Companies of a certain size with ties to Germany must soon establish robust due diligence procedures to prevent human rights and environmental abuses both within the course of their own business activities and within their global supply chains.

Following months of fierce debate, Germany’s government adopted on March 3 a draft “Supply Chain Act” (Lieferkettengesetz), also called the “Due Diligence Act (Sorgfaltspflichtengesetz),” now being weighed in German parliament. On May 7, the legislation passed the upper house; it is currently in the lower house for final discussion and voting.

“What we’re hearing in Berlin is that the Act more likely than not will go through,” says Patrick Späth, a partner at Morrison & Foerster in Berlin. If that’s the case, it’s likely to pass by September and enter into force on Jan. 1, 2023.

Germany’s government took legislative action after the country’s previous system of voluntary self-commitments to human rights failed to meet the desired 50 percent mark. According to a 2020 report published by the German Foreign Ministry, only 22 percent of the 455 companies who voluntarily participated in the survey met the requirements set out in the National Action Plan (NAP). The NAP implements the UN Guiding Principles on Business and Human Rights.

“The challenge for large international companies will be to compare the requirements with respect to human rights due diligence under various jurisdictions.”

Patrick Späth, Partner, Morrison & Foerster

The Supply Chain Act broadly defines “supply chain” to encompass all of a company’s products and services (and all inputs to them), both domestically and abroad, from extraction of the raw material to delivery to the customer. Additionally, the legislation broadly defines human rights violations as those that include forced labor and slavery; child labor; occupational health and safety violations; and environmental harm that adversely affects people’s livelihoods or health. The harm includes the manufacturing of mercury-added products and the production and use of certain banned chemicals.

Geographically, the legislation applies to companies that either are headquartered in Germany or whose main base of business or registered office is in Germany. “So, if you are an American company of a certain size and you do business in Germany, then you may have to comply with what the law stipulates,” says Johannes Weichbrodt, a partner at Mayer Brown in Düsseldorf. “This is because the law applies to the German subsidiaries of multinational companies, provided they meet the threshold, including German subsidiaries of U.S.-incorporated companies.”

Initially, the legislation will apply to companies with at least 3,000 employees, including employees at subsidiaries and temporary workers whose duration of assignment exceeds six months. Effective Jan. 1, 2024, the minimum threshold will be reduced to 1,000 employees. It is expected the law will impact roughly 3,000 companies.

Except for France, which passed a similar law in 2017, Germany is the only other European country to introduce mandatory due diligence supply chain legislation. Weichbrodt describes Germany’s legislation as “trailblazing,” as it could set the standard for the rest of Europe.

The law comes at a time when the European Union is considering a European regulation that would impose very strict supply chain due diligence obligations on companies. It remains to be seen, however, how the European directive will compare to German’s Supply Chain Act, Weichbrodt says.

Due diligence obligations

Under the Act, German companies must do their best to prevent human rights or environmental abuses in their supply chain but do not have to guarantee the absence of any such abuses. Rather, they must demonstrate they have implemented the due diligence obligations in their supply chains in an “appropriate manner,” leaving each company to decide for itself what measures are appropriate.

The legislation’s core due diligence requirements (translated below from the original German) include the following:

Establishment of a risk management system (Section 4). Under the legislation, companies must have in place an “adequate and effective” risk management system, which “must be anchored in all relevant business processes through appropriate measures.” Effective measures are those that make it possible to identify human rights and environmental risks, prevent violations, or end or minimize them, the legislation states. Companies must further assign someone responsible for monitoring risk management—for example, by appointing a human rights officer, the legislation suggests.

Implementation of a risk analysis (Section 5). Companies must carry out an appropriate risk analysis with the aim of uncovering human rights or environmental risks in their own business, as well as within their direct suppliers. Any risk identified must be “appropriately weighted and prioritized,” the legislation states. The risk analysis must take place at least once a year and on an ad hoc basis upon any significant changes in the supply chain—for example, the introduction of new products, projects, or a new business area.

The results of the risk analysis must be communicated to relevant decision-makers, such as the board or the purchasing department. “Given the increasing risk of legal sanctions, it is worth discussing whether/how this should be coordinated with the legal and compliance department,” Späth says.

Adoption of a policy statement (Section 6). Companies must adopt a policy on their human rights strategy that must, in part, describe how the company meets its obligations and what expectations it has of its employees and suppliers in the supply chain based on the findings of the risk analysis. Additionally, companies must adopt appropriate preventive measures—for example, in the form of training in the relevant business areas, risk-based control measures, and contractual assurances concerning compliance with human rights standards.

Remedial measures (Section 7). If the company discovers a violation has occurred, or is imminent, within the course of its own business activities or that of a direct supplier, it must “immediately take appropriate remedial measures” to prevent, end, or to minimize the damage. Termination of a business relationship with a supplier may be necessary if the violation is “very serious;” if implementation of desired remedial measures is not effective, no milder means are available; or if it doesn’t appear “promising” that the supplier can be influenced to change its ways.

Establishment of an internal reporting mechanism (Section 8). Companies must set up an internal complaint mechanism, in which people, from inside or outside the company, can report violations. As an alternative, an external complaint procedure may be set up, provided the following requirements are met: The external service provider can guarantee impartiality and independence of the reporting system; accessibility and implementation of the reporting system is publicly available; and confidentiality of those who report violations is maintained.

Documentation and reporting obligations (Section 10). Companies must continuously document the fulfillment of their due diligence requirements and maintain this documentation for at least seven years. Further, the company must prepare an annual report on the fulfillment of its due diligence obligations in the past financial year that must, at a minimum, explain “whether and, if so, which human rights and environmental risks the company has identified,” how it fulfilled its duties of care, and how it evaluates “the effects and the effectiveness of the measures,” the legislation states. This report must be made publicly available.

Generally, Germany’s legislation applies only to direct suppliers. However, companies would be required to perform due diligence on their indirect suppliers if they have “substantiated knowledge” of a possible human rights or environmental violation.

Failure to meet these due diligence obligations could be met with serious sanctions. Companies whose average annual turnover exceeds €400 million (U.S. $486 million) could receive fines of up to 2 percent of their average group annual turnover for certain violations. Additionally, companies may be excluded from being awarded public contracts for up to three years if a fine of at least €175,000 (U.S. $213,000) has been imposed. Investigative and enforcement powers fall under the responsibility of the Federal Office of Economics and Export Control (BAFA).

Praise and criticism

As drafted, the Supply Chain Act has garnered both positive and negative feedback. In a joint statement, more than 30 individual companies and organizations voiced their support for the legislation, saying it would help create a “level playing field” and would ensure companies don’t evade their responsibilities without consequences.

“The pandemic shows once again the global interdependence of supply chains, and the collapse of the markets clearly underlines the relevance of resilient supply chains,” the joint statement reads. “We see the need for joint action and uniform regulation of the due diligence obligations of companies.”

German carmaker Daimler said it was in favor of both the German Supply Chain Act and international regulation. “This would contribute to legal certainty and a level playing field,” Daimler stated. “Proposed legislation should also pursue the goal of creating incentives for preventive measures in companies, thus ensuring the protection of human rights.”

Some business associations argue, however, the scope of the law goes too far. The German Employers’ Associations (BDA) stated, for example, the legal responsibility imposed on companies for the entire supply chain goes too far. “With substantiated knowledge, companies must immediately carry out a comprehensive catalog of measures,” the BDA stated. This will result in “far-reaching and impractical obligations for the entire global supply chain.”

Chief compliance officers and chief risk officers at companies with a nexus to Germany are going to have to closely review their supply chain risks and related due diligence procedures. Global companies already must navigate a patchwork quilt of due diligence laws as it is.

“The challenge for large international companies will be to compare the requirements with respect to human rights due diligence under various jurisdictions,” Späth says. Consider, for example, the due diligence requirements under France’s duty of care law, the United Kingdom’s Modern Slavery Act, and California’s Transparency in Supply Chains Act in the United States. Companies should spend time thinking about how to establish a system to ensure they comply with all these laws holistically if they have not done so already.

Another question many companies must grapple with, Späth says, is “where in the company should these measures and tools and guidelines be installed, and who should be responsible?” In some companies, this is done by the purchasing department.

Many companies still have much legwork to do. Weichbrodt refers to a German DAX 30 company that still does not feel well placed in terms of its human rights and environmental risks, even though they have been tackling these issues for a while. “If a company like that—which is a very sophisticated, multi-billion-dollar operation—doesn’t feel comfortable, then you can imagine that many other companies feel much less comfortable.”