(Cliquez ici pour la version française de ce blog).
Last February the French National Assembly passed the ground-breaking law imposing a duty of vigilance (due diligence) on large companies in relation to social and environmental risks. The first vigilance plans will start to be published in 2018. This article sets out some questions and answers about the law and its requirements.
Which companies are affected?
The law provides that two types of companies must establish and implement a vigilance plan:
- Companies who employ, at the end of two consecutive financial years, at least five thousand employees in their direct or indirect subsidiaries, whose head office is located on French territory;
- Companies who employ, at the end of two consecutive years, at least ten thousand employees in their direct or indirect subsidiaries, whose head office is located in France or abroad.
Although the statement “whose head office is located on French territory or abroad” in the second variant may suggest that the law could apply to foreign companies, the most common interpretation is that it applies only to companies established in France with more than 5,000 employees in France or employing more than 10,000 employees in France and / or abroad. In both cases, the number of employees includes employees of the company itself as well as those of its direct and indirect subsidiaries in France and throughout the world. French subsidiaries of foreign companies exceeding one of the thresholds described above will also be affected by the law. Around 150 companies are expected to be affected in total.
What are the legal obligations?
Affected companies must develop and implement a due diligence plan that includes “reasonable due diligence measures to identify risks and prevent serious violations of human rights and fundamental freedoms, health and safety as well as the environment, resulting from the activities of the company and those of the companies it controls, as well as from the activities of subcontractors or suppliers with whom an established commercial relationship is maintained”.
Let’s take a closer look at some of these elements:
“…reasonable due diligence measures to identify risks and prevent serious violations …”: The law is quite clear on this aspect of the content of the vigilance plan. At a minimum, this should include:
- A risk map containing risk identification, analysis and prioritization;
- A description of processes for regular evaluation of risks in relation to subsidiaries, subcontractors or suppliers
- Appropriate actions to mitigate identified risks or prevent serious violations;
- A process for gathering reports of risks or impacts, drawn up in consultation with the company’s representative trade unions;
- A mechanism for monitoring the measures implemented and evaluating their effectiveness.
These requirements will force companies to think carefully about the risks specific to their sector or business, in order to better prevent and mitigate them. It will not be enough to react to problems, or to wait until they hit the headlines; the law requires a proactive approach based on prior due diligence. While many large corporations may be able to use existing strategies as the basis for their vigilance plans, simply describing them will not be enough to meet the requirements of the law. Rather it will also be necessary to explain the reasoning and the methodology used to develop action plans, i.e. what risks are these measures intended to mitigate, how and why they have been prioritised, and how the company intends to address risks, evaluate and monitor its actions, both in its own operations and in its supply chains.
“…human rights and fundamental freedoms, health and safety and the environment…”: This wide range of subjects means that the development and implementation of the vigilance plan can only be done with input from and co-ordination between different departments of the company and its subsidiaries. Companies that are advanced in terms of CSR and sustainability will have an opportunity to deepen their understanding of the links between these three themes, which often remain separate in many companies.
“… resulting from the activities of the company and those of the companies it controls, as well as the activities of subcontractors or suppliers…”: In addition to risks related to the direct operational activities of the company itself as well as its subsidiaries, the vigilance plan must demonstrate a deep understanding of its supply chains and the associated risks. The parent company will therefore have to work closely with its subcontractors and suppliers to understand their risks and mitigation activities, to the extent that these relate to the business relationship. This could be a significant challenge for many companies, especially those with a very large number of subcontractors and suppliers or those operating in sectors where business relationships are often of short duration. In accordance with the principle of due diligence, companies should not exclude too hastily suppliers and subcontractors with whom their commercial relationships are not as strong, especially if their products and services were singled out by the risk assessment.
When and how will the first vigilance plans be published?
The law provides that the vigilance plan and the report of its implementation during the previous year must be included in the company’s annual report. Companies are already working on these and we can therefore expect that the first vigilance plans corresponding to the 2017 financial year will be published in Spring 2018.
What are the penalties for non-compliance?
If a company fails to comply with the obligations set by the law, any person with legitimate interest in this regard (e.g. non-governmental organisations, trade unions, or individuals affected by the company’s actions) may give official notice (mise en demeure) to the company to comply. If the company still doesn’t comply within three months, this person may ask the competent court to order the company to comply, under financial penalty if necessary. In addition, the law states that company can be subject to civil liability, which means that it could be sued to provide compensation to cover the effect of any harm that would have been prevented by the exercise of due diligence (i.e. the development of a vigilance plan).
These are much more severe penalties than those provided under similar laws such as the Modern Slavery Act or the California Transparency in Supply Chains Act. However, some commentators have raised questions about the practical application of these sanctions, including the determination of liability and access to remedies for victims.
What is the role of stakeholders?
The law stipulates that a company’s vigilance plan “should be drawn up in association with society’s stakeholders, where appropriate through multi-stakeholder initiatives within sectors or at territorial level”. It will be interesting to see how companies interpret this rather vague formulation. Indeed, the law does not provide more detail as to which stakeholders should be consulted, and to what extent. However, it is clear that companies will have to engage with the relevant trade unions in the development of a process for gathering reports of risks or impacts.
Stakeholders can also be expected to play a leading role in analysing and critiquing early reports in order to draw attention to what they see as the main gaps, with the likelihood that they will attempt to benchmark and classify company disclosures. Moreover, as noted above, stakeholders with a legitimate interest in this regard will be able to ask the courts to order companies to comply with the law and, in some cases, bring civil liability actions against them.
What can we expect from the first vigilance plans?
It will be interesting to see the first vigilance plans published by French companies. From our experience in relation to statements under the Modern Slavery Act (see our analysis here), these often offer little detail about the nature and mapping of identified risks, though they are getting more detailed. This reflects a reluctance on the part of British companies to make public information about the (even hypothetical) presence of modern slavery and forced labour in their operations or supply chains. While it is certainly possible that French companies will share this reluctance, they will nevertheless be legally obliged to publish this type of information, and more. Indeed, the French law goes beyond risk mapping and also requires information about action plans, among other things. Of course, it also covers a much wider range of topics (human rights, health and safety, environment) than the MSA.
It will also be interesting to see if the development of early vigilance plans will have an impact on corporate practices beyond the large parent companies. In the United Kingdom, for example, there has been a ‘cascade’ effect whereby companies have asked their smaller subcontractors and suppliers to report on measures taken to eliminate modern slavery and forced labour in their operations and supply chains, sometimes even when these companies were not obliged to do so under the Modern Slavery Act.
The past few years have seen significant legislative developments in the field of non-financial reporting, which have all contributed to raise standards of international best practice. Given the unprecedented obligations created by the Duty of Vigilance Law, French companies now have a clear opportunity to become world leaders on corporate social responsibility, transparency and good governance.