Recent stories about the usage of military drones on civilian populations in the ongoing Nagorno-Karabakh conflict are a reminder of corporate human rights responsibilities associated with responsible product usage, and the sharp disparities between the attention that companies pay to supply chain due diligence versus customer and end-user due diligence. Since the U.K. adopted its Modern Slavery Act in 2015, there has been a sustained “upstream” human rights focus centered on human rights risks in supply chains. Far less attention has been paid to the “downstream” human rights implications of company-created goods, although these also are included in the UN Guiding Principles on Business and Human Rights (“UNGPs”). This lack of attention, however, may change following the EU’s highly anticipated Corporate Due Diligence and Corporate Accountability directive, and companies should be prepared to institute steps to mitigate risks that their products are being used in connection with negative human rights impacts.
Drones in the Nagorno-Karabakh Conflict
A few months ago, renewed violence erupted in Nagorna-Karabakh, a region in the South Caucasus that has been the subject of long-running territorial disputes between Armenia and Azerbaijan. Recent articles in the online investigative journalist outlet Hetq have noted the use of “kamikaze drones,” remote airborne devices that carry weapons, by combatants in the conflict to attack civilian targets in violation of international humanitarian law. The articles have noted that the manufacturing chain for these drones has touchpoints around the world; components include cameras from a Canadian company that is a subsidiary of a U.S. technology company, an electric motor produced in Switzerland by the subsidiary of a German conglomerate, and a potentiometer produced in France. These parts are not specifically created for weaponry—they are used for a wide variety of purposes—and export control laws do not apply to them. The Swiss motor, for instance, is a gearbox used in medical equipment, ventilation systems, laboratory devices, automated systems, robotics, optics, and aerospace equipment. However, it is also critical to the drone—it operates the folding mechanism of its wings. As Hetq reports, “without the Swiss-made motor that operates the wings, the drone cannot fly. It cannot execute its killing capability.” While Hetq reports that the manufacturer is aware of the use of its gearbox in the kamikaze drones, the stories did not identify any steps the company had taken to mitigate the risks that its products might be used to violate human rights.
The reported connection of mechanical component manufacturers to the kamikaze drones in Nagorno-Karabakh is just one example of the issue of product misuse, in which a company’s goods or services may be used to violate human rights. While the Swiss motor manufacturer reportedly was aware that its motors were being used in weaponry, responsible product usage risks span a wide spectrum. For example, a chemical fertilizer, overwhelmingly used for farming purposes, might be misused as an ingredient for an explosive. Pharmaceutical drugs, such as opioids, may pose addiction and overdose risks if misused or misprescribed. Information technologies, including AI, facial recognition and surveillance products, can have a myriad of legitimate uses while also being used to violate human rights in a wide variety of ways. The Australian Strategic Policy Institute, a think tank, has published reports stating that medical technology companies are contributing to a large-scale genomic surveillance project in China. Other examples and case studies of product misuse have been compiled by the UN Global Compact, as part of its Human Rights and Business Dilemmas Forum, and reference telecom and encryption technologies, ultrasound equipment, medicines, and alcohol consumption, among others.
While attention has focused largely on supply chain issues, the UNGPs specifically contemplate that human rights responsibilities extend equally to downstream use of products by consumers and end users. UNGP 13(b), a foundational principle, states that businesses must “[s]eek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts.” The notion of human rights responsibilities extending to company products is also referenced in UNGP 16, regarding a company’s policy commitment, UNGP 17, regarding human rights due diligence, and UNGP 19, regarding integrating findings from impact assessments. Further, the commentary to UNGP 17 specifically references company “clients” in the context of prioritizing human rights diligence, and the UN’s Frequently Asked Questions about the Guiding Principles on Business and Human Rights (FAQs) also discuss clients in the context of contractual obligations incorporating a responsibility to respect human rights. In fact, the FAQs define “Value Chain” to include “entities with which it has a direct or indirect business relationship and which … receive products or services from the enterprise.” The FAQs similarly define “affected stakeholder” as an individual affected by a company’s products or services. The UN’s Corporate Responsibility to Respect Human Rights: An Interpretive Guide contains the same provisions. Corporate human rights responsibilities extend downstream, as well as upstream.
The Focus on Supply Chains
Despite the breadth of the UNGPs, national and subnational statutory interventions over the last 20 years have focused far more on supply chains and the production of goods with forced, child, or trafficked labor than on downstream impacts. Those interventions began in earnest 10 years ago with the adoption of California’s Transparency in Supply Chains Act, requiring certain companies doing business in California to publicly disclose key information about steps they are taking to combat modern slavery in their operations and supply chains. The U.K. picked up the concept, adopting its own version of the law, Australia followed with its own Modern Slavery Act, and Canada now has introduced its own legislation that may pass this year. In the United States, there is also a serious supply chain focus, as Customs and Border Protection is actively enforcing Section 307 of the Tariff Act of 1930, seizing goods at its borders where there is a suspicion that overseas suppliers produced them with forced labor. Even mandatory human rights due diligence laws, requiring affirmative human rights inquiries and compliance steps, have a supply chain bent. France’s Duty of Vigilance Law applies to company operations and companies under its control, as well as suppliers and contractors with whom they have established commercial relationships. The Dutch child labor law takes a comparable approach, focusing on whether goods or services have been produced using child labor. A U.S. Federal Acquisition Rule, mandating steps that companies must take to protect against trafficking associated with certain federal contracts, likewise has a supply chain lens.
As these laws and regulations encompass only company operations and supply chains, companies often do not take steps associated with product usage, which are not similarly mandated. The EU’s proposed legal directive on corporate due diligence and accountability may bring a change in this direction. The text of the proposal requested by the EU’s Committee on Legal Affairs applies to human rights and environmental and governance risks and impacts throughout company value chains, which covers all “business relationships.” Consistent with the UNGPs, it defines “business relationships” as transversing “entities along its entire value chain,” including those “directly linked to the undertaking’s business operations, products or services.” As with the UNGPs, it further defines “value chain” as “business relationships and investment chains of an undertaking inside or outside the EU,” which “includes entities with which the undertaking has a direct or indirect business relationship, upstream and downstream, and which either (a) supply products or services that contribute to the undertaking’s own products or services, or (b) receive products or services from the undertaking.” Accordingly, the current version of the EU proposal—a “pre-draft,” we have called it—contemplates supply chains, customers, and product end-users, as envisioned by the UNGPs.
Unintended Consequences & Risk
As proposals to regulate responsible product usage are advanced, the need to assess the likely direct and unintended consequences product usage is increasing, particularly for globalized businesses with distributed workforces. These requirements will raise a variety of challenges for boards, risk and compliance committees, and audit and training teams.
For example, large local country offices outside of the West may have different cultural understandings and legal obligations to the host country that will need to be considered. It will be important to determine if responsible product usage programs can be successfully implemented without forcing some employees to feel like they must choose between compliance with local national security laws and these proposed new Western regulations. Already, certain new tech products are being targeted by the West as having a higher potential risk of misuse, such as surveillance equipment and AI. These have been the subject of guidance from the U.S. Department of State and the EU. More recently, the U.S. has begun placing export control restrictions around products sold to certain companies in China, citing human rights concerns. Governments have also provided guidance to financial institutions in identifying and stopping human trafficking among customers, and started to institute related penalties. While these examples to date remain fairly isolated, they are indicative of potential future pitfalls for global companies—who will have to anticipate how strategic competition between countries may affect who they can or cannot sell to, or suddenly put certain key customer-facing employees in jeopardy.
Companies will also need to address the fact that scale approaches to vetting suppliers may break down for vetting customers. In the upstream market, global competitors are often able to achieve compliance program cost savings by splitting the costs of vetting shared suppliers. For example, major shoe companies may all use shoelaces made in the same factory and can utilize a pooled diligence product. Because customers are rarely shared, downstream compliance programs will be forced to work differently. Customer-focused compliance programs currently cost big banks roughly 10% of their total operating costs. These great expenses actually create perverse barriers to competition and stifle innovation, while simultaneously generating mountains of reports few ever really read. Company leaders will need to play out the firm-specific impact when considering what initiatives are appropriate in their markets.
Due Diligence & Mitigating Steps
To meet the anticipated EU requirement, and consistent with the principles in the UNGPs, there are a variety of steps companies can take to begin identifying and mitigating human rights risks of product misuse. They include:
- Strategy & leadership discussions to determine the tone at the top and future role for board risk committees in assessing the best approaches to meeting the requirements of today and tomorrow. In particular, boards can begin discussing key scenarios that anticipate challenges arising from regional sales directors trying to onboard customers in industries out of favor in Washington or Brussels. Boards should also anticipate what pushback and pressures may be shouldered by certain in-country teams.
- Due diligence to determine the likelihood that a company product or service may be misused. That analysis will likely focus on the risks associated with the product itself, such as (1) past instances of misuse of the company’s products or services (or similar products or services), (2) whether the product could be resold or transferred, (3) the purpose of the sale, and (4) how the product could create human rights harms if not used as intended. The volume of products being sold may also be relevant, as scale may increase or decrease the relevant risks. Risks associated with the country where the product will be sold or service rendered is also frequently germane, including relevant laws and regulations, the human rights history in the country relevant to the product, and like factors. In addition, the specific risks associated with customers or end-users, such as prior allegations of wrongdoing or connections to questionable actors, along with the role resellers may play are highly relevant. These factors and others can help provide a sense of the overall relevant risks associated with the product generally or in connection with any given sale.
- Policies and Procedures can be adjusted or expanded to reflect responsible product usage and product misuse. For example, numerous technology companies now have policies, recently made public, that address the responsible use of AI. Others identify their expectations that customers and end-users will use products in a manner consistent with human rights norms, and outline actions to be taken if the company receives evidence or reports that products are being used in connection with human rights abuses. Still others have detailed procedures, standards or guidance reflecting the steps they take in considering responsible product usage in sales processes.
- Training of relevant employees, resellers, contractors and potentially even customers and end-users. Training might cover appropriate uses of a product, human rights norms, and red flags to look for in connection with potential misuses. Training may be formal and in-depth, or more akin to potential reminders.
- Additional controls or processes where higher-risk situations are commonly present include limiting the volume or duration of sales, changing technical requirements for certain products, if appropriate, or heightened internal approvals. Contractual terms for customers and end-users limiting the potential uses of a product may also be useful. These may include requirements that customers take affirmative steps to develop their own responsible product usage and/or human rights policies, provide training to key employees, undertake due diligence of third parties to whom company products are transferred (or requirements limiting resales or transfers), notify the company when it learns of a potential misuse and cooperate in any company-led investigation, and put in place a grievance mechanism. Contractual provisions may also include allowing the company to suspend use or cease further sales when reasonable evidence of a concern of misuse is raised, and conduct audits of customers and resellers.
- Monitoring potential product misuse through media reports or grievance mechanisms and engagement with civil society are common, initiating investigations and reviews when concerns are identified. Some companies, such as telecommunications manufacturers, have included design features that allow for tracking of products post-sale.
While the focus on human rights in supply chains is now ingrained in many human rights programs, the “other” side of the value chain—customers and end-users—has received much less attention. The EU directive is likely to change that, and companies would be wise to begin preparing for more scrutiny in this arena.