Joint statement: EU Corporate Sustainability Due Diligence Directive must be strengthened to ensure tech sector accountability

PI joined 75+ organisations to call on EU policy makers to rework the draft EU Corporate Sustainability Due Diligence Directive so it is able to address human rights abuses in the tech sector. PI had previously made submissions to the consultation on the draft Directive proposal by the European Commission.

Key advocacy points

The EU Corporate Sustainability Due Diligence Directive (CSDDD) must be improved in four key ways:

  • Lower the size and turnover threshold for companies to be covered by the Directive
  • Expand the list of rights and international instruments enumerated in the Directive to include those often impacted by and relevant to technology
  • Companies' entire value chain must fall within scope of the Directive, including downstream impacts
  • Make stakeholder engagement a mandatory pillar of effective corporate due diligence
Advocacy

We, the undersigned organisations, seek to draw your attention to aspects of the draft Corporate Sustainability Due Diligence Directive (the Directive), and its application to the use of technology and the technology sector, which require strengthening if the Directive is to realise its full potential in respect of this critical global sector that is today responsible for some of the most egregious human rights harms.
The technology and surveillance industries have ushered in an entirely new sphere of actual and potential human rights abuses, defying traditional detection, enforcement and remedy mechanisms, and leaving existing legal frameworks to play constant catch-up in the effort to identify, curb, and remedy these abuses. There is increasing recognition that technology companies have so far largely evaded scrutiny of their human rights impacts, due to the complexity of their products and services, the opacity with which they frequently operate, the unusual nature of their commercial relationships, and the variety of human rights harms which they cause, contribute to, or are linked to.
Many specific elements of the Directive that could be strengthened have already been identified by civil society, legislators, responsible companies, and investors in their assessments of and recommendations to improve the Directive. The Directive excludes a significant number of the most problematic technology company actors, activities, and impacts from its scope, among other limitations, which we set out below. Furthermore, reported attempts in negotiations to exclude or limit coverage of downstream value chain impacts in EU business’ due diligence duty are extremely concerning, as this would drastically reduce the Directive’s efficacy in tackling technology-related abuse.
There are four key areas which need amending if the Directive is to effectively contribute to transforming the tech sector:

Scope of companies subject to the law

The threshold for companies covered under the Directive, in relation to their size and turnover, should be revised and significantly lowered for all companies. Further, under the current framework of defining lower thresholds for ‘high impact sectors’, the tech sector needs to be included in the Directive’s list of such sectors, as proposed in the Committee on Legal Affairs’ draft report on the proposal. Many high-impact tech companies, especially those providing surveillance or facial recognition software (among others), will be omitted from the Directive’s ambit under its current drafting, despite their profound potential to cause, contribute to and be linked to human rights harms. Inclusion of those financing tech and other companies must also be retained and strengthened in the Directive’s personal scope, and current limitations of their due diligence duty lifted.

Scope of rights

The scope of due diligence obligations must cover all human rights. The list of rights and international instruments and conventions enumerated in the Directive should be considerably expanded to include those often impacted by and relevant to technology, such as freedom of expression, and all protective instruments for human rights defenders. It should be made clear the lists are non-exhaustive and there is no hierarchy between sections 1 and 2 of the Annex, Part I, if the current separation is to be retained.
Further, the Directive should explicitly mandate companies to examine the intersectionality of rights and contexts of marginalisation. This includes requirements for companies to assess, address and remedy their impacts on marginalised groups and specifically to undertake gender-responsive human rights, good governance and environmental due diligence.

Value chains and business relationships

The technology sector is often characterised by the sporadic nature of relationships which, despite their transience, have profound human rights implications. Facial recognition technology, for example, typically begins with a coding process by one firm for a buyer, and while their relationship is not ‘established’, the initial code contributes to a potentially very harmful end product. The Directive should follow the UN Guiding Principles (UNGPs) and OECD Guidelines, which stipulate that a business’ responsibility to respect human rights, good governance and the environment covers its whole value chain, with a focus on severity and likelihood of risks. It must not limit the value chain scope of companies’ due diligence duty to certain types of business relationships, to impacts in the upstream supply chain, or otherwise, as this would allow impunity to persist. Coverage of risks and harms across the full value chain, especially in the downstream, needs to be retained and strengthened if the Directive is to address technology-related abuse, which often occurs in technology companies’ downstream value chains. This includes risks and harms to people (users, consumers and non-users), society and the planet e.g. from a company’s products and services, their (end-)use and misuse by others, as well as in distribution or product disposal.

Stakeholder engagement & access to justice and remedy

In the technology sector (as in all others), engagement with affected rights- and stakeholders is essential for effectively determining human rights risks, impacts and appropriate action. The Directive needs to transition from characterising stakeholder engagement as an option available to companies in the process of identifying, addressing and remedying human rights risks, to being a mandatory pillar of effective corporate due diligence. Protection for the rights of those critical stakeholders who come forward for engagement – including those who may deliver hard truths to the sector, such as human rights defenders and workers’ organisations – should be explicitly included in the Directive without reservation. Further, marginalised groups must be included in the process.
Crucially, there needs to be robust enforcement of the Directive through administrative penalties and civil liability for harms, without any blanket exemptions for companies but including explicit provisions to lift barriers to access to justice, which are pervasive in the technology sector as in so many other sectors.
The Directive is a pioneering step towards ensuring people and their rights – and not just profits – are placed at the centre of the technology industry. Ultimately, the Directive should ensure the stipulations provided by the UNGPs and OECD Guidelines are reflected in this legislation as the minimum standard with which companies must comply. Further, on adoption of the Directive, it will be critical that guidelines for the technology sector, and more specifically the surveillance industry, are developed through consultation with all stakeholders, including digital and human rights groups, as envisioned in Article 13.
We further encourage the European Commission, Parliament and EU Council to seek sector-specific inputs, particularly from digital rights experts, human rights groups and defenders, and individuals with first-hand experience of the technology sector’s negative impacts. This will help ensure the Directive is fit for its ambitious purpose and a model for other jurisdictions, ushering in the long-awaited start of true corporate accountability in the technology sector. We remain available should you find benefit in further discussion.

Signatories

  1. 7amleh - The Arab Center for the Advancement of Social Media
  2. Access Now
  3. Acción Constitucional
  4. Africa Freedom of Information Centre
  5. Al Monsifoon Trading & Consulting Co
  6. Amnesty International
  7. Anti Hoax Society (MAFINDO)
  8. Anti-Slavery International
  9. Association for Progressive Communications
  10. Bangladesh NGOs Network for Radio and Communication (BNNRC)
  11. BlueLink Foundation, Bulgaria
  12. Body & Data
  13. Business and Human Rights Resource Centre
  14. Bytes For All, Pakistan
  15. Cambodian Center for Human Rights (CCHR)
  16. Cambodian League for the Promotion and Defense of Human Rights (LICADHO)
  17. CATAPA
  18. Centre for Information Technology and Development (CITAD)
  19. Centro de Derechos Humanos, Universidad Diego Portales, Santiago de Chile
  20. Citizen D / Državljan D
  21. Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
  22. Commission nationale consultative des droits de l’homme (CNCDH) (NHRI)
  23. Danish Institute for Human Rights (DIHR) (NHRI)
  24. Derechos Digitales
  25. Digital Empowerment Foundation
  26. Digital Freedom Fund
  27. Digital Rights Foundation
  28. Digital Rights Nepal
  29. EDINNOV
  30. Electronisk Forpost Norge (EFN)
  31. European Center for Not-For-Profit Law Stichting (ECNL)
  32. European Coalition for Corporate Justice (ECCJ)
  33. European Digital Rights (EDRi)
  34. Fantsuam Foundation
  35. FIAN Germany
  36. FIDH / International Federation for Human Rights
  37. Free Expression Myanmar
  38. Front Line Defenders
  39. Fundación Acceso
  40. Fundación InternetBolivia.org
  41. Fundación Karisma
  42. Glidji Tech entrepreneur
  43. Global Witness
  44. Government College Women University, Sialkot, Pakistan
  45. guifi·net Foundation
  46. Heartland Initiative
  47. Inclusion Now, Pakistan
  48. Institute for Policy Research and Advocacy (ELSAM), Indonesia
  49. Institute of Technology & Science, Mohan Nagar, Ghaziabad, India
  50. International Center for Not-for-Profit Law (ICNL)
  51. International Service for Human Rights (ISHR)
  52. Investor Alliance for Human Rights
  53. JCA-NET (Japan)
  54. KICTANet
  55. Media Matters for Democracy
  56. Myanmar Internet Project
  57. Nabeel Yasin Training and Consulting center
  58. Open Society Foundations
  59. Pangea
  60. Privacy International
  61. Public Health Research Society Nepal (PHRSN)
  62. Ranking Digital Rights
  63. ROOTS Bangladesh
  64. Skill share hub
  65. Southeast Asia Freedom of Expression Network (SAFEnet)
  66. Südwind, Austria
  67. Swedwatch
  68. Thai Netizen Network
  69. Unwanted Witness Uganda
  70. Venezuela Inteligente / Conexión Segura
  71. VOICE
  72. Vredesactie
  73. WikiRate
  74. Women in Digital
  75. Women of Uganda Network (WOUGNET)
  76. Women's International League for Peace and Freedom
  77. World Benchmarking Alliance
  78. World Wide Web Foundation
  79. Zenzeleni Networks NPC