Supply Chain Digital Transformation and Corporate Human Rights Due Diligence

TANG Yingxia (China)

I. Research Question

Digital supply chain management under the traditional data governance path focuses on the enterprise's own data security and internal operational risks, often ignoring the negative impacts that enterprises have on their stakeholders, that is, external human rights risks. Therefore, it is necessary to incorporate a human rights perspective in digital supply chain management and effectively prevent and comprehensively address human rights risks in digital supply chains by implementing a human rights due diligence approach. In the context of digital technologies such as artificial intelligence and big data, can the existing approaches to human rights due diligence in international human rights law be directly applied? By taking a close look at the existing human rights due diligence regulations in the field of business and human rights, including the UN Guiding Principles on Business and Human Rights (hereinafter referred to as the Guiding Principles) endorsed by the UN Human Rights Council and widely accepted by States, the draft UN treaty on business and human rights under negotiation, and the mandatory legislation and voluntary norms of States on human rights due diligence, it can be found that all those above are based on the experience of traditional sectors such as mining, textiles and food processing. Whether such experience can be further applied in the digital context has yet to be tested in practice and theoretically studied.

At present, there are no international norms or domestic legislation that specifically address human rights due diligence in digital supply chains. Therefore, this paper seeks to discuss how digital technologies can empower supply chains and contribute to human rights protection in the context of the digital wave that is sweeping the world. What new challenges does the digital transformation of supply chains pose to human rights due diligence? Are the existing rules in the area of business and human rights, with the Guiding Principles at their core, sufficient to meet the challenges posed by this technological revolution? How can a human rights due diligence approach that fits into digital supply chains be constructed?

II. New challenges to corporate human rights due diligence in digital supply chains

(i) Characteristics of human rights due diligence in digital supply chains

Firstly, human rights due diligence is a customized process, when applied to the digital supply chain environment, it may take different forms depending on the size and location of the businesses, the type of products they are developing, their position in the value chain, the type of harm their products cause, who their customers are, and many other factors.

Secondly, human rights due diligence is also risk-based, which means that the measures taken by an enterprise to conduct due diligence should be proportionate to the severity and likelihood of adverse impacts. When the severity and likelihood of the impact is high, for example, when the product being developed can be used in a harmful way, due diligence must be more extensive.

Thirdly, human rights due diligence is flexible, progressive, consultative and transparent. Companies are expected to initiate and continue the due diligence process; no one expects to completely map out human rights-free operations and supply chains overnight. Companies need to make hard choices about what they prioritize, and make incremental improvements over time. It is a consultative and transparent approach, where stakeholders are expected to be consulted at each step of the due diligence process to ensure that efforts are effective. With the progress of mandatory human rights due diligence legislation, companies are also expected to publicly report on their efforts to conduct due diligence. These steps are not mutually exclusive and can be undertaken simultaneously.

(ii) The challenge of digital supply chains for human rights due diligence

Participants in digital supply chains are at greater risk of human rights abuses. Unlike physical assets, data assets are non-rivalrous in that they may have multiple copies and be processed simultaneously in different locations in different jurisdictions. This geographical distribution of factories and manufacturing assets has led to the emergence of cyber-physical supply chains that cover the traditional manufacturing value chain. Participants in the digital supply chain, such as engineering contractors, cloud manufacturing service providers, data service providers, etc., are increasingly aware of their responsibility to respect and provide remedies for human rights violations. Within the framework of the Guiding Principles, this responsibility is primarily fulfilled through the requirement to conduct business-implemented human rights due diligence. In the context of digital supply chains, human rights due diligence may become more challenging.

1. New human rights risks arising from third-party data risks

In digital supply chains, data is exposed to both internal and external supply chain risks during the flow of data. Internal risk refers to the data risk that can arise when sensitive data is accessed by information systems and employees of the business as it operates internally, while external risk refers to the risk that can arise when sensitive data is accessed by suppliers and other partners as it flows through the supply chain. When someone uses a supplier or other partner to steal an organization's data and launch an attack on the supply chain, data risk from third parties can arise, and this can lead to human rights harm. Digital supply chains have profoundly changed the sources and types of risks faced by companies in traditional supply chains. Third-party risk is the weakest link in the digital transformation of the supply chain, as the external risk to data flowing through the supply chain comes from the application of suppliers or third-party partners, when the data is out of the control of the business. Human rights risks due to third party data risks increase the difficulty of risk identification in human rights due diligence for companies.

2. Business relationships are unpredictable

Digital supply chains have changed the geographic distribution of networks and physical assets due to the use of technologies such as cloud computing, big data, the Internet of Things and blockchain, and have complicated the process of “ex ante” human rights due diligence. In traditional supply chains, manufacturers have clearly established business relationships, often structured through long-term contractual agreements. In theory, therefore, ex ante human rights due diligence can be somewhat predictable for a given business relationship. However, in the context of digital supply chains, beyond the physical boundaries of one or more factories operated by the same manufacturer, the manufacturer may no longer know the exact supplier of the particular resource being provided or service being offered. In addition, data assets may be at most the result of multiple data transactions and processing operations, which are not always easy to trace.

3. Multiple parties involved make it difficult to determine liability

Even in traditional supply chains there are “many hands”, and the unique design and operational characteristics of digital supply chains make it even more challenging to identify the responsible parties. Currently, supply chains have evolved from a single chain structure from upstream suppliers to downstream customers to a complex network structure from multiple upstream suppliers to multiple downstream customers, and the relationships between supply chain members have evolved from a simple relationship between two companies (supplier-retailer relationship) to a network of both vertical and horizontal dependencies. However, no matter how complex the structure of a traditional supply chain is, the supply relationships between upstream and downstream of the supply chain are clearly hierarchical. As a result, the risk of human rights due diligence is traceable. Digital supply chains have changed the physical basis of traditional supply chains, and have broken the boundaries of traditional supply chains. There is both an intersection of supply, manufacturing and retail-based relationships and a mutual complementarity of digital, service and product packages based on production complexes, creating an interdependent, networked and dynamic supply chain ecosystem with symbiotic relationships between different supply chains and a synergistic evolution of all participants. Digital developments have allowed new players into the supply chain, namely third-party digital partners, thus fundamentally changing traditional supply chain relationships.

4. Technical barriers to forensics make remedies difficult

Conducting effective human rights due diligence depends on an end-to-end view of the supply chain. In digital supply chains, applying technical forensics can help uncover evidence that is critical to mitigating risk. However, currently available forensic technologies do not work well in collaborative smart manufacturing environments, where commercially sensitive information and operational technology devices are distributed among many artefacts, such as field devices, collaborative robots, etc. Conversely, these devices may be under the control of participants spread across multiple geographic locations and jurisdictions, which may be a serious impediment to remediation.

III. Sound multidimensional governance solutions adapted to human rights due diligence in digital supply chains

In response to the trend towards increased corporate human rights due diligence in supply chains and the new challenges in the digitization of supply chains, it is necessary to develop a human rights due diligence approach that is adapted to digital supply chains. The Guiding Principles provide an authoritative and pragmatic cornerstone for any State action to shape the digital economy, and a human rights due diligence approach for digital supply chains cannot be divorced from the legal framework of “protect, respect and remedy” established by the Guiding Principles, but should be adapted to digitalization on the basis of existing human rights due diligence approaches.

(i) Clarifying the State's duty to protect in the human rights due diligence in the digital supply chain

The first pillar of the Guiding Principles' “Protect, Respect and Remedy” framework reaffirms the existing obligations of States under international law to protect against human rights abuses by third parties, including business enterprises, and provides a roadmap to guide State practice. Digital supply chains are also included within business enterprises. The three pillars are interlinked and mutually supportive. The State’s duty to protect underpins and safeguards business human rights due diligence. States have a responsibility to prevent business-related human rights harm through a smart mix of measures, including national laws and regulations, voluntary standards such as guidance, and public procurement incentives.

1. Elements for consideration in State legislation on human rights due diligence in digital supply chains

Artificial intelligence technologies that “differentiate, sort and classify” are essentially “discrimination systems”. In digital supply chains, consideration must be given to the ways in which operations are affected, the types of products manufactured, who they are designed to serve and who benefits from their development. This does not mean that all business models that rely on artificial intelligence undermine the principles of equality and non-discrimination. However, companies that profit from the use or sale of these tools need to take proactive steps to prevent discriminatory outcomes.

Firstly, digital-related laws such as AI Act and algorithm rules, should universally incorporate human rights impact assessments (HRIAs). HRIAs should be conducted in different ways at all stages of the digital supply chain lifecycle, from the conceptualization stage until after implementation has been applied, and can include processes to review impacts in an iterative and ongoing manner. To this end, appropriate resources and capacity must be allocated to ensure adequate classification and assessment.

Secondly, it is imperative to define the criteria and scope for assessing the impact on human rights. The legislation should clearly identify which events or situations require a human rights impact assessment. Human rights impact assessments should prioritize harm reduction and adverse human rights impacts on marginalized and vulnerable groups, take a holistic approach and assess the impact of AI systems on a wide range of human rights, including collective rights, economic, social and cultural rights and environmental rights. In addition, the area under review should be assessed on a case-by-case basis, paying attention to specific circumstances, including geographical location, language, population groups, socio-political and temporal factors.

Thirdly, inclusiveness. The inclusion of external stakeholders in the human rights impact assessment process is crucial and should, as far as possible, take into account the interests of socially disadvantaged people such as ethnic minorities, races, women, LGBTQ+, people with disabilities, and representatives from affected and marginalized communities, ensuring public access in the process.

Fourthly, a holistic approach is adopted. Human rights impact assessments are integrated with other accountability mechanisms such as data protection impact assessments, human rights and environmental due diligence and conformity assessments, algorithmic audits, and transparency registers, and should focus on potential and actual harm to individuals, communities, society and the environment in the analysis.

2. China's institutional progression on human rights due diligence in digital supply chains

Although developed countries in Europe and the US have started to regulate human rights due diligence in supply chains as a whole through legislation in the last decade, China's attention on human rights due diligence in supply chains is mainly in the practical area, and relevant laws and policies are still relatively scattered.

Firstly, human rights due diligence in top-level design. The nature of a smart society is characterized by contemporary science and technology that is algorithm-centered, data-led, integrated with blockchain and artificial intelligence, and linked by the Internet and the Internet of Things. In the digital transformation of the supply chain, algorithms are at the heart of the process and data provides the raw material for their development, design and application. Data law and algorithm regulation therefore form the basis of governance for digital supply chains. In terms of top-level design, the Outline for the Implementation of the Rule of Law Society (2020-2025) proposes to develop and improve the regulation and management of the application of new technologies such as algorithm recommendation and deep forgery, and to strengthen the regulation and guidance of the research and application of new technologies such as big data, cloud computing and artificial intelligence. The Cyber Security Law, the Data Security Law and the Personal Information Protection Law have been promulgated and implemented one after another, setting up the basic framework of China's data law. The new National Human Rights Action Plan (2021-2025) proposes to “strengthen the protection of personal information, improve the relevant legal system, supervision and enforcement, and publicity, and effectively safeguard network and data security” in the section on “Rights and Interests of Personal Information”, thus giving a human rights dimension to the protection of personal information and data. In addition, it is worth mentioning that the National Human Rights Action Plan (2021-2025), in the section on “Promoting Responsible Business Conduct in Global Supply Chains”, explicitly provides for the promotion of business conduct in foreign trade, economic cooperation and investment in accordance with the Guiding Principles, the implementation of human rights due diligence, and the fulfilment of social responsibility to respect and promote human rights. This is the first time that the requirement of human rights due diligence in supply chains has been explicitly included in China's human rights policy, and marks the comprehensive integration of the Guiding Principles into China's human rights policy, providing policy support and a jurisprudential basis for building a concrete approach to human rights due diligence in digital supply chains.

Secondly, the human rights path in specific algorithmic rules. Following the Guidelines on Strengthening Comprehensive Governance of Algorithms for Internet Information Services (hereinafter referred to as the Guidelines) jointly formulated by nine ministries and commissions, Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration of Market Supervision and Administration jointly issued the Regulations on the Administration of Algorithmic Recommendations for Internet Information Services (hereinafter referred to as the Regulations), defining for the first time in a sectoral regulation five categories of algorithms: “generation and synthesis, personalized push, sorting and selection, retrieval and filtering, and scheduling and decision-making”. The content of the Regulations reflects the rights-based path.

Although previous Chinese data legal policies and human rights legal policies were implicit and fragmented in their provisions on human rights due diligence, it is gratifying to note the explicit provisions on human rights due diligence in the new phase of the National Human Rights Action Plan (2021-2025) and the comprehensive inclusion of the Guiding Principles, and the adoption of a human rights protection perspective in the new algorithmic governance norms, all of which provide the digital supply chain with a human rights due diligence These provide the institutional basis for the construction of human rights due diligence in the digital supply chain.

(ii) Approaches to applying human rights due diligence in digital supply chains for business

1. Develop a corporate human rights policy. Businesses in digital supply chains should develop and make public their human rights policies to align their commitments with the Guiding Principles, including a commitment to avoiding human rights harm and to conducting supply chain due diligence to address the harm. As part of this step, companies should integrate their expectations for protecting human rights into their engagement with suppliers, customers and other business relationships. Companies should clearly communicate to suppliers and customers that certain uses or unintended impacts of their technology are unacceptable and may have an impact on business relationships. Policies should also be kept up to date, taking into account stakeholder perspectives and lessons learned from the company's efforts to address risks. Google has highlighted its AI principles on its website. These principles are that AI should (1) be beneficial to society, (2) avoid creating or reinforcing unfair bias, (3) be built and tested safely, (4) be responsible to people, (5) incorporate privacy design principles, (6) adhere to high standards of scientific excellence, and (7) be available for uses that are consistent with these principles. This does not require companies to stay away from high-risk activities, such as those of the defense sector. Rather, companies should seek to design strategies that suit their own risk appetite and enhance due diligence to identify and prevent or mitigate human rights risks, prioritizing actual or potential harm according to its severity. The principles of transparency and stakeholder engagement are particularly important in this regard.

2. Define the roles or responsibilities of different supply chain participants. Unlike traditional supply chains where the relationship between manufacturer, seller and consumer is linear, in digital supply chains there is significant overlap and exchange between technology developers, suppliers and end users. Therefore, all supply chain participants will undergo extensive scoping to identify where human rights risks are most likely to exist and are most important, resulting in an initial prioritization of the most important risk areas for further assessment of human rights risks. (1) Technology developers. While due diligence should cover all stages of the product lifecycle, the greatest potential for risk is in the product development process of the digital supply chain. By applying a Human Rights Design Strategy, developers can prevent/mitigate potential risks to technology at each step of development, so it is critical to identify relevant players and involve them early in the process. (2) Suppliers. Once the product has been developed, the supplier sells it to the end user who will implement and operate the technology. It is the supplier's responsibility to conduct due diligence at the point of sale regarding the risks associated with the use of the product. Suppliers should review reliable reports on the recipient's human rights record or history of misuse of the product. (3) End-user. End-users can be anyone, including governments, government contractors, other companies or civil society organizations. For many AI technologies licensed to end-users, developers have the capability to monitor the product, creating opportunities for human rights due diligence between the developer and the end-user. For example, developers and suppliers can limit end-user licence renewals.

3. Risk prevention or mitigation at different stages of the life cycle. Based on the initial scoping and risk assessment, companies should take action to stop, prevent or mitigate the identified impacts. This involves developing and implementing a plan that is fit for purpose. It is expected that all impacts will be addressed and that the most serious impacts will be prioritized. Stakeholders should be meaningfully involved in the process. Preventing or mitigating adverse impacts can be done at the design stage if the product is under development, or at the procurement or sales stage if the product has been sold. Companies can already mitigate potential human rights adverse impacts through contractual and procedural safeguards and strong grievance mechanisms.

4. In response to barriers to remedy and the need for greater transparency in digital supply chains, a unified platform can be built using a collaborative approach. This platform brings together data generated by companies' R&D and production, materials inventory management and suppliers, carriers, etc., links relevant people in all parts of the supply chain, covers all users of the supply chain, and makes transparent the various influences in the production and distribution of products, so that specific links that generate negative human rights impacts can be targeted and the fragmentation and complexity of remedies resulting from the web-like nature of digital supply chains can be mitigated.

(The author is deputy director of the Human Rights Research Center at Nankai University)