The German Supply Chain Duty of Care Act (Lieferkettensorgfaltspflichtengesetz; the Act) entered into force on 1 January 2023 for the first companies with more than 3,000 employees in Germany. It obliges (primarily German) companies to comply with human rights and certain international environmental standards within their operations and supply chains (see earlier blog post here). Over the last months of 2022, companies were busy preparing for the Act and establishing the required internal compliance structures as well as supply chain safeguards. The German supervisory authority published four guidance papers for implementation, yet there are still many uncertainties for companies concerning the extent of the new obligations being imposed, ranging from initial risk assessments to third-party due diligence to reporting.
Reach of supply chains
Generally, the definition of “supply chain” under the Act is broad and captures not only suppliers of materials necessary for the manufacturing of products but also activities indirectly related to the manufacturing process. However, there is still uncertainty whether, for example, the “downstream side” of the supply chain, i.e., the distribution steps within the supply chain after the production process, would meet the definition since they do not technically “supply production”. If they did not meet the definition, such business partners would not be subject to the general risk analysis obligations under the Act and subsequent due diligence duties. They would only be included as part of the general risk management, including ad hoc measures such as ad hoc risk analyses. Moreover, the term “direct supplier”, i.e., partner to a contract for the supply of goods or the provision of services, could also be open to debate. Specifically, companies will need clarity on whether the Act requires them to focus only on their own direct suppliers or whether direct suppliers of their controlled subsidiaries (even abroad) would be considered “their” direct suppliers as well. The supervisory authority (Bundesamt für Wirtschaft und Ausfuhrkontrolle, BAFA) – without further explanation – has treated direct suppliers of subsidiaries and direct suppliers of the obliged company itself in the same manner. This means that – regardless of whether the relevant subsidiary itself is supplying the parent company at all – the same level of due diligence and monitoring is required by BAFA for direct suppliers of controlled subsidiaries as for the direct suppliers of the obliged (parent) company itself.
Whistleblowing/grievance mechanisms
The Act requires companies to establish a complaints procedure for the reporting of human rights and environmental risks/violations caused by the actions of a company’s own business or the actions of its direct or indirect supplier. Accordingly, the Act requires that a company’s own employees be included in the complaints mechanisms. As such, in general companies will have a further obligation to set up reporting channels for their employees under the EU Whistleblower Directive ((EU) No 2019/1937), which was due to be transposed into the domestic laws of the EU Member States. Germany will most likely adopt its transposing legislation in the coming months. Hence, as these complaints and grievance mechanisms (under the Act and under the Whistleblower Directive) have different requirements – the Whistleblower Directive representing stricter standards – companies will be challenged to find the appropriate implementing approach. They will need to choose between two options. One is a uniform implementation approach, which is user-friendly but would make the stricter procedural requirements of the Whistleblower Directive applicable to supply chain grievances as well, thus going beyond what is stipulated by law. The other is to provide for separate procedures for internal employee-related whistleblowing and for external grievances reported via the supply chain, which could in turn increase the administrative burden of handling different procedures. Interestingly, the draft EU Corporate Due Diligence Directive (see recent updates here) in its current version foresees the alignment of internal whistleblowing and grievance procedures in supply chains, as the latter shall be governed in the future by the stricter standards of the Whistleblower Directive as well. Thus, there might be an argument in favor of aligning both procedures already now.
Linked to this topic is the difficulty for companies under the Act to evaluate when (reported or detected) breaches of labor law protection reach the level of employee-related human rights violations and trigger the sequence of safeguards and remedial actions under the Act. To date, no guidance by the legislator is available in this regard; this will be left to jurisprudence.
As regards complaints, it is noteworthy that the BAFA itself set up an online complaint form that can be used by anyone to submit complaints about companies that are allegedly in breach of their obligations under the Act.
Reach of duties and the concept of “substantiated knowledge”
The duties imposed under the Act generally need to be fulfilled within a company’s own business operations – which includes controlled subsidiaries (in Germany or abroad) – and vis-à-vis direct suppliers. Yet, the Act goes further and requires companies to extend their due diligence efforts – establishing preventive safeguards as well as reactive remedial actions – beyond first-tier suppliers whenever there is so-called “substantiated knowledge”, i.e., factual and verifiable indications of a possible violation of a human rights-related or an environmental obligation at indirect suppliers. This can include information about risks in a specific region in which a company or several suppliers are operating. Such risks could be identified via the grievance mechanisms, by internal audits or investigations, through a supervisory authority or through other sources of information, such as NGO reports. The interpretation of the term “substantiated knowledge” plays a key role for the scope of the Act. It not only triggers the extension of compliance obligations towards suppliers, but also has an impact on companies’ internal risk and governance management. There is a certain consensus that only actual knowledge of potential violations is required, and negligent lack of knowledge does not meet the standard. Hence, in theory, there is no obligation to gather particular information, although turning a willful blind eye is not an option. Therefore, in practice there might only be a fine line for companies that eventually determines the degree of their duties under the Act.
Internal responsibilities/Human Rights Officer
The Act requires a clear definition and allocation of responsibilities for monitoring internal and supply chain risks and proposes that companies establish a Human Rights Officer. There are no further specifications by the law. Therefore, companies have much discretion in assigning responsibilities. Currently, companies follow two different approaches in practice: either establishing a responsible person as Human Rights Officer, right below the management level, or implementing a “Human Rights Committee”, benefitting from the varied expertise of different departments, like the sustainability, procurement/purchasing and legal teams. Both ways are equally feasible.
The Act obliges companies to document comprehensively how they are fulfilling every element prescribed by the law, e.g., implementation of internal governance structures and third-party compliance and due diligence. The Act also requires companies to report annually on fulfilment of these compliance measures. Reports have to be (i) submitted electronically to the BAFA and (ii) published free of charge on the obliged company’s website and kept publicly available for a period of seven years. For these purposes the BAFA developed a questionnaire that consists of multiple choice and free-text questions, open and closed questions as well as mandatory and voluntary questions (in total 437 answer options). As such questions specifically cover fulfilment of the duties under the Act, companies will need to draft their reports with all due care and avoid unclear messages that could lead to subsequent information and data requests by the BAFA in order to monitor compliance with the law and the (potential) need for imposing administrative fines for non-compliance.
Reports must cover the previous financial year from 1 January 2023 onwards and need to be submitted/published no later than four months after the end of the company’s financial year. As the duties are only now becoming applicable to companies, first reports will only have to cover the actions taken from 1 January 2023 onwards. Regarding the enforcement of reporting duties, the BAFA just announced that auditing of the reports will only start from 1 June 2024, and thus delayed submission or publication might also not be fined until that date.
It is evident that supply chain reporting will become a central topic for companies. This is reinforced by the adoption of the far-reaching EU Corporate Sustainability Reporting Directive (CSRD), which entered into force on 5 January 2023 (see our previous blog post here) and builds on the current EU Non-Financial Reporting Directive. Amongst many other ESG topics, companies need to report under this legislative framework on, e.g., adverse impact of own operations, value chain, business relationships and supply chains; actions taken to mitigate such impact; due diligence processes, policies and strategies implemented as regards sustainability; and internal responsibilities. To a certain extent, this reporting framework also captures non-EU companies. Alignment of domestic supply chain laws and reporting under the CSRD remains to be seen. Accordingly, companies should be aware of the various interrelations of their ESG reporting.
Guidance papers by supervisory authority BAFA
Just one day before Christmas, the BAFA published its final guidance paper for compliance with the Act. Four thematic guidance papers are now available for companies to orient their implementation efforts: (i) risk analyses (August 2022); (ii) reporting (October 2022); (iii) grievance mechanisms (November 2022); and (iv) the principle of appropriateness (December 2022). All guidance papers have been long-awaited by companies as the Act, partly, remains uncertain with respect to some key elements. The last guidance paper on the principle of appropriateness, for example, covers an essential topic which permeates every element under the Act. An appropriate way of handling the obligations under the Act is determined by (i) the nature and scope of a company’s business activity, (ii) the leverage a company has on the party directly responsible for a risk or violation, (iii) the likelihood of a violation, its severity and reversibility, and (iv) an obliged company’s influence and contribution (if any) to the specific risks or violations. In line with previous soft law instruments on supply chain due diligence (like the OECD Guidelines for Multinational Enterprises), the BAFA declares that the principle of appropriateness generally means that the more vulnerable to human rights or environmental risks a company's business activity, business model or supply chain structure is, the more likely and severe the expected violation of protected legal interests; and the bigger the contribution to causation and the possibility of exerting influence of a company is, the more efforts can be expected to prevent, stop or minimise such violations.
2023 will continue to challenge companies with respect to new ESG compliance legislation and in particular supply chain regulation; for example, the new Swiss supply chain law also became applicable with the New Year. Moreover, companies that are not directly in scope will be affected because more and more obliged companies under the Act (and others to come) will next be reaching out to their contract partners to impose new contractual obligations, such as human rights compliance assurances and transparency/reporting duties. 2023 will be decisive for the development of best practices under the Act, taking into account the BAFA’s implementation guidance and enforcement strategies that are now being established.