technology and new governance methods, such as science-based product traceability or distributed ledgers, becomes more compelling. Due diligence laws also typically require companies to increase interaction with stakeholders who could be affected by an enterprise’s activities. Routinely exchanging with stakeholders and letting them voice their concerns through an enterprise’s grievance mechanisms allows a company to address a potentially serious problem related to its business activities at a very early stage, well before a problem can widen into a conflict or even a crisis.

I would go so far as to say that the introduction of mandatory corporate due diligence in the EU would become a historical turning point regarding the way the law accompanies the progress of business enterprise. Until today, private law tended to help owners of companies to secure the wealth generated by business activity, while insulating them from responsibilities resulting from risk of harm to other people and the environment. This has been achieved, essentially, through limited liability and contract law, which have both enabled and encouraged outsourcing strategies and the creation of elaborate corporate group structures. While these methods have shielded owners from risk, they have also limited the need for companies to have precise knowledge of what is going on in the value chains that are relevant for their products and services. An EU-wide mandatory due diligence regime would require businesses to consider risks of harm from which they had insulated themselves in the past. In other words, the risk of harm would be “back in business”, namely as an operational concern of strategic importance. Preventing such risk would become routine management activity. This would be good for all, including for business.