Joint statement: EU Corporate Sustainability Due Diligence Directive must be strengthened to ensure tech sector accountability

We, the undersigned organisations, seek to draw your attention to aspects of the draft Corporate Sustainability Due Diligence Directive (the Directive), and its application to the use of technology and the technology sector, which require strengthening if the Directive is to realise its full potential in respect of this critical global sector that is today responsible for some of the most egregious human rights harms.

The technology and surveillance industries have ushered in an entirely new sphere of actual and potential human rights abuses, defying traditional detection, enforcement and remedy mechanisms, and leaving existing legal frameworks to play constant catch-up in the effort to identify, curb, and remedy these abuses. There is increasing recognition that technology companies have so far largely evaded scrutiny of their human rights impacts, due to the complexity of their products and services, the opacity with which they frequently operate, the unusual nature of their commercial relationships, and the variety of human rights harms which they cause, contribute to, or are linked to.

Many specific elements of the Directive that could be strengthened have already been identified by civil society, legislators, responsible companies, and investors in their assessments of and recommendations to improve the Directive. The Directive excludes a significant number of the most problematic technology company actors, activities, and impacts from its scope, among other limitations, which we set out below. Furthermore, reported attempts in negotiations to exclude or limit coverage of downstream value chain impacts in EU business’ due diligence duty are extremely concerning, as this would drastically reduce the Directive’s efficacy in tackling technology-related abuse.

There are four key areas which need amending if the Directive is to effectively contribute to transforming the tech sector:

Scope of companies subject to the law

The threshold for companies covered under the Directive, in relation to their size and turnover, should be revised and significantly lowered for all companies. Further, under the current framework of defining lower thresholds for ‘high impact sectors’, the tech sector needs to be included in the Directive’s list of such sectors, as proposed in the Committee on Legal Affairs’ draft report on the proposal. Many high-impact tech companies, especially those providing surveillance or facial recognition software (among others), will be omitted from the Directive’s ambit under its current drafting, despite their profound potential to cause, contribute to and be linked to human rights harms. Inclusion of those financing tech and other companies must also be retained and strengthened in the Directive’s personal scope, and current limitations of their due diligence duty lifted.

Scope of rights

The scope of due diligence obligations must cover all human rights. The list of rights and international instruments and conventions enumerated in the Directive should be considerably expanded to include those often impacted by and relevant to technology, such as freedom of expression, and all protective instruments for human rights defenders. It should be made clear the lists are non-exhaustive and there is no hierarchy between sections 1 and 2 of the Annex, Part I, if the current separation is to be retained.

Further, the Directive should explicitly mandate companies to examine the intersectionality of rights and contexts of marginalisation. This includes requirements for companies to assess, address and remedy their impacts on marginalised groups and specifically to undertake gender-responsive human rights, good governance and environmental due diligence.

Value chains and business relationships

The technology sector is often characterised by the sporadic nature of relationships which, despite their transience, have profound human rights implications. Facial recognition technology, for example, typically begins with a coding process by one firm for a buyer, and while their relationship is not ‘established’, the initial code contributes to a potentially very harmful end product. The Directive should follow the UN Guiding Principles (UNGPs) and OECD Guidelines, which stipulate that a business’ responsibility to respect human rights, good governance and the environment covers its whole value chain, with a focus on severity and likelihood of risks. It must not limit the value chain scope of companies’ due diligence duty to certain types of business relationships, to impacts in the upstream supply chain, or otherwise, as this would allow impunity to persist. Coverage of risks and harms across the full value chain, especially in the downstream, needs to be retained and strengthened if the Directive is to address technology-related abuse, which often occurs in technology companies’ downstream value chains. This includes risks and harms to people (users, consumers and non-users), society and the planet e.g. from a company’s products and services, their (end-)use and misuse by others, as well as in distribution or product disposal.

Stakeholder engagement & access to justice and remedy

In the technology sector (as in all others), engagement with affected rights- and stakeholders is essential for effectively determining human rights risks, impacts and appropriate action. The Directive needs to transition from characterising stakeholder engagement as an option available to companies in the process of identifying, addressing and remedying human rights risks, to being a mandatory pillar of effective corporate due diligence. Protection for the rights of those critical stakeholders who come forward for engagement – including those who may deliver hard truths to the sector, such as human rights defenders and workers’ organisations – should be explicitly included in the Directive without reservation. Further, marginalised groups must be included in the process.

Crucially, there needs to be robust enforcement of the Directive through administrative penalties and civil liability for harms, without any blanket exemptions for companies but including explicit provisions to lift barriers to access to justice, which are pervasive in the technology sector as in so many other sectors.

The Directive is a pioneering step towards ensuring people and their rights – and not just profits – are placed at the centre of the technology industry. Ultimately, the Directive should ensure the stipulations provided by the UNGPs and OECD Guidelines are reflected in this legislation as the minimum standard with which companies must comply. Further, on adoption of the Directive, it will be critical that guidelines for the technology sector, and more specifically the surveillance industry, are developed through consultation with all stakeholders, including digital and human rights groups, as envisioned in Article 13.

We further encourage the European Commission, Parliament and EU Council to seek sector-specific inputs, particularly from digital rights experts, human rights groups and defenders, and individuals with first-hand experience of the technology sector’s negative impacts. This will help ensure the Directive is fit for its ambitious purpose and a model for other jurisdictions, ushering in the long-awaited start of true corporate accountability in the technology sector. We remain available should you find benefit in further discussion.

Signatories

1. 7amleh - The Arab Center for the Advancement of Social Media
2. Access Now
3. Acción Constitucional
4. Africa Freedom of Information Centre
5. Al Monsifoon Trading & Consulting Co
6. Amnesty International
7. Anti Hoax Society (MAFINDO)
8. Anti-Slavery International
9. Association for Progressive Communications
10. Bangladesh NGOs Network for Radio and Communication (BNNRC)
11. BlueLink Foundation, Bulgaria
12. Body & Data
13. Business and Human Rights Resource Centre
14. Bytes For All, Pakistan
15. Cambodian Center for Human Rights (CCHR)
16. Cambodian League for the Promotion and Defense of Human Rights (LICADHO)
17. CATAPA
18. Centre for Information Technology and Development (CITAD)
19. Centro de Derechos Humanos, Universidad Diego Portales, Santiago de Chile
20. Citizen D / Državljan D
21. Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
22. Commission nationale consultative des droits de l’homme (CNCDH) (NHRI)
23. Danish Institute for Human Rights (DIHR) (NHRI)
24. Derechos Digitales
25. Digital Empowerment Foundation
26. Digital Freedom Fund
27. Digital Rights Foundation
28. Digital Rights Nepal
29. EDINNOV
30. Electronisk Forpost Norge (EFN)
31. European Center for Not-For-Profit Law Stichting (ECNL)
32. European Coalition for Corporate Justice (ECCJ)
33. European Digital Rights (EDRi)
34. Fantsuam Foundation
35. FIAN Germany
36. FIDH / International Federation for Human Rights
37. Free Expression Myanmar
38. Front Line Defenders
39. Fundación Acceso
40. Fundación InternetBolivia.org
41. Fundación Karisma
42. Glidji Tech entrepreneur
43. Global Witness
44. Government College Women University, Sialkot, Pakistan
45. guifi·net Foundation
46. Heartland Initiative
47. Inclusion Now, Pakistan
48. Institute for Policy Research and Advocacy (ELSAM), Indonesia
49. Institute of Technology & Science, Mohan Nagar, Ghaziabad, India
50. International Center for Not-for-Profit Law (ICNL)
51. International Service for Human Rights (ISHR)
52. Investor Alliance for Human Rights
53. JCA-NET (Japan)
54. KICTANet
55. Media Matters for Democracy
56. Myanmar Internet Project
57. Nabeel Yasin Training and Consulting center
58. Open Society Foundations
59. Pangea
60. Privacy International
61. Public Health Research Society Nepal (PHRSN)
62. Ranking Digital Rights
63. ROOTS Bangladesh
64. Skill share hub
65. Southeast Asia Freedom of Expression Network (SAFEnet)
66. Südwind, Austria
67. Swedwatch
68. Thai Netizen Network
69. Unwanted Witness Uganda
70. Venezuela Inteligente / Conexión Segura
71. VOICE
72. Vredesactie
73. WikiRate
74. Women in Digital
75. Women of Uganda Network (WOUGNET)
76. Women's International League for Peace and Freedom
77. World Benchmarking Alliance
78. World Wide Web Foundation
79. Zenzeleni Networks NPC