This evening, the EU heads of state and government are meeting in person. Council President Charles Michel had invited them to a special summit at short notice – extraordinary times call for extraordinary measures. The heads of state and government need to talk, and they want to send a signal of unity. The shock at Vladimir Putin’s actions and, perhaps even more so, at his rhetoric, runs deep.
Whether the special summit will only be a discussion or whether further sanctions will be introduced depends, according to reports, on Putin: If he escalates the conflict further, the EU and its allies will initiate the more far-reaching punitive measures. The first sanctions package was agreed upon by EU ambassadors on Wednesday: for the first time, two members of Putin’s inner circle of leaders, Defense Minister Sergei Shoigu and Anton Vaino, chairman of the presidential administration, are also affected.
There are many indications that an attack is imminent. Eighty percent of the troops massed around Ukraine are in attack positions, according to a US representative from the Department of Defense. In Ukraine itself, a state of emergency has been in effect throughout the country since midnight, and parliament confirmed the move proposed by President Volodymyr Selenskyj.
The Data Act, which the EU Commission officially proposed yesterday, is also geopolitical. Here, too, it’s about dependencies and disputes. And not least, the big question of who has access to our data. Here, Falk Steiner has done some digging for you.
It took a long time, but yesterday the EU Commission presented its draft for the long-awaited supply chain law. For industry, this clearly goes too far. However, the proposal also offers loopholes, as Charlotte Wirth shows.
After a delay of almost two years, the Commission presented its supply chain legislation yesterday. As Europe.Table reported, Commissioners Thierry Breton and Didier Reynders were ultimately able to agree on a compromise. SMEs are not directly covered by the directive, but the rules apply to the entire supply chain. Reynders spoke of an “ambitious and forward-looking” proposal that could also be implemented by the companies concerned.
The law applies to companies with 500 or more employees and annual net sales of €150 million. This affects around 13,000 companies in the EU. They must identify, minimize, and remedy any actual and potential adverse impacts on human rights and the environment. This applies not only to the company’s performance per se, but equally to subsidiaries and any partners with whom the company has a “lasting business relationship.” In other words, relationships that are intensive or long-lasting and where the partner does not merely play a minor role in the supply chain.
This is where the first loophole is hidden, fears Anna Cavazzini, a member of the Green Party. In the future, companies could change their suppliers more often in order to evade the rules. For the Commission, on the other hand, this differentiation is necessary: After all, there are large companies that work with hundreds of suppliers. The wording ensures that companies can meet their obligations in practice, according to an EU official.
High-risk industries are already covered by the directive from a lower threshold, although a more lenient due diligence requirement applies to them. Companies with 250 or more employees and sales of €40 million are affected, half of them from the high-risk business sector.
The definition of the risk sectors is narrow: The directive only covers textile and leather production, agriculture, forestry and fisheries, and the minerals and metals sector, including their extraction. By comparison, a legal opinion by the Supply Chain Initiative had listed 16 high-risk sectors, including the automotive industry, chemicals, ITC, mining, and armaments.
For the European Coalition for Corporate Justice (ECCJ), the directive falls short here. Sectors such as transport, shipping, logistics, and electronics are also problematic. In the high-risk sectors, in particular, it is also important that not only large companies are covered by the law. According to the Commission, the law was limited to these three sectors because OECD guidelines already exist for them, on which the companies concerned could base their decisions. However, the OECD has also issued such guidelines for the financial sector. Here, however, the Commission only envisages weakened rules.
Moreover, companies from high-risk industries are only covered by the directive after a two-year delay, and their due diligence obligations only apply to industry-related, severe impacts on human rights and/or the environment.
However, for German industry the proposal goes much too far. They had hoped for a directive based on the German Supply Chain Act. The BDI criticizes that the planned responsibility of companies for the entire value chain is unrealistic: The requirements would have to be “limited to direct suppliers in order to be implementable in daily practice,” said Wolfgang Niedermark, a member of the BDI’s executive board.
To enable fair competition, the EU Supply Chain Act also applies to companies from third countries. For these, a turnover of €150 million or €40 million, depending on the risk, also applies, which must be generated in the EU. According to the EU Commission, around 4,000 companies are affected.
How should corporations ensure that their subsidiaries, suppliers, and subcontractors respect their duty of care? “We have chosen a contract-based approach,” explains Breton. Companies are supposed to include appropriate clauses in their respective contracts with their partners. The Commission refers to this as “contract cascading ” – the clauses and associated obligations derive through the entire value chain, thus obligating the entire “ecosystem” to comply with environmental and human rights obligations. The Commission itself intends to provide models for such contracts. This will ensure that companies can comply with their obligations without too much effort, says Breton.
In addition, the companies must have third parties check whether the partners are really keeping to their commitments. To this end, they can make use of industry schemes and multi-stakeholder initiatives. Here, too, the Commission is guided by the Conflict Minerals Regulation.
However, this point caused criticism. Such coalitions allow companies to stagger their audits and thus save costs and reduce the administrative burden. However, membership in such a coalition does not mean that supply chains are clean. There are already problems here with conflict minerals (Europe.Table reported). However, the Commission text is clear on one point: the companies concerned must pay for the audits and cannot, therefore, pass on the costs downwards.
As far as the requirements for SMEs are concerned, Breton was able to get his way. These are not covered by the law, at least not directly. However, since the obligations for large corporations apply to the entire supply chain, SMEs are nevertheless indirectly affected. The Commission proposal does, however, provide for support measures for small and medium-sized enterprises and calls for corresponding contractual clauses to be fair, proportional, and appropriate.
Similar to the Conflict Minerals Regulation, companies must post their due diligence reports online annually. This is to ensure a certain level of transparency. However, the competent authorities are not required to make public the names of the companies and suppliers covered by the directive.
Thus, in order for civil society to verify how companies are doing with their obligations, it must first find out who is affected by the law. In contrast to conflict minerals, however, the authorities of the member states are obliged to publish the names of the companies against which they impose sanctions.
Companies are also required to establish a grievance procedure that is accessible not only to employees, but also to trade unions, employee representatives, and civil organizations. This is particularly important because workers who are exploited by subcontractors or suppliers, for example, otherwise have little access to grievance mechanisms. They first have to find out who is leading the value chain in the first place.
Civil society representatives and the EU Parliament will be particularly pleased that the Commission’s draft provides for civil liability and simplifies access to justice for victims of human rights violations or environmental damage. The liability also applies to damage caused outside the EU.
However, the Commission has laid down clear conditions. For example, companies are only liable for damage along supply chains if they have not fulfilled their duty of care. Those affected must prove that the companies have not fulfilled their obligations. NGOs such as the European Coalition for Corporate Justice (ECCJ) had called for a reversal of the burden of proof: “Previous court cases have shown that limited access to evidence, such as internal documents, makes it very difficult for victims to sufficiently support their claims in court.” If the law does not make it easier for victims to hold companies accountable, it will do little to change the current situation, ECCJ Director Claudia Saller said.
Industry representatives see things differently. Based on German law, they reject the idea that companies can be liable for damage along supply chains. “Companies can only be liable for their own activities within the supply chain,” says VDA President Hildegard Müller.
Member states are responsible for verifying due diligence. They can impose sanctions if companies do not comply with their obligations. The competent authorities are to investigate in particular in the event of reasonable doubt.
When it comes to penalties, however, the Commission repeats the mistakes of the Conflict Minerals Regulation. It is up to the member states to decide how high the penalties should be. These are only to be “effective, proportional and dissuasive.” Fines must be based on the turnover of the operation. This leaves a lot of room for interpretation for the member states. As a reminder, in the case of conflict minerals, fines range from €726 in Austria to €50,000 in Germany.
The standards of the International Labor Organization (ILO), for example, are to play a role in the inspection of suppliers. This could be difficult for companies in China, for example – because China has not ratified all ILO conventions and has not adopted any conventions on forced labor, freedom of association, and collective bargaining.
For a long time, it was not clear whether the personal liability of directors would find its way into the law. Now, however, a watered-down form of the original idea is in the text: Company bosses must draw up a plan for how the company will take into account the transition to a sustainable economy and the Paris climate goals in its corporate strategy. The remuneration of the directors is also to be linked to the implementation of this strategy.
However, the law remains very vague in this respect. It is unclear, for example, whether companies must include the entire value chain in the plans, criticizes Cornelia Heyenreich of Germanwatch. “We see the danger that with the regulation now proposed, companies could decide purely voluntarily whether they effectively enforce their emissions reduction targets internally.”
As Europe.Table had already reported, the law does not contain an article on the import ban on forced labor announced by President von der Leyen. This is now to be drafted by Trade Commissioner Valdis Dombrovskis.
Also, the two opinions of the Regulatory Scrutiny Committee have not been posted online by the Commission yesterday. However, it is clear from the legislative text that the two negative assessments have indeed led to a weakening of the directive: the panel’s feedback, for example, has led to the exclusion of SMEs. The strong restriction of personal liability for directors is also due to the RSB.
With Till Hoppe and Amelie Richter
After several months of delay, the Data Act, the third building block of European data legislation after the General Data Protection Regulation and the Data Governance Act, is now officially on its way. Only the e-privacy regulation has been stuck in the consultations for more than half a decade.
While the General Data Protection Regulation regulates the handling of personal data and data relating to individuals, the E-Privacy Regulation is intended to deal specifically with data in telecommunications processes, and the Data Governance Act provides the set of rules for intermediaries for the regulated exchange of data, the Data Act is now intended to set out the rules for access to data and obligations in dealing with it.
“We want to give consumers and businesses, even more, say over what can happen to their data by clarifying who has access to it and under what conditions,” said Commission Vice-President Margrethe Vestager. Modern products are often data producers: sensors are increasingly found in construction machinery, household appliances, medical devices, cars, as well as agricultural machinery, and large industrial production environments. “So far, only a small part of industrial data is used, and the potential for growth and innovation is enormous,” said Internal Market Commissioner Thierry Breton.
One of the core problems so far has been the lack of clarity: Who may access and use non-personal data and under what circumstances? What rights do manufacturers, users, and service providers have when, for example, combine harvesters automatically collect data on soil conditions, harvest quality, and the expected duration of the harvesting process? Modern cars are also full of data collection. Does the car manufacturer, the supplier of the sensor technology, or the owner of the car have the right to use the data? Or all three? And wouldn’t access to real driving data also be much more efficient for road construction or environmental agencies than previous monitoring procedures? Until now, these questions have largely had to be resolved between the parties involved.
The Data Act now provides answers: In principle, all products are to be manufactured in such a way that users can gain direct access to the data generated by them – and where this is not possible, providers are to provide alternative access to it.
Providers must fulfill certain conditions, such as security criteria. In addition, they must inform customers before the contract is concluded whether they intend to use data from the product themselves or pass it on to third parties. The transparency requirements also include information on whether the data is to be stored by the manufacturer itself or by a third party.
While in consumer contract law the power imbalance between supplier and consumer is traditionally balanced by law, relationships between companies have so far been largely subject to freedom of contract between the parties. But for data, the Data Act now provides for some massive interventions here. Article 13 provides safeguards for micro, small, and medium-sized enterprises when it comes to the conditions for data access.
David Bomhard from the law firm Noerr also expects “considerable effects” on previous data exchange business models. “The proposed Data Act now provides for extensive access rights to data and declares certain data access and use agreements to be illegal.”
Data law specialist Stefan Hessel of Reuschlaw also warns against mixing antitrust and civil law when it comes to prohibiting discrimination against companies in data access: In his opinion, there can be no such thing as “corporate consumer protection.
Hessel also sees a need for improvement in other areas. For example, the distinction between data holder, responsible party, and manufacturer is insufficiently regulated, and data holders are threatened with having to fulfill obligations that only manufacturers can meaningfully implement. “Since data processing flows are already very complex today, there is a risk of chaos when it comes to clarifying responsibilities and implementing them in practice,” Hessel said. “If the EU really wants to stick to the right of access also to non-personal data, it should take this complexity sufficiently into account.”
A geopolitical battle cry is placed in Chapter 7 of the Data Act. This is intended to oblige data processing providers to take all possible measures to prevent the transfer of or access to data by non-EU authorities. The Commission’s proposal for the Data Act provides for exceptions only under certain conditions, such as in the case of international agreements or if it is actually guaranteed that the legal interests of European data subjects are protected.
The provision would thus adapt the requirements in the direction of the GDPR regulations without using the same sharp mechanisms. The Data Act would thus also affect providers from the USA, whose Cloud Act has so far not provided sufficient legal certainty for EU data subjects. However, Chinese providers are likely to be even more affected: The People’s Republic enacted extensive regulations on data security only last year – with comprehensive rights for the country’s security authorities. EU Internal Market Commissioner Thierry Breton also sees the regulation as a protective measure for the local economy: “The data law ensures that industrial data is passed on, stored and processed in full compliance with European regulations.”
Data law specialist Stefan Hessel from Reuschlaw sees a need for improvement here. In view of the current discussions about the Privacy Shield successor and the upcoming decisions, he warns: “In this situation, additionally restricting the international transfer of non-personal data is a further threat to the free Internet.”
In particular, the obligations on data access are meeting with resistance in parts of the business community. Iris Plöger, a member of the BDI’s Executive Board, criticized “the fact that the EU is expanding the requirements for European business in the data law regulatory jungle. The lack of legal certainty inhibits companies from using and sharing data economically.”
“Europe should also focus on market-driven innovations and voluntary cooperation and platforms when it comes to data use. This would create incentives to share data,” says Hildegard Müller, President of the German Automotive Industry Association, criticizing the Commission’s proposal and fearing high expenses for little relevant data. “The comprehensive obligations to provide data not only do not help consumers, but also jeopardize the confidentiality of trade secrets.”
“In order to fully leverage the value creation potential of industrial and machine data, it must be possible for data to flow to both the user and the component developer,” demands ZVEI Chairman Wolfgang Weber. Depending on how it is structured, he also sees opportunities in the Data Act, for example for better access to data for research purposes. However, costs incurred for the provision of data must also be compensated.
While she welcomes the proposal’s goals, she has concerns about specific regulations, said Christel Delberghe, president of trade association Eurocommerce: “With our complex supply chains, we’re already sharing enormous amounts of data based on contracts – to the benefit of all parties.”
Monique Goyens, chair of the consumer umbrella group BEUC, on the other hand, welcomes the proposal: “The Data Act is an important piece of the puzzle to ensure that cross-industry access to data is made possible under fair conditions while giving users full rights to decide what happens to the data they generate.”
The Berlin-based provider Here Technologies fears possible legal uncertainty arising from the Data Act, as Michael Bültmann, Managing Director for Germany, emphasizes: “If there is uncertainty among companies about the conditions for the further use of their data, especially about how data is passed on, this will prove counterproductive.” In addition, the Data Act must clearly distinguish between data from individual sources and aggregated data sets.
At present, it is still unclear who in the European Parliament will be responsible for the Data Act as rapporteur. It is certain that the ITRE Industry Committee and the IMCO Internal Market Committee will be responsible – consultation with the Justice and Home Affairs Committees is considered likely.
For Tiemo Wölken (SPD/S&D), the Data Act is a “unique opportunity to place the European data economy on a completely new foundation.” He said it was a matter of clearly distinguishing Europe from the US and China: “Neither private-sector data monopolists nor state surveillance systems belong in Europe.” Angelika Niebler (CSU/EPP) also sees great opportunities, but at the same time wants to “ensure, among other things, that there are no complicated clauses like those in data protection declarations through which users can’t easily see.”
Parliamentary State Secretary Franziska Brantner welcomed the Data Act on behalf of the Federal Ministry of Economics and Technology in Berlin. She said it was a matter of setting the right course and creating incentives “so that SMEs and startups, in particular, can realize the opportunities and innovations inherent in data. The Federal Ministry of Economics will play a leading and decisive role in this.”
As the process continues, business representatives will also have to put up with some unpleasant questions, some of which they are now vehemently opposing. For example, why has there been hardly any relevant use of data in Europe so far if the conditions have been so positive so far? Adoption before the end of 2022, as originally desired by the EU Commission, is unlikely to be realistic in the current scope and after the previous delays.
Slaves produce clothes we wear, pick fruit we eat, dig for minerals used in our phones and build some of the physical infrastructure on which our economies rely. They are working all over the world: in developing and developed countries, on all continents, and in most sectors.
Catastrophic incidents such as the 2013 collapse of the Rana Plaza garment factory in Dhaka occasionally shine a flashlight onto the plight of modern slaves. But it wasn’t until reports emerged of mass Uighur labor camps in Xinjiang that many companies started to wonder about the provenance of their supplies. National legislators sprang into action: the French Loi de Vigilance (2017), Dutch Child Labour Due Diligence Act (2019) and the German Lieferkettengesetz (2021) all oblige companies to take a closer look at their supply chains.
None of them, however, covers all sectors throughout the entire supply chain, and each uses its own definitions, remedies, and enforcement mechanisms. Businesses operating at the international level are left confused, while investors and NGOs plead for a harmonized approach at least within the European Union. The EU has so far shied away from direct intervention, divided over the extent to which laws and import bans should be used. This is about to change. Commission President Ursula von der Leyen has announced a ban on products made by forced labor alongside far-reaching obligations on companies in all sectors to clean up their supply chains.
The new rules mark a fundamental shift in the way businesses will be held accountable for breaches of human rights that may be happening at the other end of the globe, unbeknown to them. And this concerns, just like data protection, not just EU firms but all companies globally doing business in the world’s largest single market.
This shift is driven to no small part by the European Parliament. In 2018, the cross-party Working Group on Responsible Business Conduct set out to introduce, at the EU level, rules that had existed only as aspirational UN Guiding Principles on Business and Human Rights and OECD Guidelines for Multinational Enterprises.
For the short time that I, as the last UK delegate in this Working Group, was privileged to work on this proposal, we consulted widely with industry representatives, investors, regulators, and NGOs. Two things became apparent: 1) voluntary guidelines are not sufficient to entice businesses to take responsibility for their supply chains and 2) the current potpourri of national rules brings about more confusion than benefits. What is needed is harmonization and legal certainty.
The Parliament recommended mandatory supply chain due diligence for companies operating in EU markets, along the entire value chain, irrespective of sector. Supply chain due diligence will include compliance with agreed social as well as environmental standards and tackle forced labor and other forms of modern slavery, human trafficking, child labor, and minimum standards of labor law. After many delays, the Directive on Corporate Sustainability Due Diligence was published by the EU Commission yesterday and will enter into force in EU member states around 2024. The significance of this legislation cannot be overstated.
First, its reach is extremely wide. It catches companies with more than 500 employees (and some SMEs) wanting to do business in the EU single market, no matter where they are incorporated. Second, it is onerous. Proper due diligence goes beyond monitoring and reporting: companies will need to identify, prevent, mitigate and account for the risks of human rights violations across all their operations and along their entire value chains. Third, consequences for non-compliance are severe. They include not only administrative fines but also damages claims unless companies can prove they have taken adequate measures.
Companies have reacted with some trepidation. They fear being caught in the cracks between tectonic plates of geopolitics. This is especially true for companies that depend on sales in markets from which they may have to withdraw their supplies. They risk the wrath of customers on both sides of the divide – as has already happened to Western fashion retailers in China.
Some have questioned the effectiveness of such laws. Will private companies really be able to force tangible change? Even if they divert supply chains, will it make a difference in countries where forced labor is state-sponsored? The answers to these questions remain outstanding. What seems clear is that as long as they profit from cheap inputs, private actors have a role to play in fighting bad practices in supply chains. This does not absolve governments from their responsibility – both in their own countries and vis-à-vis others – but ensures that accountability is spread between economic actors.
The success of the new regime crucially depends on how, and how quickly, companies react. Those who act now and see this as an opportunity, rather than a threat, can reap first-mover benefits. There is still time to shape legislation, advocate for practicable guidelines, proportionality, and clear definitions. Lawmakers need to ensure that these costs are proportionate and do not penalize those who make a good faith effort and track down problems in the supply chain.
Early movers will be able to anticipate and pre-empt the rules. It may cost more now. But positioning a brand as human rights champion is a long-term investment, just as the investment in climate change mitigation. Companies with a track record in social and environmental engagement see considerable upsides and a competitive advantage. In a recent letter to the European Commission1, 80+ firms joined NGOs and investor organizations in calling for timely implementation of the rules.
In the age of consumer and shareholder activism, European companies can no longer hide behind complex global operations. Mitigating risks means putting in place structures and processes which will ensure transparency and the ability to intervene at short notice. Contingency plans will have to be in place in case supply chains need to be re-routed. Boards will have to embrace these changes and be prepared to enforce them.
Companies just adapting to the requirements of the Lieferkettengesetz will have to extend their vigilance beyond direct suppliers. Many will have to make difficult choices between equally lucrative markets. The sooner companies embrace the new rules, the better they will be placed by the time they come into force.
Mandatory supply chain due diligence is overdue. Implemented properly, with the right incentives for businesses and investors, it could well be one of the most consequential tools the EU has ever devised. It is to be hoped that ultimately people at the bottom of supply chains will benefit from better working conditions. On the way to eradicating slavery and forced labor, this is an important step.
This evening, the EU heads of state and government are meeting in person. Council President Charles Michel had invited them to a special summit at short notice – extraordinary times call for extraordinary measures. The heads of state and government need to talk, and they want to send a signal of unity. The shock at Vladimir Putin’s actions and, perhaps even more so, at his rhetoric, runs deep.
Whether the special summit will only be a discussion or whether further sanctions will be introduced depends, according to reports, on Putin: If he escalates the conflict further, the EU and its allies will initiate the more far-reaching punitive measures. The first sanctions package was agreed upon by EU ambassadors on Wednesday: for the first time, two members of Putin’s inner circle of leaders, Defense Minister Sergei Shoigu and Anton Vaino, chairman of the presidential administration, are also affected.
There are many indications that an attack is imminent. Eighty percent of the troops massed around Ukraine are in attack positions, according to a US representative from the Department of Defense. In Ukraine itself, a state of emergency has been in effect throughout the country since midnight, and parliament confirmed the move proposed by President Volodymyr Selenskyj.
The Data Act, which the EU Commission officially proposed yesterday, is also geopolitical. Here, too, it’s about dependencies and disputes. And not least, the big question of who has access to our data. Here, Falk Steiner has done some digging for you.
It took a long time, but yesterday the EU Commission presented its draft for the long-awaited supply chain law. For industry, this clearly goes too far. However, the proposal also offers loopholes, as Charlotte Wirth shows.
After a delay of almost two years, the Commission presented its supply chain legislation yesterday. As Europe.Table reported, Commissioners Thierry Breton and Didier Reynders were ultimately able to agree on a compromise. SMEs are not directly covered by the directive, but the rules apply to the entire supply chain. Reynders spoke of an “ambitious and forward-looking” proposal that could also be implemented by the companies concerned.
The law applies to companies with 500 or more employees and annual net sales of €150 million. This affects around 13,000 companies in the EU. They must identify, minimize, and remedy any actual and potential adverse impacts on human rights and the environment. This applies not only to the company’s performance per se, but equally to subsidiaries and any partners with whom the company has a “lasting business relationship.” In other words, relationships that are intensive or long-lasting and where the partner does not merely play a minor role in the supply chain.
This is where the first loophole is hidden, fears Anna Cavazzini, a member of the Green Party. In the future, companies could change their suppliers more often in order to evade the rules. For the Commission, on the other hand, this differentiation is necessary: After all, there are large companies that work with hundreds of suppliers. The wording ensures that companies can meet their obligations in practice, according to an EU official.
High-risk industries are already covered by the directive from a lower threshold, although a more lenient due diligence requirement applies to them. Companies with 250 or more employees and sales of €40 million are affected, half of them from the high-risk business sector.
The definition of the risk sectors is narrow: The directive only covers textile and leather production, agriculture, forestry and fisheries, and the minerals and metals sector, including their extraction. By comparison, a legal opinion by the Supply Chain Initiative had listed 16 high-risk sectors, including the automotive industry, chemicals, ITC, mining, and armaments.
For the European Coalition for Corporate Justice (ECCJ), the directive falls short here. Sectors such as transport, shipping, logistics, and electronics are also problematic. In the high-risk sectors, in particular, it is also important that not only large companies are covered by the law. According to the Commission, the law was limited to these three sectors because OECD guidelines already exist for them, on which the companies concerned could base their decisions. However, the OECD has also issued such guidelines for the financial sector. Here, however, the Commission only envisages weakened rules.
Moreover, companies from high-risk industries are only covered by the directive after a two-year delay, and their due diligence obligations only apply to industry-related, severe impacts on human rights and/or the environment.
However, for German industry the proposal goes much too far. They had hoped for a directive based on the German Supply Chain Act. The BDI criticizes that the planned responsibility of companies for the entire value chain is unrealistic: The requirements would have to be “limited to direct suppliers in order to be implementable in daily practice,” said Wolfgang Niedermark, a member of the BDI’s executive board.
To enable fair competition, the EU Supply Chain Act also applies to companies from third countries. For these, a turnover of €150 million or €40 million, depending on the risk, also applies, which must be generated in the EU. According to the EU Commission, around 4,000 companies are affected.
How should corporations ensure that their subsidiaries, suppliers, and subcontractors respect their duty of care? “We have chosen a contract-based approach,” explains Breton. Companies are supposed to include appropriate clauses in their respective contracts with their partners. The Commission refers to this as “contract cascading ” – the clauses and associated obligations derive through the entire value chain, thus obligating the entire “ecosystem” to comply with environmental and human rights obligations. The Commission itself intends to provide models for such contracts. This will ensure that companies can comply with their obligations without too much effort, says Breton.
In addition, the companies must have third parties check whether the partners are really keeping to their commitments. To this end, they can make use of industry schemes and multi-stakeholder initiatives. Here, too, the Commission is guided by the Conflict Minerals Regulation.
However, this point caused criticism. Such coalitions allow companies to stagger their audits and thus save costs and reduce the administrative burden. However, membership in such a coalition does not mean that supply chains are clean. There are already problems here with conflict minerals (Europe.Table reported). However, the Commission text is clear on one point: the companies concerned must pay for the audits and cannot, therefore, pass on the costs downwards.
As far as the requirements for SMEs are concerned, Breton was able to get his way. These are not covered by the law, at least not directly. However, since the obligations for large corporations apply to the entire supply chain, SMEs are nevertheless indirectly affected. The Commission proposal does, however, provide for support measures for small and medium-sized enterprises and calls for corresponding contractual clauses to be fair, proportional, and appropriate.
Similar to the Conflict Minerals Regulation, companies must post their due diligence reports online annually. This is to ensure a certain level of transparency. However, the competent authorities are not required to make public the names of the companies and suppliers covered by the directive.
Thus, in order for civil society to verify how companies are doing with their obligations, it must first find out who is affected by the law. In contrast to conflict minerals, however, the authorities of the member states are obliged to publish the names of the companies against which they impose sanctions.
Companies are also required to establish a grievance procedure that is accessible not only to employees, but also to trade unions, employee representatives, and civil organizations. This is particularly important because workers who are exploited by subcontractors or suppliers, for example, otherwise have little access to grievance mechanisms. They first have to find out who is leading the value chain in the first place.
Civil society representatives and the EU Parliament will be particularly pleased that the Commission’s draft provides for civil liability and simplifies access to justice for victims of human rights violations or environmental damage. The liability also applies to damage caused outside the EU.
However, the Commission has laid down clear conditions. For example, companies are only liable for damage along supply chains if they have not fulfilled their duty of care. Those affected must prove that the companies have not fulfilled their obligations. NGOs such as the European Coalition for Corporate Justice (ECCJ) had called for a reversal of the burden of proof: “Previous court cases have shown that limited access to evidence, such as internal documents, makes it very difficult for victims to sufficiently support their claims in court.” If the law does not make it easier for victims to hold companies accountable, it will do little to change the current situation, ECCJ Director Claudia Saller said.
Industry representatives see things differently. Based on German law, they reject the idea that companies can be liable for damage along supply chains. “Companies can only be liable for their own activities within the supply chain,” says VDA President Hildegard Müller.
Member states are responsible for verifying due diligence. They can impose sanctions if companies do not comply with their obligations. The competent authorities are to investigate in particular in the event of reasonable doubt.
When it comes to penalties, however, the Commission repeats the mistakes of the Conflict Minerals Regulation. It is up to the member states to decide how high the penalties should be. These are only to be “effective, proportional and dissuasive.” Fines must be based on the turnover of the operation. This leaves a lot of room for interpretation for the member states. As a reminder, in the case of conflict minerals, fines range from €726 in Austria to €50,000 in Germany.
The standards of the International Labor Organization (ILO), for example, are to play a role in the inspection of suppliers. This could be difficult for companies in China, for example – because China has not ratified all ILO conventions and has not adopted any conventions on forced labor, freedom of association, and collective bargaining.
For a long time, it was not clear whether the personal liability of directors would find its way into the law. Now, however, a watered-down form of the original idea is in the text: Company bosses must draw up a plan for how the company will take into account the transition to a sustainable economy and the Paris climate goals in its corporate strategy. The remuneration of the directors is also to be linked to the implementation of this strategy.
However, the law remains very vague in this respect. It is unclear, for example, whether companies must include the entire value chain in the plans, criticizes Cornelia Heyenreich of Germanwatch. “We see the danger that with the regulation now proposed, companies could decide purely voluntarily whether they effectively enforce their emissions reduction targets internally.”
As Europe.Table had already reported, the law does not contain an article on the import ban on forced labor announced by President von der Leyen. This is now to be drafted by Trade Commissioner Valdis Dombrovskis.
Also, the two opinions of the Regulatory Scrutiny Committee have not been posted online by the Commission yesterday. However, it is clear from the legislative text that the two negative assessments have indeed led to a weakening of the directive: the panel’s feedback, for example, has led to the exclusion of SMEs. The strong restriction of personal liability for directors is also due to the RSB.
With Till Hoppe and Amelie Richter
After several months of delay, the Data Act, the third building block of European data legislation after the General Data Protection Regulation and the Data Governance Act, is now officially on its way. Only the e-privacy regulation has been stuck in the consultations for more than half a decade.
While the General Data Protection Regulation regulates the handling of personal data and data relating to individuals, the E-Privacy Regulation is intended to deal specifically with data in telecommunications processes, and the Data Governance Act provides the set of rules for intermediaries for the regulated exchange of data, the Data Act is now intended to set out the rules for access to data and obligations in dealing with it.
“We want to give consumers and businesses, even more, say over what can happen to their data by clarifying who has access to it and under what conditions,” said Commission Vice-President Margrethe Vestager. Modern products are often data producers: sensors are increasingly found in construction machinery, household appliances, medical devices, cars, as well as agricultural machinery, and large industrial production environments. “So far, only a small part of industrial data is used, and the potential for growth and innovation is enormous,” said Internal Market Commissioner Thierry Breton.
One of the core problems so far has been the lack of clarity: Who may access and use non-personal data and under what circumstances? What rights do manufacturers, users, and service providers have when, for example, combine harvesters automatically collect data on soil conditions, harvest quality, and the expected duration of the harvesting process? Modern cars are also full of data collection. Does the car manufacturer, the supplier of the sensor technology, or the owner of the car have the right to use the data? Or all three? And wouldn’t access to real driving data also be much more efficient for road construction or environmental agencies than previous monitoring procedures? Until now, these questions have largely had to be resolved between the parties involved.
The Data Act now provides answers: In principle, all products are to be manufactured in such a way that users can gain direct access to the data generated by them – and where this is not possible, providers are to provide alternative access to it.
Providers must fulfill certain conditions, such as security criteria. In addition, they must inform customers before the contract is concluded whether they intend to use data from the product themselves or pass it on to third parties. The transparency requirements also include information on whether the data is to be stored by the manufacturer itself or by a third party.
While in consumer contract law the power imbalance between supplier and consumer is traditionally balanced by law, relationships between companies have so far been largely subject to freedom of contract between the parties. But for data, the Data Act now provides for some massive interventions here. Article 13 provides safeguards for micro, small, and medium-sized enterprises when it comes to the conditions for data access.
David Bomhard from the law firm Noerr also expects “considerable effects” on previous data exchange business models. “The proposed Data Act now provides for extensive access rights to data and declares certain data access and use agreements to be illegal.”
Data law specialist Stefan Hessel of Reuschlaw also warns against mixing antitrust and civil law when it comes to prohibiting discrimination against companies in data access: In his opinion, there can be no such thing as “corporate consumer protection.
Hessel also sees a need for improvement in other areas. For example, the distinction between data holder, responsible party, and manufacturer is insufficiently regulated, and data holders are threatened with having to fulfill obligations that only manufacturers can meaningfully implement. “Since data processing flows are already very complex today, there is a risk of chaos when it comes to clarifying responsibilities and implementing them in practice,” Hessel said. “If the EU really wants to stick to the right of access also to non-personal data, it should take this complexity sufficiently into account.”
A geopolitical battle cry is placed in Chapter 7 of the Data Act. This is intended to oblige data processing providers to take all possible measures to prevent the transfer of or access to data by non-EU authorities. The Commission’s proposal for the Data Act provides for exceptions only under certain conditions, such as in the case of international agreements or if it is actually guaranteed that the legal interests of European data subjects are protected.
The provision would thus adapt the requirements in the direction of the GDPR regulations without using the same sharp mechanisms. The Data Act would thus also affect providers from the USA, whose Cloud Act has so far not provided sufficient legal certainty for EU data subjects. However, Chinese providers are likely to be even more affected: The People’s Republic enacted extensive regulations on data security only last year – with comprehensive rights for the country’s security authorities. EU Internal Market Commissioner Thierry Breton also sees the regulation as a protective measure for the local economy: “The data law ensures that industrial data is passed on, stored and processed in full compliance with European regulations.”
Data law specialist Stefan Hessel from Reuschlaw sees a need for improvement here. In view of the current discussions about the Privacy Shield successor and the upcoming decisions, he warns: “In this situation, additionally restricting the international transfer of non-personal data is a further threat to the free Internet.”
In particular, the obligations on data access are meeting with resistance in parts of the business community. Iris Plöger, a member of the BDI’s Executive Board, criticized “the fact that the EU is expanding the requirements for European business in the data law regulatory jungle. The lack of legal certainty inhibits companies from using and sharing data economically.”
“Europe should also focus on market-driven innovations and voluntary cooperation and platforms when it comes to data use. This would create incentives to share data,” says Hildegard Müller, President of the German Automotive Industry Association, criticizing the Commission’s proposal and fearing high expenses for little relevant data. “The comprehensive obligations to provide data not only do not help consumers, but also jeopardize the confidentiality of trade secrets.”
“In order to fully leverage the value creation potential of industrial and machine data, it must be possible for data to flow to both the user and the component developer,” demands ZVEI Chairman Wolfgang Weber. Depending on how it is structured, he also sees opportunities in the Data Act, for example for better access to data for research purposes. However, costs incurred for the provision of data must also be compensated.
While she welcomes the proposal’s goals, she has concerns about specific regulations, said Christel Delberghe, president of trade association Eurocommerce: “With our complex supply chains, we’re already sharing enormous amounts of data based on contracts – to the benefit of all parties.”
Monique Goyens, chair of the consumer umbrella group BEUC, on the other hand, welcomes the proposal: “The Data Act is an important piece of the puzzle to ensure that cross-industry access to data is made possible under fair conditions while giving users full rights to decide what happens to the data they generate.”
The Berlin-based provider Here Technologies fears possible legal uncertainty arising from the Data Act, as Michael Bültmann, Managing Director for Germany, emphasizes: “If there is uncertainty among companies about the conditions for the further use of their data, especially about how data is passed on, this will prove counterproductive.” In addition, the Data Act must clearly distinguish between data from individual sources and aggregated data sets.
At present, it is still unclear who in the European Parliament will be responsible for the Data Act as rapporteur. It is certain that the ITRE Industry Committee and the IMCO Internal Market Committee will be responsible – consultation with the Justice and Home Affairs Committees is considered likely.
For Tiemo Wölken (SPD/S&D), the Data Act is a “unique opportunity to place the European data economy on a completely new foundation.” He said it was a matter of clearly distinguishing Europe from the US and China: “Neither private-sector data monopolists nor state surveillance systems belong in Europe.” Angelika Niebler (CSU/EPP) also sees great opportunities, but at the same time wants to “ensure, among other things, that there are no complicated clauses like those in data protection declarations through which users can’t easily see.”
Parliamentary State Secretary Franziska Brantner welcomed the Data Act on behalf of the Federal Ministry of Economics and Technology in Berlin. She said it was a matter of setting the right course and creating incentives “so that SMEs and startups, in particular, can realize the opportunities and innovations inherent in data. The Federal Ministry of Economics will play a leading and decisive role in this.”
As the process continues, business representatives will also have to put up with some unpleasant questions, some of which they are now vehemently opposing. For example, why has there been hardly any relevant use of data in Europe so far if the conditions have been so positive so far? Adoption before the end of 2022, as originally desired by the EU Commission, is unlikely to be realistic in the current scope and after the previous delays.
Slaves produce clothes we wear, pick fruit we eat, dig for minerals used in our phones and build some of the physical infrastructure on which our economies rely. They are working all over the world: in developing and developed countries, on all continents, and in most sectors.
Catastrophic incidents such as the 2013 collapse of the Rana Plaza garment factory in Dhaka occasionally shine a flashlight onto the plight of modern slaves. But it wasn’t until reports emerged of mass Uighur labor camps in Xinjiang that many companies started to wonder about the provenance of their supplies. National legislators sprang into action: the French Loi de Vigilance (2017), Dutch Child Labour Due Diligence Act (2019) and the German Lieferkettengesetz (2021) all oblige companies to take a closer look at their supply chains.
None of them, however, covers all sectors throughout the entire supply chain, and each uses its own definitions, remedies, and enforcement mechanisms. Businesses operating at the international level are left confused, while investors and NGOs plead for a harmonized approach at least within the European Union. The EU has so far shied away from direct intervention, divided over the extent to which laws and import bans should be used. This is about to change. Commission President Ursula von der Leyen has announced a ban on products made by forced labor alongside far-reaching obligations on companies in all sectors to clean up their supply chains.
The new rules mark a fundamental shift in the way businesses will be held accountable for breaches of human rights that may be happening at the other end of the globe, unbeknown to them. And this concerns, just like data protection, not just EU firms but all companies globally doing business in the world’s largest single market.
This shift is driven to no small part by the European Parliament. In 2018, the cross-party Working Group on Responsible Business Conduct set out to introduce, at the EU level, rules that had existed only as aspirational UN Guiding Principles on Business and Human Rights and OECD Guidelines for Multinational Enterprises.
For the short time that I, as the last UK delegate in this Working Group, was privileged to work on this proposal, we consulted widely with industry representatives, investors, regulators, and NGOs. Two things became apparent: 1) voluntary guidelines are not sufficient to entice businesses to take responsibility for their supply chains and 2) the current potpourri of national rules brings about more confusion than benefits. What is needed is harmonization and legal certainty.
The Parliament recommended mandatory supply chain due diligence for companies operating in EU markets, along the entire value chain, irrespective of sector. Supply chain due diligence will include compliance with agreed social as well as environmental standards and tackle forced labor and other forms of modern slavery, human trafficking, child labor, and minimum standards of labor law. After many delays, the Directive on Corporate Sustainability Due Diligence was published by the EU Commission yesterday and will enter into force in EU member states around 2024. The significance of this legislation cannot be overstated.
First, its reach is extremely wide. It catches companies with more than 500 employees (and some SMEs) wanting to do business in the EU single market, no matter where they are incorporated. Second, it is onerous. Proper due diligence goes beyond monitoring and reporting: companies will need to identify, prevent, mitigate and account for the risks of human rights violations across all their operations and along their entire value chains. Third, consequences for non-compliance are severe. They include not only administrative fines but also damages claims unless companies can prove they have taken adequate measures.
Companies have reacted with some trepidation. They fear being caught in the cracks between tectonic plates of geopolitics. This is especially true for companies that depend on sales in markets from which they may have to withdraw their supplies. They risk the wrath of customers on both sides of the divide – as has already happened to Western fashion retailers in China.
Some have questioned the effectiveness of such laws. Will private companies really be able to force tangible change? Even if they divert supply chains, will it make a difference in countries where forced labor is state-sponsored? The answers to these questions remain outstanding. What seems clear is that as long as they profit from cheap inputs, private actors have a role to play in fighting bad practices in supply chains. This does not absolve governments from their responsibility – both in their own countries and vis-à-vis others – but ensures that accountability is spread between economic actors.
The success of the new regime crucially depends on how, and how quickly, companies react. Those who act now and see this as an opportunity, rather than a threat, can reap first-mover benefits. There is still time to shape legislation, advocate for practicable guidelines, proportionality, and clear definitions. Lawmakers need to ensure that these costs are proportionate and do not penalize those who make a good faith effort and track down problems in the supply chain.
Early movers will be able to anticipate and pre-empt the rules. It may cost more now. But positioning a brand as human rights champion is a long-term investment, just as the investment in climate change mitigation. Companies with a track record in social and environmental engagement see considerable upsides and a competitive advantage. In a recent letter to the European Commission1, 80+ firms joined NGOs and investor organizations in calling for timely implementation of the rules.
In the age of consumer and shareholder activism, European companies can no longer hide behind complex global operations. Mitigating risks means putting in place structures and processes which will ensure transparency and the ability to intervene at short notice. Contingency plans will have to be in place in case supply chains need to be re-routed. Boards will have to embrace these changes and be prepared to enforce them.
Companies just adapting to the requirements of the Lieferkettengesetz will have to extend their vigilance beyond direct suppliers. Many will have to make difficult choices between equally lucrative markets. The sooner companies embrace the new rules, the better they will be placed by the time they come into force.
Mandatory supply chain due diligence is overdue. Implemented properly, with the right incentives for businesses and investors, it could well be one of the most consequential tools the EU has ever devised. It is to be hoped that ultimately people at the bottom of supply chains will benefit from better working conditions. On the way to eradicating slavery and forced labor, this is an important step.
