I. Introduction
Recently, important developments have taken place as an increasing number of mandatory human rights and environmental due diligence (mHREDD) laws and legislative proposals have been put forward in various jurisdictions in Europe and beyond,Footnote 1 supported by civil society,Footnote 2 trade unionsFootnote 3 and a growing number of business organizationsFootnote 4 and companies.Footnote 5
In Europe more specifically, the majority of stakeholders consulted in the 2020 European Commission Study on Due Diligence Requirements Through the Supply Chain (EC study)Footnote 6 supported the introduction of an EU-level general mHREDD requirement.Footnote 7 This was perceived by stakeholders across the board as the regulatory option which would yield the greatest positive social, environmental and human rights impacts, and nearly 70% of companies surveyed anticipated that mHREDD legislation would benefit business.Footnote 8 Based on the findings of this study, the European Commissioner for Justice, Didier Reynders, announced that a legislative initiative on mHREDD would be put forward.Footnote 9 In March 2021, the European Parliament adopted a resolution with recommendations to the European Commission on corporate due diligence and corporate accountability, including the text for a draft directive in the annex.Footnote 10 On 23 February 2022, the European Commission published its proposed Directive on Corporate Sustainability Due Diligence (EC Draft Directive),Footnote 11 which sets out mHREDD duties for large European and non-European companies as well as mid-cap companies active in specified ‘high impact’ sectors, and includes state-based oversight mechanisms alongside civil remedies.
These legal developments are expressly based on the concept of human rights due diligence (HRDD) set out in the UN Guiding Principles on Business and Human Rights (UNGPs) where it is defined as the process through which companies can ‘identify, prevent, mitigate and account for’ the actual and potential adverse human rights impacts that they may cause or contribute to through their own activities, or which may be directly linked to their operations, products or services by their business relationships.Footnote 12 The concept was subsequently introduced in various international instruments such as the ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social PolicyFootnote 13 and the OECD Guidelines for Multinational EnterprisesFootnote 14 where it was extended to other fields such as the environment.
However, the UNGPsFootnote 15 only make limited references to the concept of legal liability, and specify that ‘the responsibility of business enterprises to respect human rights is distinct from issues of legal liability and enforcement, which remain defined largely by national law provisions in relevant jurisdictions’.Footnote 16 At the same time, the UNGPs make it clear that access to remedy is an essential part of both the state duty to protect and the corporate responsibility to respect human rights. In relation to the latter, the idea embodied in the UNGPs is that due diligence should help companies mitigate their legal risk: the Commentary to Principle 17 states in this respect that:
Conducting appropriate human rights due diligence should help business enterprises address the risk of legal claims against them by showing that they took every reasonable step to avoid involvement with an alleged human rights abuse. However, business enterprises conducting such due diligence should not assume that, by itself, this will automatically and fully absolve them from liability for causing or contributing to human rights abuses.
It is in relation to these discussions on the legal defence to liability that the concept of a ‘safe harbour’ has surfaced in the context of corporate due diligence. For example, an unofficial publication of Draft Key Points for the purposes of introducing a German Federal law on strengthening corporate due diligence to prevent human rights violations in global value chains (hereafter ‘German Draft Key Points’)Footnote 17 was released in 2020 and made express reference to a ‘safe harbour’ exemption. This provision did not feature in the Supply Chains Due Diligence Act which was finally approved in Germany,Footnote 18 but references to the concept of ‘safe harbour’ remain in circulation.
For example, the ‘safe harbour’ concept was mentioned in a panel discussion on the topic of ‘Mandatory Human Rights Due Diligence: building out the key components of effective legislation’ during the 2020 UN Forum on Business and Human Rights.Footnote 19 In October 2021, the International Organisation of Employers, together with Business at OECD and BusinessEurope, released a joint position paper which mentions the removal of the ‘safe harbour’ provision which was contained in the Third Revised Draft Treaty on business and human rights.Footnote 20 It was reported that during the negotiations between EU Member States regarding the EC Draft Directive, a German proposal for ‘a get out of jail free card’,Footnote 21 described as ‘an amendment that would allow companies to be largely exempt from liability if they were part of an industry initiative to address issues along the value chain’ did not ‘get much traction and is unlikely to be included in a new compromise text’.Footnote 22
However, in the context of these discussions, significant confusion has emerged, as ‘safe harbour’ is often used as a synonym for a ‘due diligence defence’. For example, since the publication of the EC Draft Directive, initial responses and social media comments have – incorrectly, we argue – implied that its Article 22(2) functions effectively as a safe harbour exemption.Footnote 23 This article argues that these two concepts should be firmly distinguished: a ‘due diligence defence’ requires the company to demonstrate the quality of its due diligence, whereas a ‘safe harbour’ excludes such an enquiry from taking place, based on the company having met a certain conditional requirement.
This article considers what is meant by a ‘safe harbour’ in this context, and how this concept differs from the concept of mHREDD as a legal standard of care which forms the basis of a legal defence to liability. In particular, Section II presents the concept of ‘safe harbour’ through three illustrative examples. Next, Section III distinguishes the concept of ‘safe harbour’ from the concepts of mHREDD as a standard of care and the ‘due diligence defence’, and considers how the ‘safe harbour’ concept relates to a ‘tick box’ approach, the UNGPs framework, and access to remedy for victims. The article concludes that the concept of ‘safe harbour’ should not be used interchangeably or synonymously with the concept of a ‘due diligence defence’ associated with a legal standard of care.
The methodology used is a literature review and comparative legal analysis. The article focuses on the (in)compatibility of a ‘safe harbour’ exemption with the concept of mHREDD, with reference to selected illustrative examples, existing research findings and ongoing legal developments. As such the article aims for a conceptual legal analysis within the framework of the UNGPs rather than comprehensively covering individual jurisdictions.
II. The Concept of a ‘Safe Harbour’ Exemption
Understanding of the Concept of ‘Safe Harbour’: Three Illustrative Examples
In certain areas of law, the phrase ‘safe harbour’ is used to describe specific conditions which, if met, exempt an entity from liability. The concept of ‘safe harbour’ has been used in different contexts and has not been centrally defined in a uniform way. However, the meaning always broadly relates to condition(s) set out or implied in a statute, which, if proved to have been met, would exempt an entity from liability in terms of the statute. This meaning will be considered here through three illustrative examples (which are not exhaustive of the way in which the phrase is used).
‘Safe Harbour’ and California Reporting Requirements: Barber v Nestlé
The first example relates to the California Supply Chain Transparency Act,Footnote 24 which requires certain companies to report on the efforts they are taking to eradicate slavery and human trafficking from their direct supply chain. The case of Barber v Nestlé Footnote 25 heralded a line of claims based on consumer protection lawsFootnote 26 relating to statements made in terms of this Act. The cases alleged that the failure to disclose that certain products may have been sourced by forced labour had materially influenced and deceived the plaintiffs in their purchasing choices.
The Court in Barber found that when adopting the Supply Chains Transparency Act, the California legislature had:Footnote 27
[C]onsidered the situation of regulating disclosure by companies with possible forced labor in their supply lines and determined that only the limited disclosure mandated by § 1714.43 is required.
It found that the information which the plaintiffs required was additional to the information required by the Act. The Court found in favour of the company that, because the company had complied with the specific requirements of the Act, the plaintiffs’ claim was barred by the ‘safe harbour doctrine’. The Court also stated:Footnote 28
Plaintiffs may wish – understandably – that the Legislature had required disclosures beyond the minimal ones required by § 1714.43. But that is precisely the sort of legislative second-guessing that the safe harbor doctrine guards against.
In other words, it was considered that the legislature stipulated which information should be included within the public statement, and by complying with these specific requirements of the Act, the company was protected by the ‘safe harbour’. In the context of this first illustrative example, the concept of ‘safe harbour’ was read into the legislation by the court, as the statute it referred to did not explicitly provide for a ‘safe harbour’ provision. It functions as a way of shielding companies from liability for failing to disclose information beyond that which is expressly required by the reporting statute.
‘Safe Harbour’ and European Data Privacy Regulation: Schrems v Data Protection Commissioner
A second example of a reference to the concept of ‘safe harbour’ can be found in the context of the EU, with the decision of the Court of Justice of the European Union (CJEU) in Schrems v Data Protection Commissioner (Schrems I).Footnote 29 The case related to the Commission’s decision which provided that companies which self-certified as adhering to US Department of Commerce ‘Safe Harbour Privacy Principles’ of 21 July 2000 (and the FAQs relating to their implementation) would be deemed to meet the conditions required for the transfer of personal data from the EU to the US. In a judgment which predated the General Data Protection Regulation (GDPR),Footnote 30 the CJEU found that the European Commission’s decision to create a ‘safe harbour’ exemption was invalid, as it did not adequately protect the fundamental rights and freedoms, particularly the right to privacy, set out in the European Convention for the Protection of Human Rights and Fundamental Freedoms. This provides an interesting example of an express ‘safe harbour’ provision which was declared invalid for failing to adequately protect human rights.
In addition, the Court held that ‘legislation not providing for any possibility for an individual to pursue legal remedies’ in this context ‘does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the [EU] Charter [of Fundamental Rights]’.Footnote 31 It elaborated as follows:Footnote 32
The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.
As a result, in the European context and, arguably in other contexts as well, a ‘safe harbour’ provision which precludes or limits rights-holders from bringing civil claims against a company may similarly be understood to interfere with the right to an effective remedy.
‘Safe Harbour’ in the German Draft Key Points
The most recent of our three illustrative examples is the safe harbour provision which was contained in the German Draft Key PointsFootnote 33 which related to earlier drafts of what is now the German Law on Supply Chain Due Diligence.Footnote 34 The German law which was eventually passed no longer contains the ‘safe harbour’ exemption, but it is nevertheless illuminating to consider this example for current purposes.
The German Draft Key Points were produced by the Federal Ministry of Labour and Social Affairs and the Federal Ministry for Economic Cooperation and Development and released in July 2020. The Draft Key Points sought to impose mHREDD obligations derived from the UNGPs and the OECD Guidelines for companies resident in Germany with more than 500 employees. The due diligence exercise envisaged included an identification and an analysis of the risks of potential or actual adverse impacts on internationally recognized human rights, a requirement to take appropriate measures to address these impacts and to check the effectiveness of the measures taken, the need for companies to set up a complaints mechanism, and the obligation to report annually on the various core elements of the due diligence process. The due diligence exercise was to be proportionate and reasonable in view of the nature and scope of the business activity.
In terms of enforcement, the Draft Key Points contained a civil liability provision which would allow private parties to bring actions for damages in German courts against companies alleged to have violated the due diligence obligations. The civil liability provision specified that a company would have been liable for harm which was ‘foreseeable and avoidable’. The provision also provided for a due diligence defence, whereby a company would not have been liable for damages if it could show that it had done what was appropriate under the circumstances, and that the damage nevertheless occurred. The obligation was described in the Draft Key Points as an obligation of effort (Bemühungspflicht) and not as an obligation of successful result (Erfolgspflicht).
In addition to the civil liability provision, the Draft Key Points contained a provision entitled ‘safe harbour’, which provided that where a company joined and implemented ‘an officially recognised (industry) standard’ it would be exempted from civil liability for failure to undertake the required due diligence, except in cases of intent and gross negligence. The criteria for a ‘recognised (industry) standard’ would have been listed in the legislation, and would have included that the standardFootnote 35 should cover the entire supply chain; should take into account all the core elements of due diligence; and should have been developed in the framework of a multi-stakeholder process. The text also provided that the company’s compliance with the standard was to be externally audited.
As discussed below, a ‘safe harbour’ provision which relies exclusively on industry standards poses some contradictions to the concept of HRDD, particularly as involvement in an MSI standard does not guarantee an adequate HRDD process.Footnote 36
Neither the civil liability nor the safe harbour provisions were included in the text that was subsequently adopted as the German Corporate Due Diligence Obligations in Supply Chains Act in June 2021. The latter imposes on certain large German companies due diligence obligations with regard to human rights and certain environment-related risks. The due diligence obligations extend to the companies’ own operations and to their first-tier suppliers. In some cases, it may extend further down the supply chain. Unlike the Draft Key Points, enforcement of the adopted law will take place exclusively through a state-based administrative oversight body. The authority will be empowered to act on its own accord, receive complaints, and impose fines, but with no specific powers relating to remedies for victims.
Although these illustrative examples provide different – and non-exhaustive – contexts within which the concept of ‘safe harbour’ has been used, their commonality lies in the automaticity of the exemption from liability which is characteristic of the ‘safe harbour’. This is not only highly problematic from an access to justice perspective but also, as will be demonstrated next, contrasts with the UNGPs’ understanding of the concept of HRDD as a standard of care. This was confirmed by John Ruggie who stated, in a January 2021 webinar on corporate due diligence and civil liability, that: ‘Given that [with HRDD] we are dealing with a standard of conduct, there should be, in my view, a due diligence defence, but not an automatic safe harbour’.Footnote 37
III. The Concept of ‘Safe Harbour’ in the Context of mHREDD as a Standard of Care
The Concept of mHREDD as a Standard of Care and the ‘Due Diligence Defence’
As set out in the UNGPs, the concept of HRDD refers to a standard of care, that is, a standard of conduct which would be expected from a reasonable company based on the specific circumstances. Such a standard of care is ‘based on the basic tort law or negligence principle – phrased differently but similar in nature across civil and common law jurisdictions – being that a person should take reasonable care not to cause harm to another person’.Footnote 38 As such, within that general understanding, mHREDD as a standard of care does not envisage creating a strict liability obligation without a defence. Such a strict liability would ostensibly require the elimination of all human rights harms, insofar as the existence of any human rights harm in the company’s operations or value chain would automatically translate into liability.
In line with the UNGPs, the new EC Draft Directive on Sustainable Corporate Due DiligenceFootnote 39 acknowledges this in Recital 15 by specifying that the main due diligence obligations set out in the Directive are ‘obligations of means’ whereby companies should take the ‘appropriate measures which can reasonably be expected to result in prevention or minimisation of the adverse impact under the circumstances of the specific case’. It further affirms that:
This Directive should not require companies to guarantee, in all circumstances, that adverse impacts will never occur or that they will be stopped. For example with respect to business relationships where the adverse impact results from State intervention, the company might not be in a position to arrive at such results.
Instead, due diligence as a standard of care necessarily offers the possibility of a due diligence defence to liability, where the legal test would focus on whether and how the company has exercised appropriate care: in other words, whether the company has taken objectively sufficient steps to ‘identify, prevent, mitigate and account for’ their actual and potential human rights abuses.Footnote 40 Any duty that is defined with reference to a standard of care would by implication allow a defendant company to show, when challenged in court, that it has in fact met the legally required standard of care. It is the level, quality and degree of the company’s efforts that would determine whether it has met the legal requirement.
Indeed, the due diligence process itself would involve an evaluation of those risks. This can be contrasted with a situation where a company is automatically strictly liable, without a defence, for any proven harm which it was legally obliged to avoid or prevent. Such a law could discourage companies from proactively taking steps to identify and address adverse impacts. In other words, companies might be incentivized to ‘disassociate and deny’, rather than ‘engage and improve’.Footnote 41
All defendants in court, whether civil or criminal, are always able to defend themselves by arguing and proving that they have not breached the law in the way that is alleged.Footnote 42 In this context, it is this civil defence on the merits that is called the ‘due diligence defence’, to be distinguished from a ‘safe harbour’ exemption which rules out an enquiry on the merits.
Below, the article sets out various ways in which the concept of a ‘safe harbour’ exemption contradicts the concept of mHREDD and the ‘due diligence defence’.
‘Safe Harbour’ as a Defence
Despite the overall support for the introduction of mHREDD at the EU level, some business representatives have expressed concerns in relation to the increased legal risks that it might pose for them. Against this backdrop, the concept of ‘safe harbour’ has started to be used in relation to HRDD, as a way in which companies can avoid liability. For instance, in an interview, Virginie Mahin, the Global Social Sustainability and Human Rights Lead at Mondelez International indicated that:Footnote 43
In cocoa, for example on child labour, we have multistakeholder industry initiatives. We have the International Cocoa Initiative where we work collectively on tackling child labour issues in the West African supply chain. […] But while there are a lot of good voluntary initiatives, we still think it would be beneficial to have a binding law at EU level to provide a level playing field, and bring along companies upstream in the supply chain, which may not be under the same consumer-facing pressure. And the law should provide that safe harbour we are talking about. That is essential to us.
Whilst acknowledging that enforcement mechanisms are key to ensuring the effectiveness of a law, Mahin also articulated concerns of legal actions being filed on the basis of the information shared by the company. She explained that:
Companies need to have confidence they can be transparent about risks in their supply chains without fearing that they will be exposed to increased risk of litigation. We need to make sure that when we are transparent, we are not exposed.
Similarly, in an interview for the EC study, a company interviewee explained the need to allow companies the freedom to recognize their issues in a transparent manner and to try and solve the issues without being immediately found liable for these issues.Footnote 44
These references to a ‘safe harbour’ accordingly point to the need expressed for companies to be transparent about how they address their human rights risks, without thereby subjecting themselves to increased legal risks. The fear that increased transparency would lead to increased legal risk might also have been fuelled by case law such as the UK case of Vedanta,Footnote 45 where the company’s own statements were deemed to be relevant to the court’s assessment of whether the parent company may have assumed a duty of care.
These comments preceded the legal proposals which are under discussion in this article. In contrast to the concerns expressed above, the legal duty is not being developed on a strict liability basis where any company that is associated with human rights harms (or reporting transparently) would automatically be liable. Instead the legal test would consider what the company has done to address these risks. Insofar as communication is an important component of HRDD, companies that are able to ‘know and show’ how they address their human rights impacts should accordingly be in a better position to rely on the due diligence defence. Moreover, since these interviews took place, increasing transparency requirements, including in the EU Corporate Sustainability Reporting Directive,Footnote 46 have evolved the legal obligations of companies to report on their HRDD.
‘Safe Harbour’ and the ‘Tick-Box’ Approach
An approach which automatically exempts companies which undertake ‘tick-box’ approaches was expressly rejected by stakeholders during the EC study.Footnote 47 It was pointed out that this approach diverts resources away from those issues which are really at risk in the circumstances, towards those which are listed in the standard or instrument.Footnote 48 Rather, stakeholders preferred a general duty which references a standard of care that would take into account the specific circumstances applicable to each company’s operating context.
A ‘tick-box’ approach is understood to refer to a list of criteria that applies across the board to companies and is unrelated to their real human rights risks or the quality of their due diligence processes. This approach allows a company to meet the legal requirement by simply ‘ticking off’ these criteria superficially, without consideration of the company’s real adverse human rights impacts and whether they are being addressed. If the relevant evaluating body does not evaluate the effectiveness of these efforts, then the company can avoid liability by simply having them in place, regardless of their adequacy, how well they are implemented in practice or their actual impacts on the lives of rights-holders.
Examples of such ‘tick-box’ criteria often include the use of contract clauses and audits. For example, the distinction between a ‘tick-box’ approach and a legal duty of care can be illustrated in the 2020 ‘Schrems II’ decision of the European Court of Justice in which the court had the opportunity to consider whether ‘standard contract clauses’ (SCCs) constituted a valid means of transferring personal data to non-EU third countries.Footnote 49 The court concluded that such SCCs could be valid, but not in all cases. Specifically, the court said that organizations must assess on a ‘case-by-case basis… whether the law of the third country… ensures adequate protection’ of the transferred data, pursuant to the SCCs and ‘additional safeguards’ where necessary.Footnote 50 The judgment highlights well the difference between a tick-box approach (in this case, the simple adoption of standardized contract clauses) and the more detailed sort of enquiry which the court deemed necessary to discharge an organization’s legal duties under the GDPR.
This finding is important in light of the provisions of the EC Draft Directive that relate to contractual assurances. In particular, Article 22(2) provides that companies would not be liable for damages:
… caused by an adverse impact arising as a result of the activities of an indirect partner with whom it has an established business relationship [where the company demonstrates that it has taken the actions referred to in sections relating to 7(2)(b) read with 7(4) and 8(3)(b) read with 8(5), relating to contractual assurances sought, contractual cascading and ‘appropriate measures to verify compliance’], unless it was unreasonable, in the circumstances of the case, to expect that the action actually taken, including as regards verifying compliance, would be adequate to prevent, mitigate, bring to an end or minimise the extent of the adverse impact. [Emphasis added]
Some initial media responses were concerned that this would constitute a ‘safe harbour’ or ‘tick-box’ approach, whereby companies would be exempt from civil liability for harms caused by indirect business partners in their value chain through the mere act of including contractual assurances. However, this is patently not the case: by referring to the ‘unreasonable[ness]’ and ‘adequa[cy]’ of the ‘action actually taken’ ‘in the circumstances of the case’, the law echoes the classic standard of care test applicable to civil disputes more generally:Footnote 51
This incorporates an objective ‘reasonableness’ standard into the defence. While it will be for the relevant courts to determine what is reasonable in all the circumstances, it is clear that companies will not be able to simply incorporate contractual obligations into their contracts with direct business partners without more, relying upon ‘contractual cascading’ to ensure these obligations reach indirect business partners. In many cases, depending on the risks, this will not be reasonable and therefore sufficient for the defence.
Whilst the EC Draft Directive’s ‘heavy reliance’ on contractual clauses and third-party verification methods to demonstrate compliance has been rightly criticized,Footnote 52 it is clear that the appropriateness of the measures taken by the company (as defined in recital 29 and in Article 3(q)) will be decisive in the court proceedings. The question therefore will be whether, under the circumstances of the specific case, and in relation only to those harms caused by indirect business partners, the company did in fact comply or fail to comply with its due diligence obligations set out in these subsections.Footnote 53
This approach is reminiscent of that taken by the court in Schrems II which recognized the use of contractual clauses but required assessment of adequacy on a case-by-case basis.Footnote 54 It is also interesting to note, in this regard, the judgment of Hamida Begum v MaranFootnote 55 where the Court of Appeal of England and Wales considered an example of what the EC Draft Directive calls ‘contractual cascading’. It found that where both contracting parties knew that the relevant contractual clause regarding the protection of safe working practices ‘would be entirely ignored’, and where ‘everyone turns a blind eye to what they know will actually happen’,Footnote 56 the company could be held liable insofar as it ‘could, and should, have insisted’Footnote 57 that the contractual provision be complied with by the contracting party in its own value chain.
However, as mentioned above, defining mHREDD as a legal duty to meet a certain standard of care necessarily implies that a company could defend itself by showing a court that it has met this duty. The key distinction is between the civil procedural definition of a defence, which any defendant can rely on in court, and a ‘safe harbour’ exemption which entirely rules out the cause of action ab initio.
Some have expressed discomfort with the use of the concept of ‘safe harbour’ in the context of mHREDD as a legal standard of care. For instance, in the EC study, an interviewee from civil society mentioned that:Footnote 58 ‘In this debate, the concept of ‘safe harbour’ is not a very helpful concept, because it is mixing things together’. It was explained that whereas the UNGPs were clear that ‘conducting [due diligence] should not be an automatic defence’, it is the ‘issue of automaticity that is the problem’ insofar as ‘“safe harbour” implies “I do this, snap, I’m free, whatever happens I’m out”’.
There is accordingly a crucial difference between the defence of having undertaken the due diligence required by a duty of care, and a ‘safe harbour’ exemption. Nevertheless, these two concepts are often used in the same sentence, or even as synonyms, by commentators in ongoing discussions.
‘Safe Harbour’ and External Verification Methods
Some examples of ‘safe harbour’ or ‘tick-box’-centred approaches allow the company to show that it has obtained a report or document (sometimes actually entitled ‘due diligence’) from auditors, lawyers or consultants, or a certification or approval from a third-party verification scheme, in order to satisfy a legal requirement. It is a common precondition of contractual or public procurement frameworks for companies to demonstrate that they have achieved external verification as regards their compliance with internationally recognized standards issued by, for example, the International Organization for Standardization (‘ISO’) on matters such as health and safety or information security. This certification process is invariably conducted by way of external audit.
With a legal duty which comprises a standard of care, a document or certificate would not in itself suffice to end the enquiry. The court may take the verification into account, but the court’s enquiry would go further and ask what the company did in practice, on the facts of the case, and whether this was enough, ‘adequate’ or ‘reasonable’, given the specific circumstances and risks.
For example, a company with an ISO 37001 (anti-bribery management systems) compliance certificate would not automatically be deemed to have ‘adequate procedures’ in place for the purposes of establishing a defence to criminal liability under section 7 of the UK Bribery Act (failure to prevent bribery). As noted in guidance published by the UK Ministry of Justice, anti-bribery procedures need to be ‘effectively implemented and enforced’.Footnote 59 In other words, satisfying the defence would require the defendant company to show that it maintained procedures which were effective in preventing bribery on an ongoing basis.
If it were the case that liability could be avoided under the UK Bribery Act through the simple act of having a compliance programme, regardless of its effectiveness (e.g., a set of ‘paper policies’ which are not applied in practice), this would be akin to a ‘tick-box’ defence. However, UK prosecutors have made clear that, in fact, having an ineffective compliance programme at the time of the offence is a public interest factor which tends in favour of the company’s prosecution.Footnote 60
In other words, maintaining anti-bribery procedures which are not applied in practice may put the company in a worse position than having no procedures at all: in such circumstances the company may be regarded as having misrepresented its commitment to bribery prevention. In 2018, the UK Competition and Markets Authority similarly made clear that ‘the mere existence of compliance activities’ would not be treated as a mitigating factor when calculating fines for anti-competitive behaviour.Footnote 61 This represents the antithesis of a ‘tick-box’ approach. Indeed, an ineffective process that is simply aimed at ‘ticking off the boxes’ would be detrimental to the company’s case.
With a ‘tick-box’ (or, arguably for our purposes, a ‘safe harbour’) approach, it is accordingly the legislator (or regulator, acting pursuant to delegated powers) who decides which kind of conduct is excused from liability, with reference to a checked list of factors (which may or may not be circumscribed in the statute or outsourced to recognized verifiers). In contrast, with a duty to exercise a standard of care, especially where a statutory or civil remedy accompanies the duty, it would be for the court (or the regulator) to decide whether the relevant conduct meets the statutory duty of care, on the facts of the case, and the weighing of the evidence.Footnote 62 This enquiry would be based on the specific circumstances applicable to the averments before the court, including the risks, the knowledge that the company had or ought to have had,Footnote 63 and what would have been expected of the reasonable company under those circumstances.Footnote 64
In this situation, exercising due diligence may help companies to ‘show… that they took every reasonable step’ but would not ‘by itself… automatically and fully absolve them from liability’.Footnote 65 Given the context and facts-specific nature of the duty of care, the legislation should not be over-prescriptive in terms of detail. This is particularly important in light of the warning of the OHCHR against the risks of a duty that is ‘overly detailed and proscriptive’ as this may lead to ‘narrow, compliance-orientated, “check-box” processes’.Footnote 66 In this respect, a study which considered whether the criminal offence of failing to prevent bribery set out in the UK Bribery Act, referenced above, could be used as a model for a HRDD regulation found that:
[A] pure procedural “check box” or “safe harbour” provision that would shield a company completely from liability if any kind of human rights due diligence was performed, would not be aligned with the concept of due diligence contained in the UNGPs.Footnote 67
Instead, the study argued that a due diligence defence to a failure to prevent mechanism would ‘allow a company to avoid liability where it can show that it had in place a robust system of human rights due diligence’.Footnote 68 The expected level of due diligence would be based on the specific circumstances and determined by the court with reference to a number of relevant factors including the company’s size, sector, operations, risk, and the relevant industry standards.Footnote 69
Another important argument against a ‘safe harbour’ exemption which relies on external standards, such as involvement with an MSI, having made a public statement, or having obtained a third-party verification, is that this action in itself does not substitute or guarantee an adequate HRDD process. For example, an MSI Integrity report concludes, after having researched 40 international standard-setting MSIs over the past decade, that ‘MSIs have not lived up to their promise of advancing rights holder protection against business-related abuses’ and that ‘MSIs are unlikely to ever be reliable tools to protect human rights’.Footnote 70 As a result, it has been argued that participation in MSIs cannot in itself serve as a ‘blanket proof’ approach to human rights and environmental due diligence.Footnote 71
Accordingly, these external measures are not capable of being used as ‘safe harbour’ type substitutes for the individual, ongoing HRDD that is required of each company in terms of the UNGPs. Rather, in assessing the sufficiency of a company’s actions (and its potential legal liability) reference to a company’s adherence to an MSI standard, a third-party verification, its public statement or contractual clauses, would need to comprise important parts of a context-specific review of the particular circumstances.
‘Safe Harbour’ and the UNGPs
The EC study found that due diligence as a standard of care is the kind of exercise which courts make on a daily basis.Footnote 72 In particular, it was noted that the emphasis of the case law analysis will normally be on the adequacy of the due diligence exercise in the circumstances, rather than on the formalities of the due diligence process, and that, ‘the simple fact of having a so-called “due diligence” process in place does not automatically show that the standard of care was met’.Footnote 73
By using a context-specific, risk-based enquiry, the standard of care approach described above aligns with the concept of HRDD in the UNGPs, which survey respondents and interviewees in the EC study stressed should not be abandoned.Footnote 74 In this respect, the UN Office of the High Commissioner for Human Rights (OHCHR) Interpretive Guide to the corporate responsibility to respect human rights defines human rights due diligence as:Footnote 75
Such a measure of prudence, activity, or assiduity, as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent [person or enterprise] under the particular circumstances; not measured by any absolute standard, but depending on the relative facts of the special case. [Emphasis added].
This bears a notable similarity to the language used by Baron Alderson (a nineteenth century English judge) in defining the concept of negligence in Blyth v Birmingham Waterworks Company,Footnote 76 one of the foundational cases of English tort law:
Negligence is the omission to do something which a reasonable man, guided upon those considerations which ordinarily regulate the conduct of human affairs, would do, or doing something which a prudent and reasonable man would not do.
The judge found the defendant not liable, as the broken water pipe which flooded the claimant’s property had been caused by extraordinarily low temperatures which were not common ‘south of the polar regions’. Rather than holding the defendant liable to an absolute standard, the judge concluded that the freezing conditions represented a ‘state of circumstances… a contingency against which no reasonable man can provide’. This contextual approach remains a feature of negligence law, and reflects that adopted in the Interpretive Guide, referenced above.Footnote 77
Again noting the dangers of the ‘tick-box’ approach, the OHCHR Report on the relevance of HRDD to determinations of corporate liability notes that whilst a due diligence defence could ‘incentivize companies to meaningfully engage’ in human rights due diligence and ‘have important preventative effects’, it raises some serious concerns in ‘cases where superficial “check box” approaches to human rights due diligence might be used as a reference point instead of genuine attempts to identify, mitigate, and address human rights risks as contemplated in the UNGPs’.Footnote 78 The report highlighted in this respect the importance of ensuring the familiarity of the judges with the content of the UNGPs in relation to the human rights due diligence expectations in order to enable them to ‘distinguish genuine efforts by business enterprises to identify and address risks from superficial efforts, and make their decisions accordingly’.Footnote 79
Removal or Privatization of Remedy
Access to remedy forms the third pillar of the UNGPs. The UNGPs highlight that ‘[e]ffective judicial mechanisms are at the core of ensuring access to remedy’Footnote 80 and that non-judicial remedies play a role in ‘complementing and supplementing judicial mechanisms’.Footnote 81 The practical, legal and financial barriers to remedy for victims of corporate human rights abuses are well documented.Footnote 82 Stakeholders in the EC study emphasized the need for any mHREDD duty to manifest itself as a civil remedy for victims. Moreover, the impact of the ability to seek judicial remedies extends beyond the ‘small handful’ of claims that are instituted, to ‘test the boundaries of the legal duty’ and ‘[o]ver time… build up clarity and anticipation’.Footnote 83
The new EC Draft Directive introduces a statutory civil remedy for damages if companies fail to meet their relevant mHREDD duties. In many other non-EU jurisdictions, civil remedies in tort law are, at least in theory, available to claimants.
As mentioned above, ‘safe harbour’ exemptions can operate in a way that excludes a right to action where the statutory criteria have been met. (This is contrasted with the legal standard of care where the appropriateness and sufficiency of the company’s due diligence process is evaluated as part of the court enquiry.) For example, ‘safe harbour’ provisions of the kind envisaged in the above-mentioned German Draft Key Points would actually remove access to existing civil remedies. Rights-holders wishing to access remedy would have been in a worse position than they would have been, had they still been able to rely on the existing tort law framework.
In the Schrems I case, the relevant Directive provided for independent, state-based supervisory authorities with ‘a wide range of powers’ including ‘investigative powers’, ‘effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data’ as well as ‘the power to engage in legal proceedings’. In addition to these powerful state-based bodies, the Court found in referring to Article 47 of the EU Charter of Fundamental RightsFootnote 84 that:Footnote 85
In a situation where the national supervisory authority comes to a conclusion that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must… have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts.
The Court also held that in the ‘converse situation’ where the supervisory authority agrees that the claimants’ rights may have been harmed, ‘it is incumbent on the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts’.Footnote 86
It is clear from this dictum that even where a statute provides for a strong independent state-based complaints mechanism, claimants should still have access to judicial remedies before national courts.
IV. Conclusion
The concept of a ‘safe harbour’ has surfaced in several ongoing conversations around mHREDD regulations.
This article analysed situations in which the concept has been used to describe statutory conditions that, if met, limit or eliminate the ability to bring civil action against the company in court. In particular, three key examples of the use of the concept that are relevant in relation to the legislative developments on mHREDD were explored: the Barber case in relation to the California Supply Chain Transparency Act, the decision of the European Court of Justice in the Schrems I case, and the earlier German Draft Key Points which contained a safe harbour exemption.
In addition, the article outlined how a ‘safe harbour’ differs from a ‘due diligence defence’ that is coupled with a legal standard of care. It also considered the ‘tick-box’ approach as it relates to the ‘safe harbour’ approach.
Generally, a ‘safe harbour’ exemption could function to exclude access to court remedies, whereas the ‘due diligence defence’ refers to the defence that the company would have to mount in court by demonstrating that it has met a certain standard of care required by the law, on the specific facts of the case relating to the claimants. The court will assess the adequacy of the due diligence exercise on a case-by-case basis depending on the specific context, size, and risks of the company. In this way, the due diligence defence aligns with the concepts of HRDD set out in the UNGPs.
The concept of a ‘safe harbour’ in this context differs from, and in many ways contradicts, the concept of a ‘due diligence defence’ for having undertaken HRDD as a legal standard of care. Nevertheless, these concepts are frequently used interchangeably within the discourse about the legislative design and implementation of mHREDD laws. It is preferable that the terminology of ‘safe harbour’ should not be used as a synonym for a ‘due diligence defence’, as this can be misleading and counter-productive to efforts towards achieving clear, coherent and effective legislation.
Conflicts of interest
The authors declare none.