Compliance & Investigations
The draft “Mandatory Human Rights Due Diligence Law” (Sorgfalts-pflichtengesetz) – new obligations for companies in the supply chain
The coalition factions have conclusively resolved the dispute that has been going on for months on how to achieve the objective set out in the 2016 coalition agreement of protecting human rights and the environment by placing demands on corporate supply chains. The Ger-man Federal Ministry of Labour and Social Affairs has now submitted an initial government draft of a supply chains act (which is designated in the statute itself as the “Mandatory Human Rights Due Diligence Law”) (as of 1 March 2021).
Even though this draft will not become final until the reading in the Federal Parliament is completed, it is already possible to foresee in what the direction in which the legislature is thinking, which regulatory system it would like to select and what actions companies may be obliged to take. Whether this means that the concept of a supply chain register which has recently been under discussion (see our client update) will now be definitively rejected, remains an open question.
Fundamentally, the direction the legislature is most likely to take will not be to prescribe any specific obligations to act, but rather to choose an approach which imposes abstractly formulated due diligence obligations on the companies (and thus also their managerial bodies) and seeks to encourage them through various organisational and publication obligations to recognise and put a stop to any impending human rights violations in their own interest. This regulatory approach is ambitious and dangerous for the companies because it burdens them with the risk of correctly assessing the degree of their compliance without any clear legislative guard rails. The objective is therefore to create the broadest possible basis for enforcing the law, not only through official powers of intervention and the ability to impose sanctions, but also by empowering private persons to prosecute human rights violations in civil proceedings and through mandatory public accountability, thus rendering the protection of human rights more effective.
In its current form, this draft bill will most likely lead to substantial compliance and liability risks, since it does not stipulate any clear obligations for companies and their managerial bodies. Due to the preponderance of vague legal terms, it is scarcely possible for management board members and managing directors to assess with the certainty necessary for entrepreneurial decisions whether, and which, internal compliance measures meet the requirements of the law.
This creates a difficult situation due to the threat of fines. In addition, the due diligence requirements for board members and managing directors will be further tightened. Accordingly, in case of violations, there is a threat not only of companies being fined, but also of personal liability risks arising from D&O liability, whereby the legal question remains unanswered whether and to what extent corporate fines can also be asserted against managerial bodies in the course of D&O liability. At least D&O insurance typically provides for extensive exclusions or limitations in this regard.
Consequently, the companies’ expenses for supply chain compliance will increase. This is also recognised by the draft, since it quantifies the compliance costs for the economy at a considerable amount (EUR 43.47 million per year). Therefore, it can only be recommended that companies, and here in particular the compliance departments, begin right away to concern themselves with the requirements under the statute and develop implementation concepts, even if the draft is still at a relatively early stage.
Scope of application
According to the draft bill, the supply chain act is to become applicable on 1 January 2023 for companies which have, as a rule, at least 3,000 employees and their headquarters or main branch in Germany. From 1 January 2024 on, the threshold for applicability will be lowered to 1,000 employees. Leased employees must be included in the calculation if they are used for more than six months. The employees of all of the companies belonging to the group (section 15 German Stock Corporation Act) must be included in the calculation of the number of employees of the parent company. This applies even if a group company is domiciled in another country or has its headquarters or main branch there.
Naturally, small and medium-sized companies which do not fall within the scope of the statute nonetheless have to meet the requirements of the corporate social responsibility legislation that is already in force.
Regulatory system and objects of protection (“human rights”)
The draft first of all formulates a general obligation to comply with an appropriate level of due diligence with regard to human rights as stipulated by law. It then specifies the measures that are to be taken in the following provisions.
The draft’s point of reference is human rights and environmental rights that have been developed and formulated in numerous international treaties which the draft designates in an annex. These include, for example:
- the International Covenant on Civil and Political Rights of 19 December 1966,
- the International Labour Organisation Convention 29 on Forced Labour of 28 June 1930;
- the International Labour Organisation Convention 138 on Minimum Age of 26 June 1973;
- the Stockholm Convention on Persistent Organic Pollutants of 17 May 2004
and many more.
Although the draft provides extensive examples, in the end it merely defines a violation, in the form of general clauses, as any action or omission which is likely to violate the legal rights mentioned in these conventions in a particularly serious manner and which is obviously unlawful. The examples given include in particular
- the prohibition of employing a child who is either under the permissible minimum age of 15 years or the age at which the compulsory education ends, whichever is higher,
- failure to comply with the prohibition of all forms of slavery, forced labour or compulsory recruitment of children for use in armed conflict,
- failure to comply with occupational safety measures or with the principle of free association and discrimination against employees, e.g. due to their ethnicity, social background, age, gender, sexual orientation or religion,
- failure to comply with the principle of equal wages for equal work,
- causing harmful changes to the soil, water or air contamination or excessive water consumption,
- unlawful expropriations, as well as
- the manufacture of products containing mercury or
- the production of persistent organic pollutants.
Standards of conduct and definition of the term “supply chain”
Interestingly, the measures which are to be taken are subject to a relatively broad and vague reservation of appropriateness. This sounds at first like an easing of the liability standard for the companies. After all, avoiding such violations in the supply chain merely requires an appropriate activity which, according to the type and scope of the company’s activity, is based on the company’s ability to influence infringers, the gravity of the violation which is typically to be expected, its reversibility and the likelihood of a violation, as well as the nature of the company’s contribution to the causation. In point of fact, this lack of specificity confronts the companies with major problems because it remains completely unclear when they can exonerate themselves by pointing out inappropriateness, and what measures are to be considered to be appropriate. It remains open what appropriateness means in an individual case, and this will need to be clarified by the courts. Thus, for lack of clear standards, invoking inappropriateness will give to rise to liability risks which are scarcely reasonable.
The reference point of the obligations is the “supply chain”. The draft understands this to mean all contributions which the company uses to manufacture a product or render a service, from the extraction of raw materials to the delivery to the end-customer. It focuses on both the company’s own business area and the actions of contracting partners (in the language of the draft: direct suppliers) and other suppliers (in the language of the draft: indirect suppliers).
Here too, the numerous unspecific legal terms give rise to a considerable legal uncertainty. The indirect suppliers in particular will present the companies with serious problems, since as a rule they are not able to access them directly; as a rule, their impact on the indirect suppliers is merely conveyed by the direct suppliers.
Obligations to act
Of key importance is the introduction of an appropriate risk management system which must be effectively implemented; its purpose is to recognise risks of human rights violations, prevent them from being realised and put a stop to violations. The management of the company must establish the competence of a person, such as a human rights officer, to set up such a risk management system. This position will generally have to be created by the compliance department or the purchasing department. The management must inform itself on a regular basis, at last once a year, about the work of this person or these persons.
The risk management first of all involves an analysis of what human rights violations stemming from the company’s activity would come into consideration, thus identifying the risks. This analysis must be carried out at least once a year and as occasion to do so arises. The identified risks must be weighed and prioritised, above all according to their nature and severity. The result of the analysis must be communicated to the management board or the purchasing department.
After that, taking into account the interests of all those affected, in particular the company’s own employees, but also those of the supplier, the realisation of such risks must be prevented. To this end, it will be necessary to implement corresponding purchasing practices. The draft additionally designates training and the performance of control measures in a company’s own business area as measures to be taken. Its own suppliers must be contractually obliged to respect human rights, control mechanisms must be contractually agreed upon, the contracting partner must be obliged to conduct training sessions and controls must be carried out. The implementation and effectiveness of the preventative measures must be reviewed at least once a year. It is already apparent that these requirements in the supplier relationships will give rise to substantial questions. Those supplier relations which already exist will have to be examined and renegotiated with regard to the issues mentioned above. It is generally very difficult to undo contracts which have already been concluded, and the suppliers will most likely pose the question of how they will be commercially compensated for the additional compliance risks and expenses. The resultant friction can put a serious strain on the relationships with the suppliers. The existing purchasing agreement landscape will therefore have to be carefully evaluated from a legal and commercial standpoint and renegotiated.
Where violations are identified, they must be stopped immediately if they have occurred in the company’s own business area. If they occur with suppliers, the companies will have to make serious efforts to end the violations. To this end, remediation concepts with specific time plans will have to be drawn up. Breaking off business relationships is only the last resort if all other remediation measures fail. Here too, the implementation and effectiveness of the remediation measures must be reviewed at least once a year.
The companies must adopt a declaration of principles setting out the company’s human rights strategy. Above all, it must describe the results of the risk assessment and the measures taken to prevent legal violations.
According to the draft, all of the measures taken and compliance with the legal requirements must be documented on an ongoing basis and preserved for seven years. The company must post on its homepage once a year a report on the identified risks, the implementation of the due diligence obligations and its evaluation of the impact of the measures taken and their effectiveness, as well as its strategy for the future. These publications must be accessible to the public on the homepage for seven years.
Complaints and whistleblowing
The companies must install a complaint system not only for their own employees, but also for employees of their suppliers, and even for external third parties, such as persons affected by human rights violations, in the manner of a whistleblowing system, i.e. confidentiality must be guaranteed. The effectiveness of this systems must be reviewed once a year.
Standing to sue
According to the draft, trade unions and NGOs which are not acting commercially and are permanent in nature, i.e. not merely on a temporary basis, may, after being properly authorised in writing, assert claims against the companies before German courts in their own name but on behalf of those whose rights have been violated due to a violation of corporate due diligence obligations (provided that the German courts have international jurisdiction, which would generally be the case if the company has its registered office in Germany).
Effective enforcement of the due diligence obligations by the BAFA
In the future, the Federal Office for Economic Affairs and Export Control (“BAFA”) is to be entrusted with the enforcement of the Mandatory Human Rights Due Diligence Law.
In order to enable the BAFA to control and enforce the newly created due diligence obligations, it will be granted extensive responsibilities and powers. With this, the government draft goes beyond what had been discussed up to now in connection with the deliberations on a supply chain register law.
Under the government draft, the official enforcement of the obligations essentially rests on two pillars:
- For one thing, the Mandatory Human Rights Due Diligence Law provides for documentation and reporting obligations of the companies. Four months after the end of each financial year, the report is to render an account of, inter alia, the compliance with the due diligence obliga-tions and the result of their risk assessment. The BAFA will examine this report and the com-pliance with the statutory requirements. It will render an objection to any non-compliance that is identified, and the company may be called upon to carry out remedial measures.
- For another thing, the Mandatory Human Rights Due Diligence Law provides for a control of the implementation of the statutory obligations (“risk-based control” procedure). Here, the BAFA can act ex officio if it learns of possible due diligence risks in the course of its official ac-tivity (perhaps from annual reports or the complaint mechanism). As an alternative, an appli-cant (i.e. a potentially affected employee of one of the companies involved in the supply chain) who demonstrates the possibility of a due diligence violation to a sufficient degree (“substantiated”) has the right to request the opening of an investigative proceeding. In the course of the risk-based control proceeding, the BAFA then has the following control instru-ments at its disposal:
- At the heart of its statutory powers is the ability to order specific obligations to act in order to determine, remedy or prevent due diligence violations. To add further weight to the or-der, the authority may threaten to impose a coercive fine of EUR 50,000 in the event of an infringement. Additionally, an infringement can also lead to the imposition of adminis-trative fines (see below). As a milder measure, the government draft requires the companies to submit an action plan, including specific time specifications, for their remediation of due diligence violations. Moreover, the BAFA is to be authorised to summon people to provide information.
- In order to investigate a (potential) due diligence violation, the BAFA’s officials may enter business premises and inspect the documents relevant for the risk assessment during business hours.
- Also of particular relevance is the introduction of information duties. Under the government draft, at the BAFA’s request, information must be provided, and documents presented, which the authority needs for its investigation and control activities. This obligation is very far-reaching. Companies are not only obliged with regard to their own data, but may also have to disclose information of other companies along the supply chain (namely affiliated companies and direct or indirect suppliers). Whether and how that can be reconciled on a practical level with the protection of business secrets and data protection (which may be regulated differently in the third country), or whether this will result in subsequent prob-lems for the company obliged to provide information, will have to be clarified in practice on a case-by-case basis.
With the implementation of the government draft, the BAFA would receive independent and effective investigative and enforcement powers (similar to those of a customs authority), in order to be able to counter breaches of duty efficiently. Added to this is an arsenal of extremely severe sanctions.
Threatened sanctions: exclusion from participation in tenders and fines
Along with the company’s liability under civil law, once the Mandatory Human Rights Due Diligence Law is introduced, the possibility of two sanctions under public law are to be created: A serious violation of the Mandatory Human Rights Due Diligence Law can lead to an exclusion from participation in public tenders for up to three years. Moreover, even a negligent violation of due diligence obligations in the supply chain can be penalised with the imposition of fines. Along with a range of fines that is set in absolute numbers, the Mandatory Human Rights Due Diligence Law now provides for the imposition of an administrative fine of up to two percent of the average worldwide annual turnover. With this, the legislature places a very sharp sword in the hands of the public authorities: Turnover-related fines are a sanctions instrument which is has primarily been deployed under antitrust and data protection law. The draft of the Corporate Sanctioning Act (Verbandssanktionengesetz) likewise provides for turnover-related fines.
Additionally, members of governing bodies face personal recourse claims of the company if they breach their duty of care under company law to establish an appropriate compliance system for supply chain compliance.
Further specification in handouts of the BAFA
The Mandatory Human Rights Due Diligence Law is to be further specified in handouts by the competent authority, which have been announced in the government draft. From the standpoint of the companies, it is to be hoped that this will lead to a more legally sound and uniform interpretation of the statutory requirements. In any case, for the practical application of the Mandatory Human Rights Due Diligence Law, it would be desirable if a kind of “best practice” for supply chain compliance were to be created on the basis of the handouts.