Business and human rights laws: CS3D and other important developments

After a protracted and hotly contested legislative process, the forthcoming EU Corporate Sustainability Due Diligence Directive (CS3D) is set to become law having been formally approved by the EU Parliament during its plenary session on 24 April. It will represent the latest, and arguably the most significant, business and human rights law to emerge since the UN Human Rights Council adopted the UN Guiding Principles on Business and Human Rights (UNGPs) in 2011. CS3D is by no means alone, however, as various other stringent laws continue to emerge incorporating human rights related requirements into broader due diligence obligations concerning a range of issues such as conflict minerals, deforestation and battery supply chains.

Owing to such legislation both in Europe and beyond, a growing number of companies around the world are either currently obliged, or soon will be required, to conduct human rights and environmental due diligence (HRDD or HREDD) and to report publicly on human rights impacts linked to their own business operations and value chains. An even broader cohort of companies are subject to pressure to implement human rights policies and procedures in response to the expectations of shareholders, financiers, customers and other counterparties who themselves may be subject to business and human rights legislation.

The global picture

Once enacted, CS3D will become the centrepiece of business and human rights laws in various jurisdictions that include disclosure requirements, mandatory due diligence laws, and import bans.

Disclosure-style laws are perhaps most common across the globe. These essentially require companies to periodically report on human rights risks linked to their businesses and value chains, and the steps that the company has put in place to address such risks, either in relation to specific human rights issues – as in the case of the UK, Canadian and Australian modern slavery laws – or in connection with a broader set of sustainability disclosures, as in the case of the EU Corporate Sustainability Reporting Directive (CSRD).

Import bans have also increased in prominence, notably in the US where Customs and Border Protection (CBP) now frequently exercises statutory powers to prohibit the importation of products into the US on the grounds of forced labour concerns. Securing the release of CBP-imposed ‘withhold release orders’ can be onerous, and invariably requires the company concerned to proffer evidence as to the sufficiency of its due diligence procedures to mitigate forced labour-related supply chain risks.

In Europe, a number of states have enacted mandatory HRDD laws, including the French Duty of Vigilance Law (Loi Vigilance), German Supply Chains Act (Lieferkettensorgfaltspflichtengesetz), and Norwegian Transparency Act. While these laws differ in terms of scope and specific requirements, all oblige companies to take steps to identify how they may negatively impact on rights-holders through their own operations and business relationships, and to implement measures to prevent or mitigate such impacts. Such requirements impose unprecedented compliance obligations for businesses, in circumstances where non-adherence may lead to civil liability or regulatory enforcement action.

The impact of CS3D

In the EU, existing national HRDD requirements are likely to be harmonised by CS3D, which will oblige all EU member states to adopt laws imposing HRDD obligations on certain EU and non-EU companies, with the intention of creating a ‘level playing field’. The core focus of these requirements is on identifying and limiting the human rights and environmental impacts of a company’s operations, and those of its subsidiaries and value chains.

CS3D was finally approved by the EU Council on 15 March 2024 and EU Parliament on 24 April, after a version previously agreed in trilogue negotiations between the EU Parliament, Council and Commission, which applied to a much broader cohort of EU and non-EU companies, failed to reach a majority. CS3D’s due diligence requirements will become binding on larger companies from 2027, with a subsequent extension to smaller companies.

Specifically, CS3D will apply to EU companies with more than 1,000 employees and a worldwide turnover of more than €450m, as well as non-EU companies with a turnover of more than €450m generated in the EU. In-scope companies will be required to implement HRDD measures extending to their ‘chain of activities’, which includes the company’s own operations, as well as the activities of its ‘upstream’ business partners (related to the production of goods or the provision of services) and ‘downstream’ business partners (but concerning the distribution, transport, and storage of products for or on behalf of the company).

CS3D also requires companies to adopt and put into effect a climate transition plan which aims to ensure, through best efforts, that the business model and strategy of the company are compatible with the limiting of global warming to 1.5°C in line with the Paris Agreement.

A company that fails to meet its due diligence obligations under CS3D may face regulatory enforcement and/or civil liability, though importantly a company would not incur civil liability for ‘damage’ caused only by a business partner. Further, while CS3D prescribes potentially significant financial penalties of up to 5% of a company’s net worldwide turnover, any fine would need to take into account factors such as the gravity of the infringement and severity of impacts, as well as whether the company has taken remedial action.

Other EU legislation

Beyond CS3D, businesses in the EU or trading with EU counterparties need to respond to an array of distinct due diligence requirements imposed by other laws that apply in specific contexts and to individual sectors:

For example, the Conflicts Minerals Regulation (CMR), which came into force on 1 January 2021, prescribes supply chain due diligence obligations for EU importers of tin, tantalum and tungsten, their ores, and gold originating from conflict-affected and high-risk areas. The CMR obliges EU-based importers of these minerals and metals to comply with HRDD obligations and to retain documentation demonstrating compliance. In particular, importers must follow the five-step framework of the OECD’s Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, which includes a risk assessment and third-party audits to verify implementation of the CMR’s

HRDD obligations.

The Batteries Regulation, which entered into force on 17 August 2023, aims to promote a circular economy and to reduce the environmental and social impact of batteries. Among other things, the Batteries Regulation (which took effect on 18 February 2024) obliges companies that place batteries with a capacity above 2 kWh on the EU market to establish a risk based HREDD policy concerning their cobalt, natural graphite, lithium and nickel supply chains. Companies are also required to conduct risk assessments in relation to potential impacts in the supply chain, take measures to prevent and mitigate such impacts, and establish a grievance mechanism. Compliance with these obligations must also be verified by a conformity assessment body admitted in the relevant member state.

On 29 June 2023, the Deforestation Regulation entered into force. Its objective is to curb deforestation and forest degradation caused by the expansion of agricultural land used to produce commodities such as cattle, wood, rubber, oil palm, soy, cocoa or coffee. From 30 December 2024, companies must ensure commodities placed on – or exported from – the EU market are ‘deforestation-free’, meaning they were produced on land that has not been subject to deforestation after 31 December 2020. The due diligence obligations imposed on companies include carrying out regular risk assessments and record keeping. The competent authorities of member states will carry out checks to establish whether companies are complying with their obligations under the regulation. Member states can determine the penalties for infringements, including fines of up to 4% of the company’s annual turnover and confiscation of the relevant products.

Following  the EU Parliament and Council reaching provisional agreement on the text of the Forced Labour Regulation on 13 March 2024, the Parliament granted its formal approval on 23 April, with the Council’s vote expected later this year. The Regulation prohibits companies (wherever incorporated) from placing products made with forced labour on the EU market or exporting them from the EU. To achieve this, competent authorities of member states are required to assess the likelihood of forced labour violations based on available information and, where appropriate, initiate investigations into the products and companies concerned. Where competent authorities establish a violation, they can order the company to withdraw the relevant products from the EU market. Member states can lay down the rules for penalties for non-compliance.

Following its adoption by the EU Council on 18 March 2024, the European Critical Raw Materials Act (CRMA) will now enter into force. The CRMA establishes a framework for ensuring a secure and sustainable supply of critical raw materials which are important for the EU’s green and digital aims, such as lithium and cobalt. Among other things, the CRMA proposes a framework to select and implement strategic projects which may benefit from streamlined permitting and access to finance. While the CRMA does not provide for specific due diligence obligations, one criterion for recognising a project as ‘strategic’ is whether it can be implemented sustainably, including concerning respect for human rights. Satisfaction of this criterion would be assessed taking into account compliance with CS3D.

Conclusion

Many multinational companies have implemented and will continue to enhance HRDD programs in response to various laws that may apply to entities in their corporate groups, as well as to give effect to their own voluntary human rights commitments. However, the legislative landscape is evolving quickly. While CS3D will (to a large degree) harmonise existing HRDD obligations across the EU and may also serve as a point of reference for other countries looking to enact similar legislation, it is critical that companies take steps to assess the specific obligations of each law which may apply to them. Failure to understand the overlaps and divergences which exist in terms of the differing legislative requirements may present liability risks.