Sustainability Check: The Technology Sector's Corporate Due Diligence Challenges

By Linn Johanne Shi Trøen, 19 April 2024


Linn Johanne Shi Trøen is a master's student in the elective Corporate Sustainability Law, University of Oslo

As our society races through the digital age at breakneck speed, the legal frameworks that underpin it often find themselves playing catch-up. Currently, there are due diligence procedures that address aspects such as legal compliance and financial viability. However, these procedures often struggle to overcome the challenges posed by the technology sector, such as lengthy supply chains, diverse product mixes, and various sales models. These shortfalls make achieving effective corporate sustainability due diligence particularly difficult in the technology sector.

This blog post explores some of the limitations of the Corporate Sustainability Due Diligence Directive (CSDDD), with regard to its response to the technology sector. The CSDDD is expected to be finally adopted in the spring of 2024. I propose solutions to these issues, with my discussion based on the final text of 15 March 2024 (which is expected to undergo no further changes before adoption).

Why is corporate sustainability due diligence important in the technology sector?

Corporate sustainability due diligence is important because it is a tool to identify, prevent and mitigate corporations’ actual and potential impacts on human rights, the environment, and financial flows in their operations and business relationships. This ensures good risk management and fosters better corporate decision-making.

In the technology sector, corporate sustainability due diligence is particularly vital, given the sector’s increasing socio-economic impact. Companies in this sector can develop technologies with the potential for mass surveillance, privacy violations, censorship, and discrimination. Without adequate regulation, these technologies can be misused to perpetrate human rights abuses and environmental harm, such as social media censorship impeding freedom of speech and environmental damage from e-waste dumping.

Although there are existing legal frameworks in this area, such as the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, these are soft law and therefore not binding. This results in a significant enforcement challenge, as adherence is voluntary and lacks legal consequences. The CSDDD, being compulsory and providing for legal repercussions, may serve to address the enforcement gap present in existing frameworks.

There have been several cases in the technology sector underscoring the negative consequences of insufficient regulation, including illegal surveillance, biased AI algorithms and hate speech weaponization. Effective and binding regulation under corporate sustainability law is imperative to mitigate these harms. However, the CSDDD's reach in the technology sector is limited.

Missing the scope?

On 15 March 2024, after several weeks of delays, the Council approved the CSDDD with massive reductions to its scope. The Directive regulates the number of EU-operating companies covered based on turnover and workforce. The final compromise eliminated almost 70 per cent of the companies covered by the initial proposal.

The adopted version removed the ‘high-impact sector’, which included companies in textile, food and mineral resources. Although the technology sector was notably missing from this, the previous approach expanded the scope to include businesses in high-risk human rights or environmental conflict industries, regardless of meeting the turnover and workforce requirements. Nevertheless, the revised text allows reintroducing the high-impact approach later if needed.

Even before the proposal was drastically reduced, civil society, trade unions, and consumer groups criticized its narrow scope. They argued that the UNGPs and the OECD Guidelines, on which the proposal is based, do not limit their scope by company size or sector. In these guidelines, the impact depends on operational conduct and precautionary measures.

Inclusion in the scope is especially significant for the technology sector, where the smallest company can have tremendously negative impacts on people and the environment. For instance, a police department used AI surveillance technology from a tech company to monitor 600,000 social media users, aiming to predict future criminals. However, the technology wrongly associated tweeting about Islam with potential extremism, highlighting the data protection, freedom of speech, and discrimination risks posed by such technologies.

To combat this, the CSDDD must consider the growing influence of technological developments. For instance, the technology sector could be added to the previous ‘high-impact sector’ approach to broaden the scope and reflect the specific risks associated with its operations.

The thresholds should be removed. The Directive should rather be applied to all companies and used to decide which companies meet the required standards for responsible business conduct. For instance, the implementation of due diligence processes to identify, prevent and mitigate impacts is scalable and can be applied regardless of size and sector. The expectations regarding the extent of the documentation and scale of the due diligence process can be adjusted according to size, sector, and specific business risks. This can enhance precise risk management, increase transparency, improve reputation, and build trust with stakeholders for all companies.

Not enough inclusion of downstream impact?

Companies can impact their surroundings both through their operations and their supply chain (upstream impacts), and when their services and products leave the company (downstream impacts). While many companies have downstream impacts like pollution, the technology sector stands out for its downstream effects, such as in surveillance technology. The utilization and spread of such technologies can profoundly impact privacy, security, and individual freedoms widely beyond initial use.

However, the CSDDD, while aiming to address both upstream and downstream relations, falls short by limiting its scope to a company's ‘chain of activities’. This approach only addresses certain segments of the value chain, omitting obligations for indirect business partners like financial services, short-term business relationships, and providers from downstream activities such as product disposal.

This exclusion particularly affects the technology sector, which often utilizes AI systems and digital technology to fragment outsourced tasks, resulting in short-term, easily replaced business relationships. For instance, a tech company given a single contract to write code for a surveillance tool might not qualify as a business relationship under the CSDDD.

A possible solution lies in expanding the Directive to incorporate all business relationships through a risk-based approach. This is more aligned with the UNGPs, which emphasize the severity of risk rather than the duration of a business relationship as the primary consideration for due diligence requirements.

Additionally, tech companies can deploy digital management systems such as suppliers’ portals. These can oversee supplier activities even in short or unstable business relationships and are already applied by companies like Huawei.

The technology paradox

The CSDDD encourages the use of technology, such as satellites and drones, for product surveillance along value chains to reduce the costs of data gathering, monitoring, and assessment. This approach highlights the dependence on technology for cost-effective implementation within various sectors. For instance, the Nordic textile industry is exploring blockchain technology to fulfil regulatory requirements related to supplier transparency and product liability.

While the CSDDD emphasizes verifying technology-derived data and responsible usage, it overlooks the critical need to regulate the providers of such technologies. This oversight reveals a paradox: the Directive aims to enhance sustainability through technology, yet it fails to address the regulation of the technology sector that underpins these efforts. To truly achieve its objectives, the CSDDD should navigate this contradiction by implementing regulations that ensure technology providers contribute positively and responsibly to sustainability practices.

On the path to corporate sustainability?

Although the Directive has its flaws regarding the technology sector, it is a step in the right direction for regulating Europe's transformation towards sustainability, striving to standardize expectations and provide legal certainty. This is a move strongly supported by the business community – as evidenced by an EU Commission report showing over 70 per cent of surveyed businesses favouring mandatory due diligence.

With the Directive on the brink of becoming law, it presents a critical opportunity for tech companies to align with new regulations and increasing stakeholder demands for mandatory legislation. As the CSDDD illuminates both our achievements and the obstacles in reaching sustainability, the technology sector, already engaged in voluntary sustainable practices, is well-positioned to lead these changes. While the Directive may not single-handedly reshape the future, every informed discussion and action it inspires moves us closer to sustainable business practices, both in the technology sector and beyond.

Published Apr. 19, 2024 7:40 AM - Last modified Apr. 19, 2024 7:40 AM