‘Third-party verification’ in the ‘chain of activities’: opportunities and risks

Dr. Camilla S. Haake is a Post-Doctoral Researcher at the Ludwig Boltzmann Institute of Fundamental and Human Rights (LBI-GMR) affiliated with the University of Vienna. She is a lawyer and holds a doctorate in public international law. Her research interests lie, amongst others, in the theory of international law and human rights. At the LBI-GMR, Camilla conducts research in particular on topics at the interface between nature and human rights as well as business and human rights.

Stephen Rabenlehner MA is a Researcher at the LBI-GMR and holds a Master’s Degree in Theory and Practice of Human Rights (University of Essex). During the Master’s, Stephen’s interest in the correlation between (international) economics and its impact on (socioeconomic) human rights awakened and has remained a research focus ever since.

 

The authors are working with the Institute for Sustainability, Business Law and Reporting (INUR) of the University of Cologne on a research project, including the preparation of an independent study funded by the Austrian Federal Chamber of Labour on the human rights and environmental aspects of audit and certification systems in the context of corporate due diligence.

 

The new ‘Corporate Sustainability Due Diligence Directive’ (CSDDD) of the European Union (EU), in force since July 25, 2024, establishes due diligence obligations for companies to respect human rights and the environment at EU level in a legally binding form for the first time. It thereby creates legal certainty and a ‘level playing field’ for the current 27 EU member states with regard to human rights and environmental due diligence obligations. The CSDDD aims to ensure that certain large companies operating in the internal market identify and, where necessary, prioritise, prevent and mitigate, bring to an end, minimise and remedy actual or potential adverse human rights and environmental impacts (cf. Recital 16) in the context of their ‘chain of activities’, i.e. in connection with the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of products and the development of the product or a service (cf. Art. 3 para. 1 lit. g) CSDDD).

The CSDDD is not the first legal act of its kind: at national level, the French ‘loi de vigilance’ has played a pioneering role in the creation of legally binding corporate due diligence obligations since 2017, and in 2021 Germany has also implemented a law regulating corporate responsibility for compliance with human rights and environmental protection in the form of the ‘Lieferkettensorgfaltspflichtengesetz’. The CSDDD represents a further step by the EU and its member states towards realising the UN’s Sustainable Development Goals (SDG) – especially SDG 8 which aims to promote ‘sustained, inclusive and sustainable economic growth, full and productive employment and decent work for all’ – and is also intended to serve the goal of strengthening the protection of human rights in extraterritorial constellations.

But companies seem to struggle to fulfil their due diligence obligations. This is shown, for example, by the results of a 2020 survey which was part of the monitoring of the German National Action Plan (NAP) for Business and Human Rights. According to the report, only 12.8-16.5% of German companies with more than 500 employees fulfilled the NAP’s corporate due diligence requirements in 2020. This is food for thought, because most of these obligations, although now cast in legally binding form with the directive, are anything but new: by establishing the ‘Guiding Principles on Business and Human Rights’ of the United Nations (UN) and the ‘Guidelines for Multinational Enterprises’ of the Organisation for Economic Cooperation and Development (OECD), the international community has already recognised, among other things, a certain (but at that time: not yet legally binding) responsibility of companies to respect human rights and the environment.

In order to support companies in complying with their due diligence obligations, the CSDDD allows recourse to various means such as participation in multi-stakeholder initiatives – or verification of compliance with the corporate due diligence obligations arising from the directive by an ‘independent third party’ (cf. Art. 3 para. 1 lit. h) CSDDD). Such a third party is defined as ‘an expert that is objective, completely independent from the company, free from any conflicts of interest and from external influence, has experience and competence in environmental or human rights matters, according to the nature of the adverse impact, and is accountable for the quality and reliability of the verification’.

 

  1. Audits and certifications: one way of ‘independent third-party verification’

One way of verification in this sense can be the implementation of so-called audit and certification procedures, which is an (external) review of whether a company has complied with its due diligence obligations under the CSDDD, taking a snapshot of the current human rights and environmental situation of the respective company at the time of the review.

An audit is an inventory of current (organisational) processes in a company. The specific items audited range from management systems, processes and procedures within a company to the products it produces and/or services it offers. Audits often consist of an on-site inspection, whereby the compliance of the company’s practices with certain previously defined (sometimes international) standards such as the SA8000 social standard can be checked and the company can be given the opportunity for continuous improvement. A distinction is made between internal and external audits. Internal audits are defined as the review of the implemented management system by the company itself. External audits can relate to the same audit object (management system, products, processes, procedures) as internal audits, but are carried out by customers of the company (‘second-party audits’) or by external auditors who are independent of the company, such as certification organisations (i.e. ‘third-party audits’ which are of particular interest here).

Certification is the process by which compliance with certain predetermined criteria is demonstrated (Dolle et al. 2020, p. 641), whereby following a successful on-site inspection, a certificate of conformity is issued by a third-party (ideally accredited by an independent body); certification may be either required by law or voluntary, or regulated publicly or privately (definition based on ECCHR et al. 2021, p. 3). Certification standards can be established by, e.g., private institutions, associations, institutes and industry organisations. The best-known standard-setting organisation is probably the ‘International Organization for Standardization’. A distinction is made between product-based (e.g. the ‘Fairtrade’ seal or the ‘EU organic seal’) and process-based (e.g. the EU EMAS (‘Eco-Management and Audit Scheme’) seal) certificates.

 

  1. Added value, opportunities and risks of audits and certifications in the chain of activities

The CSDDD does not permit automatic (legal) exemption from civil liability solely on the basis of having implemented audit procedures and having been awarded a corresponding certificate. Nevertheless, as audit and certification schemes represent one of the few instruments of private (voluntary) industry self-regulation for verifying compliance with corporate due diligence, their use can bring great benefits, not least in the external presentation of a company. According to the EU legislator, the instrument of ‘independent third-party verification’ is intended to support companies in implementing their due diligence obligations under the CSDDD. Companies can make use of this ‘to the extent that such verification is appropriate to support the fulfilment of the relevant obligations’ (Art. 20 para. 5 CSDDD; Recital 52). The regular evaluation of companies and their supplier relationships can enable the optimisation of internal company processes and – based on an included (human rights) risk assessment – the associated implementation of a continuous improvement process (see ECCHR et al. 2021, p. 3), which in turn can amount to a long-term investment in quality. However, this only works if the verification is carried out by persons who have (at least) the characteristics listed in Art. 3 para. 1 lit. h) CSDDD, whereby the objectivity and independence of the verification are likely to be of particular importance.

However, competition between audit providers and scarcity of resources can limit the quality of audits and do more harm than good to compliance with human rights and environmental due diligence. Due to a lack of time and personnel resources, auditors may fail to record all relevant aspects of working conditions on site, particularly cases of discrimination, sexual harassment (Terwindt & Saage-Maaß 2017, p. 6) and child labour (Rosenbaum 2024). In some cases, the added value of audits per se is therefore even questioned. Some authors see a risk of manifestation of a supposed ‘appearance of global supply chain governance and “continuous improvement”’ in the continued frequent use of audit systems by companies, while instead a legitimisation of ‘business as usual’ takes place (LeBaron & Lister 2015, p. 915). A veritable ‘flood’ of different certificates and standards is also likely to diminish the significance of the test procedures and the certificates and seals awarded on their basis (Terwindt & Saage-Maaß 2017, p. 5). Reports of disasters such as the ’Rana Plaza’ incident of 2013 – the collapse of a factory complex in Bangladesh that led to the deaths of many textile workers despite prior SA8000 inspection of the production facility of a textile manufacturer operating in the building – have also not led to an improvement in the public perception of audits in recent years, but have rather provoked debates about civil liability also of auditors. Such discussions will, however, not be ended by the directive, because it does not contain any provision on liability of ‘independent third parties’. Art. 29 CSDDD on ‘Civil liability of companies and the right to full compensation’ only applies to companies that violate their original due diligence obligations under the directive.

 

  1. Audits and certifications as ‘diagnostic tool’

In contrast to, for example, Art. 6 of the EU ‘Conflict Minerals Regulation’, the CSDDD (e.g., Art. 10 para. 5; 11 para. 6; 20 para. 5) only allows the use of audit and certification procedures, but does not provide for mandatory use. This makes it clear that audits can support the implementation of corporate due diligence, but cannot replace it (Recital 52). This is accompanied by a repositioning of audits and the high expectations companies might have of these (see Klinger & Ernst 2021, p. 4). In order to be able to use audits as an effective diagnostic tool to provide reliable snapshots of the human rights and environmental situation of companies, they must fulfil high quality standards and ideally be accompanied by extensive changes in processes such as the trading, procurement and pricing practices of companies (Recital 41). Effective cooperation between auditors and audited companies is therefore necessary, as auditors will not (be able to) remedy human rights and environmental violations they identify themselves for obvious reasons.

 

This contribution is part of the project “Acceso a la justicia en el contexto de abusoscorporativos: la litigación como estrategia de resistencia y de empoderamiento a las víctimas (ACCJUSTEDH)” (ICI023/23/000001), financed by the International Catalan Institute for Peace.

 

Suggested Citation: C. S. Haake, S. Rabenlehner ‘‘Third-party verification’ in the ‘chain of activities’: opportunities and risks‘, Nova Centre on Business, Human Rights and the Environment Blog, 10 october 2024