The technology industry is entering a new era of regulation, with several initiatives in the European Union (EU) shaping how the industry assesses risk, addresses adverse impacts, and discloses to the public.
Each of these regulatory initiatives stands in isolation to address a specific topic, be it freedom of expression, artificial intelligence (AI), or privacy. Some are tailored to the technology industry, while others apply to companies in all sectors.
However, while working with BSR member companies to prepare for these various regulations, it has become abundantly clear that human rights based-approaches—and especially the implementation of the UN Guiding Principles on Business and Human Rights (UNGPs)—provide a common thread that ties them all together.
There are certain key features that distinguish a human rights-based approach: reviewing and addressing impacts against all human rights; prioritizing risks to people based on severity—i.e., scope (the number of people impacted), scale (how grave the impact), and remediability (whether the impact can be made good); and paying particular attention to the rights of individuals from vulnerable groups or populations.
It is striking how these key features of a human rights-based approach provide the conceptual foundation for each new EU regulation that technology companies will need to adhere to.
- Digital Services Act (DSA): Will require a “systemic risk assessment” encompassing actual or foreseeable impacts on rights contained in the EU Charter of Fundamental Rights, including a consideration of the severity of impact. The DSA emphasizes vulnerable users and offers scope, scale, and remediability as potential prioritization criteria.
- Artificial Intelligence Act: Will require a “conformity assessment” for higher risk applications of AI and uses the EU Charter of Fundamental Rights as the basis for understanding and classifying risk.
- General Data Protection Regulation: Requires that companies undertake “Data Protection Impact Assessments” that consider not just privacy but impacts against all rights contained in the EU Charter of Fundamental Rights, prioritizing the most severe risk to “data subjects.”
- Corporate Sustainability Reporting Directive: Will require that companies take a“double materiality” approach to disclosure, where the prioritization of matters that affect the economy, environment, and people (“impact materiality”) will be based on concepts of scope, scale, and remediability drawn from the UNGPs.
- Corporate Sustainability Due Diligence Directive: Will establish a corporate due diligence duty, which will require identifying, preventing, mitigating, and accounting for adverse human rights and environmental impacts across company value chains, including from the use of products and services.
For companies, there are opportunities to consider the human rights-based synergy between these different requirements. This might include identifying connectivity through compliance processes, creating shared content across different assessments, or establishing an information architecture for reporting that positions these different disclosure requirements as an integrated whole. Companies with well-resourced central human rights functions are better placed to achieve these synergies.
For regulators, there is a need to maximize interoperability between these different requirements. This should include consistency in emphasizing the relevance of all human rights (rather than prioritizing some over others), harmonizing criteria by which adverse impacts on people should be prioritized, or creating more uniformity of disclosure requirements. There is a lot riding on the details of the regulations, where even slight differences in scope or definitions can be counterproductive.
Preparing for this new era will require significant, detailed, and tailored activity to meet the requirements of each regulation. However, it is our premise that taking a consistent human rights-based approach based on the UNGPs will ease this process, enhance compliance with both the spirit of and letter of each regulation, and increase the likelihood that human rights become more deeply embedded in the technology industry.
In the movie “Everything Everywhere All at Once” Michelle Yeoh draws upon distinct elements of her best self to succeed in different contexts; in the reality of “Human Rights Everywhere All at Once,” human rights functions will need to take a similar approach.