Four years to a first draft: slow progress toward treaty to bind companies

The U.N. Human Rights Council has published the first official draft of a legally binding treaty on business and human rights. This draft has been four years in the making and marks an achievement in advancing corporate accountability for human rights abuses.

The draft proposes a framework of due diligence which calls on companies to consider the human rights impacts of their business activities. However, the draft leaves much room for improvement, particularly with respect to protecting digital rights.

We call on the Council to strengthen the draft by:

  1. demanding transparency from companies on human rights impact assessments,
  2. closely scrutinizing the business/state relationship to prevent private and state-owned/controlled companies from enabling states to carry out human rights abuses,
  3. providing effective remedial mechanisms for victims, with fair processes and adequate redress, and
  4. widening the scope of application of the treaty to include domestic companies.

We also call for greater involvement of civil society in the treaty process to ensure the treaty’s legitimacy and effectiveness.


Companies can directly infringe our human rights. Examples of egregious behavior by private firms reach as far back as the British East India Company using torture to collect taxes from colonies in India. More recently, the 1984 leak of toxic gases at the Union Carbide chemical plant in Bhopal, India, was a foreseeable failure that killed at least 7,000 people over its first three days, and sparked the modern movement for corporate accountability.

Legally, though, there is no binding international agreement among states that holds companies responsible for causing or contributing to human rights harms. For example, due in part to jurisdictional disputes and the refusal of U.S.-based Dow Chemical Company, which bought Union Carbide in 2001, to stand in Indian courts, justice remains out of reach for the Bhopal victims and their families. Fortunately, though, this reality is changing, more than 30 years after the world’s worst industrial disaster.

In July 2018, the U.N. Human Rights Council’s open-ended intergovernmental working group on transnational corporations and human rights (Working Group) published the Zero Draft, the first unofficial draft of a legally binding treaty that directly addresses corporate abuses of human rights. In 2014, the Human Rights Council adopted a resolution directing the Working Group to “elaborate an international legally binding instrument to regulate … the activities of transnational corporations and other business enterprises.” Four years later (yes, you read that correctly), the drafting committee produced a first draft. This process has not been and will not be speedy.

And yet, this draft marks an achievement. Coming seven years after the U.N. Guiding Principles on Business and Human Rights were unanimously endorsed by the Human Rights Council, this is a recognition by the international community that corporate impunity for human rights abuses cannot continue. The Guiding Principles were an important first step and still continue to be implemented by states, through National Baseline Assessments and Action Plans, and reported on by businesses; however, they leave a gap in corporate accountability because they are voluntary. This treaty aims to fill that gap.

As discussions and negotiations over the draft continue, it is important to take a moment to consider the impact the treaty could have. Because so much of our lives are carried out online, ICT companies, perhaps more so than companies in other sectors, have a huge impact on our human rights. Data breaches and censorship are an everyday occurrence, while events like the Myanmar military’s use of Facebook to incite genocide stand out and demand accountability. News of ex-NSA agents being hired by the UAE government to help spy on human rights activists and social media users, including minors, illustrates the nexus between states and companies in this space. It is therefore necessary to ensure that this treaty properly regulates ICT companies and protects our rights — and data — online.  

Due diligence: how the treaty envisions prevention of human rights abuses

Among some of the gravest risks that ICT companies pose to our human rights are those to our freedom of expression and privacy. The rights to express oneself, and to disseminate and receive information freely and securely are fundamental to digital rights. While digital platforms and vendors help us to extend our lives online, they also threaten our rights when they limit our ability to express ourselves and when they improperly collect, retain, and share our personal data.

The Zero Draft proposes a framework of human rights due diligence which could possibly address these risks. Due diligence is a legal concept which generally refers to the reasonable investigation a company carries out before conducting a business activity. Usually it centers on financial questions, auditing whether the other party in a business deal carries outstanding debts or legal liabilities, for example. In terms of human rights, due diligence means that companies must assess the potential impact their business activities will have on human rights. And, in terms of digital rights, it can demand a study of the surveillance practices in a country before selling networking equipment to its government, for example, or consultation with female journalists targeted for harassment and abuse on a social media platform.

The draft treaty calls for states to ensure that transnational businesses within their jurisdiction undertake human rights due diligence measures, including monitoring their actual and potential human rights impacts, identifying and assessing any actual or potential human rights violations that may occur, and preventing human rights violations within the context of a company’s business activities. This is done through a variety of processes like engagement with affected communities, human rights policy development, and disclosure and reporting of violations.

Some states are already moving toward mandatory human rights due diligence. Under French regulation, companies must publish Vigilance Plans describing their systems to identify and mitigate risks in their supply chain and customer interaction.  

How to strengthen the treaty

Emphasize transparency

Companies will be required not just to conduct human rights due diligence, but also to “[report] publicly and periodically” on the results of these measures. This reporting requirement implies transparency, but the treaty must be much more explicit in calling for transparency and setting out clear standards for companies to follow. In fact, the word “transparency” is not mentioned at all in the entire draft. This is a problem because, particularly for ICT companies, transparency is key; it is a way to address the risk that these companies pose to our rights to privacy and freedom of expression. For instance, the multiple data breach revelations in the past year have demonstrated just how much information ICT companies, especially social media companies, collect, retain, and share about their users. This is why we maintain the Transparency Reporting Index and push for more meaningful reporting by tech firms on their human rights impacts.  

The risk to our right to privacy lies in the fact that much of this information is collected and retained without users’ knowledge, let alone consent. By providing transparency as to how user information is collected, shared, secured, and retained, ICT companies could better fulfill their due diligence obligations regarding our privacy rights. As for freedom of expression, the risk lies in companies restricting or limiting our right to express ourselves freely. Transparency as to when and why user content could be restricted would go a long way to fulfill the obligation to respect our freedom of expression, the reason we support the Ranking Digital Rights Corporate Accountability Index.

And we are not alone in pushing for greater transparency: recently, a group of investors representing $700 billion (USD) in assets issued a statement calling on ICT companies to align their policies and practices with the standards set out in the Corporate Accountability Index. Specifically, the investors call on companies to be transparent, ensuring that their human rights reporting includes policies on freedom of expression, data security, and privacy. The private sector is taking notice that transparency is crucial; the treaty must do so as well.

Without demanding transparency on human rights impacts, the treaty falls behind even current legislation that requires reporting on non-financial matters like environmental, social, and governance indicators. For example, under the U.K. Modern Slavery Act and similar laws in Australia and California, large companies must publicly state their steps to prevent and cut forced labor from their supply chains.

Scrutinize the state/business relationship

Another major issue the treaty fails to address is the relationship between private companies and the state. This relationship can arise out of two scenarios: 1) private companies providing goods/services to the state, or 2) companies that are state-owned or controlled. Human rights abuses involving ICT companies often occur where these companies are used as tools by oppressive regimes to stifle freedom of expression or to carry out massive and unlawful surveillance of individuals. For instance, Google’s Project Dragonfly, an effort by the company to create a censored search engine app for China, presents a situation where a tech company could facilitate the repression and abuse of human rights demanded by a state actor. Although the state should clearly be held responsible for violating human rights, the private actor that enables the state ought to be held proportionately responsible, as well.

Under the current status of the draft, it is unclear whether liability would attach to the company providing such tools to a state actor. Article 9 of the draft directs businesses to conduct due diligence that would identify and prevent human rights abuses arising from their activities or those of their subsidiaries and of entities under their direct or indirect control. However, it fails to recognize that the state is an entity that is not under the control of private actors, yet is nevertheless often empowered to act through the services and tools it receives from companies. This is very relevant to the tech sector, as the Google example shows. Governments are relying on tech companies to design tools or provide services that could impact the rights of people all over the world. In dealings between the state and private companies, particularly where the companies are owned or controlled by the state, the Guiding Principles say the government must take “additional steps” to ensure that human rights are respected. These steps include specifically stating human rights obligations in the terms of the contract and exercising adequate oversight over the businesses’ activities to ensure that those obligations are met.  

However, in attaching liability to companies for the actions of third parties, the treaty must be careful to distinguish cases when companies are used as a tool to promote or exercise rights rather than restrict them. Particularly for online platforms, there is a danger that they could be held responsible for content by third parties that a repressive state may find to be in violation of national laws. Unfortunately, states themselves often threaten human rights, and are unlikely to take any “additional steps” to protect people from corporate abuses. In such cases, when platforms enable free expression or the exercise of other human rights, the treaty must not be used as a means to attach liability.

Provide effective remedial mechanisms

The treaty also needs clear and effective mechanisms for remedy. As it stands, the closest the treaty comes to addressing an actual path to remedy is the section on implementation on the national level, which directs states to “take all necessary legislative, administrative or other action … to ensure effective implementation of this Convention” (Art. 15(1)). No more is said as to what requirements would constitute effective implementation. At the international level, the treaty creates a Committee to provide guidance and recommendations on the understanding and implementation of the treaty. It is telling that more attention and detail are devoted to how the Committee will be established than to what it will actually do.

These provisions are wholly insufficient to provide effective remedial mechanisms or even to carry out the objectives listed in the treaty itself. The most remarkable aspect of the treaty is that it is an international recognition that corporate impunity for human rights abuses must end; therefore what it needs is an international mechanism for remedy. While it’s important to have state-level remedies, a combination of state-level mechanisms and global governance mechanisms in the treaty would be more effective in achieving corporate accountability.

On the national level, as the treaty calls for states to ensure that businesses undertake human rights due diligence, the question of remedy could be incorporated into due diligence. Rather than merely monitoring human rights impacts, companies should implement and participate in grievance mechanisms that allow individuals to raise human rights concerns. Operational-level grievance processes give the company a chance to know and address harms before they grow more severe. The draft treaty, in its Optional Protocol, smartly notes that individuals participating in non-judicial grievance processes, like the new National Implementation Mechanisms envisioned by drafters, should always be allowed to take their claims to courts, as well. We agree: no quasi-judicial process, or corporate “Supreme Court,” should ever prejudice people’s rights to a day in court.

Widen the scope of application

Finally, to be a truly effective tool to address corporate abuse of human rights, the treaty must apply to all types of corporations. As it stands, the treaty only applies to “business activities of a transnational character” (Art. 3(1)). This is concerning because it leaves out domestic companies, holding them to a different standard than transnational companies (a concern ironically shared by the business community, for different reasons). The ostensible reason is that a state’s own laws should be sufficient to address human rights abuses carried out by domestic companies within its territory, where jurisdiction is clear. But this same argument could also be used to limit liability for transnational corporations — when a corporation violates human rights within a host state’s jurisdiction, shouldn’t that host state’s laws be sufficient? Yet the international community has agreed that an international standard is necessary, so let’s hold everyone to that standard, including domestic companies.

The treaty also gives states the option to exempt small and medium-sized enterprises (SMEs) in order to spare them “undue additional administrative burdens” (Art. 9(5)). This ignores the fact that SMEs are just as capable of committing grave human rights abuses as large transnational corporations. Examples are companies like Hacking Team, Cambridge Analytica, and NSO Group who provide technology to governments with weak human rights records and abusive practices. Because these companies are not transnational giants like Google or Facebook, they could escape liability under this treaty. Corporate accountability should be for all corporations, not just the very big ones.

Greater role for civil society

Civil society has long been active in calling attention to business-related abuses of human rights. This has made human rights defenders into targets, with more than 1,300 attacks since 2015 against activists on business-related issues. To protect human rights defenders and to create a treaty that will promote rather than limit human rights, it is necessary that all voices are heard throughout the treaty process. Civil society must be integrated to ensure the treaty’s legitimacy and effectiveness.

Access Now has previously raised concerns over the treaty, and we speak up again to ensure that everyone’s digital rights are recognized. We’ve come a long way with the treaty, but there is still a lot of work to do to ensure that corporate impunity for human rights abuses will finally come to an end.