Joint statement: EU Corporate Sustainability Due Diligence Directive must be strengthened to ensure tech sector accountability
PI joined 75+ organisations to call on EU policy makers to rework the draft EU Corporate Sustainability Due Diligence Directive so it is able to address human rights abuses in the tech sector. PI had previously made submissions to the consultation on the draft Directive proposal by the European Commission.
The EU Corporate Sustainability Due Diligence Directive (CSDDD) must be improved in four key ways:
- Lower the size and turnover threshold for companies to be covered by the Directive
- Expand the list of rights and international instruments enumerated in the Directive to include those often impacted by and relevant to technology
- Companies' entire value chain must fall within scope of the Directive, including downstream impacts
- Make stakeholder engagement a mandatory pillar of effective corporate due diligence
We, the undersigned organisations, seek to draw your attention to aspects of the draft Corporate Sustainability Due Diligence Directive (the Directive), and its application to the use of technology and the technology sector, which require strengthening if the Directive is to realise its full potential in respect of this critical global sector that is today responsible for some of the most egregious human rights harms.
The technology and surveillance industries have ushered in an entirely new sphere of actual and potential human rights abuses, defying traditional detection, enforcement and remedy mechanisms, and leaving existing legal frameworks to play constant catch-up in the effort to identify, curb, and remedy these abuses. There is increasing recognition that technology companies have so far largely evaded scrutiny of their human rights impacts, due to the complexity of their products and services, the opacity with which they frequently operate, the unusual nature of their commercial relationships, and the variety of human rights harms which they cause, contribute to, or are linked to.
Many specific elements of the Directive that could be strengthened have already been identified by civil society, legislators, responsible companies, and investors in their assessments of and recommendations to improve the Directive. The Directive excludes a significant number of the most problematic technology company actors, activities, and impacts from its scope, among other limitations, which we set out below. Furthermore, reported attempts in negotiations to exclude or limit coverage of downstream value chain impacts in EU business’ due diligence duty are extremely concerning, as this would drastically reduce the Directive’s efficacy in tackling technology-related abuse.
There are four key areas which need amending if the Directive is to effectively contribute to transforming the tech sector:
Scope of companies subject to the law
The threshold for companies covered under the Directive, in relation to their size and turnover, should be revised and significantly lowered for all companies. Further, under the current framework of defining lower thresholds for ‘high impact sectors’, the tech sector needs to be included in the Directive’s list of such sectors, as proposed in the Committee on Legal Affairs’ draft report on the proposal. Many high-impact tech companies, especially those providing surveillance or facial recognition software (among others), will be omitted from the Directive’s ambit under its current drafting, despite their profound potential to cause, contribute to and be linked to human rights harms. Inclusion of those financing tech and other companies must also be retained and strengthened in the Directive’s personal scope, and current limitations of their due diligence duty lifted.
Scope of rights
The scope of due diligence obligations must cover all human rights. The list of rights and international instruments and conventions enumerated in the Directive should be considerably expanded to include those often impacted by and relevant to technology, such as freedom of expression, and all protective instruments for human rights defenders. It should be made clear the lists are non-exhaustive and there is no hierarchy between sections 1 and 2 of the Annex, Part I, if the current separation is to be retained.
Further, the Directive should explicitly mandate companies to examine the intersectionality of rights and contexts of marginalisation. This includes requirements for companies to assess, address and remedy their impacts on marginalised groups and specifically to undertake gender-responsive human rights, good governance and environmental due diligence.
Value chains and business relationships
The technology sector is often characterised by the sporadic nature of relationships which, despite their transience, have profound human rights implications. Facial recognition technology, for example, typically begins with a coding process by one firm for a buyer, and while their relationship is not ‘established’, the initial code contributes to a potentially very harmful end product. The Directive should follow the UN Guiding Principles (UNGPs) and OECD Guidelines, which stipulate that a business’ responsibility to respect human rights, good governance and the environment covers its whole value chain, with a focus on severity and likelihood of risks. It must not limit the value chain scope of companies’ due diligence duty to certain types of business relationships, to impacts in the upstream supply chain, or otherwise, as this would allow impunity to persist. Coverage of risks and harms across the full value chain, especially in the downstream, needs to be retained and strengthened if the Directive is to address technology-related abuse, which often occurs in technology companies’ downstream value chains. This includes risks and harms to people (users, consumers and non-users), society and the planet e.g. from a company’s products and services, their (end-)use and misuse by others, as well as in distribution or product disposal.
Stakeholder engagement & access to justice and remedy
In the technology sector (as in all others), engagement with affected rights- and stakeholders is essential for effectively determining human rights risks, impacts and appropriate action. The Directive needs to transition from characterising stakeholder engagement as an option available to companies in the process of identifying, addressing and remedying human rights risks, to being a mandatory pillar of effective corporate due diligence. Protection for the rights of those critical stakeholders who come forward for engagement – including those who may deliver hard truths to the sector, such as human rights defenders and workers’ organisations – should be explicitly included in the Directive without reservation. Further, marginalised groups must be included in the process.
Crucially, there needs to be robust enforcement of the Directive through administrative penalties and civil liability for harms, without any blanket exemptions for companies but including explicit provisions to lift barriers to access to justice, which are pervasive in the technology sector as in so many other sectors.
The Directive is a pioneering step towards ensuring people and their rights – and not just profits – are placed at the centre of the technology industry. Ultimately, the Directive should ensure the stipulations provided by the UNGPs and OECD Guidelines are reflected in this legislation as the minimum standard with which companies must comply. Further, on adoption of the Directive, it will be critical that guidelines for the technology sector, and more specifically the surveillance industry, are developed through consultation with all stakeholders, including digital and human rights groups, as envisioned in Article 13.
We further encourage the European Commission, Parliament and EU Council to seek sector-specific inputs, particularly from digital rights experts, human rights groups and defenders, and individuals with first-hand experience of the technology sector’s negative impacts. This will help ensure the Directive is fit for its ambitious purpose and a model for other jurisdictions, ushering in the long-awaited start of true corporate accountability in the technology sector. We remain available should you find benefit in further discussion.
Signatories
- 7amleh - The Arab Center for the Advancement of Social Media
- Access Now
- Acción Constitucional
- Africa Freedom of Information Centre
- Al Monsifoon Trading & Consulting Co
- Amnesty International
- Anti Hoax Society (MAFINDO)
- Anti-Slavery International
- Association for Progressive Communications
- Bangladesh NGOs Network for Radio and Communication (BNNRC)
- BlueLink Foundation, Bulgaria
- Body & Data
- Business and Human Rights Resource Centre
- Bytes For All, Pakistan
- Cambodian Center for Human Rights (CCHR)
- Cambodian League for the Promotion and Defense of Human Rights (LICADHO)
- CATAPA
- Centre for Information Technology and Development (CITAD)
- Centro de Derechos Humanos, Universidad Diego Portales, Santiago de Chile
- Citizen D / Državljan D
- Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
- Commission nationale consultative des droits de l’homme (CNCDH) (NHRI)
- Danish Institute for Human Rights (DIHR) (NHRI)
- Derechos Digitales
- Digital Empowerment Foundation
- Digital Freedom Fund
- Digital Rights Foundation
- Digital Rights Nepal
- EDINNOV
- Electronisk Forpost Norge (EFN)
- European Center for Not-For-Profit Law Stichting (ECNL)
- European Coalition for Corporate Justice (ECCJ)
- European Digital Rights (EDRi)
- Fantsuam Foundation
- FIAN Germany
- FIDH / International Federation for Human Rights
- Free Expression Myanmar
- Front Line Defenders
- Fundación Acceso
- Fundación InternetBolivia.org
- Fundación Karisma
- Glidji Tech entrepreneur
- Global Witness
- Government College Women University, Sialkot, Pakistan
- guifi·net Foundation
- Heartland Initiative
- Inclusion Now, Pakistan
- Institute for Policy Research and Advocacy (ELSAM), Indonesia
- Institute of Technology & Science, Mohan Nagar, Ghaziabad, India
- International Center for Not-for-Profit Law (ICNL)
- International Service for Human Rights (ISHR)
- Investor Alliance for Human Rights
- JCA-NET (Japan)
- KICTANet
- Media Matters for Democracy
- Myanmar Internet Project
- Nabeel Yasin Training and Consulting center
- Open Society Foundations
- Pangea
- Privacy International
- Public Health Research Society Nepal (PHRSN)
- Ranking Digital Rights
- ROOTS Bangladesh
- Skill share hub
- Southeast Asia Freedom of Expression Network (SAFEnet)
- Südwind, Austria
- Swedwatch
- Thai Netizen Network
- Unwanted Witness Uganda
- Venezuela Inteligente / Conexión Segura
- VOICE
- Vredesactie
- WikiRate
- Women in Digital
- Women of Uganda Network (WOUGNET)
- Women's International League for Peace and Freedom
- World Benchmarking Alliance
- World Wide Web Foundation
- Zenzeleni Networks NPC