Overview
I. Introduction
The spread of conflict and political instability worldwide presents multiple business challenges, including operational, legal, and brand risks. Companies are under pressure to account for their action or inaction in conflict-affected and high-risk areas (CAHRAs). In the past few years, we have seen both public campaigns and investor scrutiny over the activities of a company's operations and value chains in Russia, Israel and the West Bank, Gaza, Myanmar, the Democratic Republic of Congo, Sudan, and China.
At the core of responsible business is human rights due diligence (HRDD). In the CAHRA context, businesses are expected to conduct heightened human rights due diligence (hHRDD), which is distinct in structure and method from ordinary HRDD. Beyond these methodological differences, CAHRAs pose critical legal nuances for companies to consider in conducting due diligence. This piece focuses on key legal considerations for companies conducting hHRDD, including (i) the substantive law underlying the hHRDD process; (ii) compliance with other legal standards and regulations; (iii) practical integration into risk-management protocols; and (iv) disclosure.
II. HRDD v. hHRDD
Fifteen years after the endorsement of the UN Guiding Principles on Business and Human Rights ("the Guiding Principles"), proliferating corporate human rights regulation has entrenched HRDD as a cornerstone of effective social risk management across company value chains.1 CAHRAs are likely to be priority arenas for HRDD under any of these regulations because they frequently pose the most salient human rights risks to stakeholders.
Unlike ordinary contexts, however, CAHRAs also pose a distinct species of risk: conflict itself. This risk dimension means that the aim and structure of an hHRDD process is meaningfully different from ordinary HRDD. As the CS3D notes, companies "should take into account that CAHRAs constitute particular geographic and contextual risk factors" and adapt HRDD accordingly. Effective hHRDD thus aims to understand human rights risks and impacts as well as the factors that create, drive and sustain conflict, and how business is related to them.
The bedrock of HRDD is international human rights law. Risks and impacts are assessed with reference to international and regional human rights conventions and commentary, which apply to everyone irrespective of context and national law.2 CAHRAs also implicate international humanitarian law, which is applicable in armed conflict and imposes obligations on public and private actors, including businesses sufficiently connected to the conflict.3 In addition, CAHRAs implicate conflict risks—i.e., the risks of exacerbating the conflict—that do not constitute risks under international human rights or humanitarian law, such as perceived injustice by one group even if all decisions are objectively fair. An hHRDD process must account for each of these distinct risk types in one integrated whole.
III. The Legal Backdrop to hHRDD
In addition to the methodological differences between HRDD and hHRDD, CAHRAs implicate a far more substantial level of legal risk for companies to consider, both when considering whether to conduct hHRDD and in structuring that process.
a. Litigation
Corporate litigation risk—and related brand risk—has long been most acute in CAHRAs. Some of the seminal early corporate human rights litigation in the US concerned alleged security-related harms in Nigeria,4 Indonesia,5 and Myanmar.6 Even as avenues for such litigation in the US have narrowed, a global banking institution was recently held liable for financing Sudan's military, and in 2024, a multinational agribusiness and food company was found civilly liable for financing a Colombian paramilitary group. We are also seeing conflict-related claims in other jurisdictions. In France, a cement company was held criminally liable for financing terrorist groups such as ISIS and al-Nusra in Syria.7 In Sweden, two executives of an oil company are currently standing trial for complicity in war crimes committed in Sudan.8
b. Compliance
Beyond the imperatives of mandatory HRDD regulations, several non-human rights laws and regulations may be relevant for companies operating in CAHRAs. Sanctions regimes, for instance, are increasingly complex and diverse—with acute resonance in CAHRAs. The EU, US, and UK each differ in their sanctions' scope and enforcement. Sanctions are relevant for company operations and business relationships in CAHRAs. They should also inform the structure and conduct of on-the-ground hHRDD, notably to ensure that findings and risk-mitigation measures are properly managed by company legal teams.
In addition, corporate integrity regulations such as the US Foreign Corrupt Practices Act,9 Justice Against Sponsors of Terrorism Act,10 and Anti-Money Laundering Act11 create heightened risk—and greater need for scrutiny—in CAHRAs due to weakened public governance, increased potential for misuse of public power, and security risks posed by non-state actors.
Further, sector-specific regulations may intersect with conflict-related issues. For example, social media companies may have to comply with the EU Digital Services Act (DSA) requiring companies to conduct annual risk assessments and disclose systematic risks posed by their platforms.12 In October 2023, the European Commission invoked the DSA to request information from key companies on content moderation related to Israel and Hamas.13
For miners, processors, and purchasers of minerals, CAHRAs remain an ever-sharpening regulatory focus. In the US, §1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act requires public companies to disclose whether tin, tantalum, tungsten, or gold ("3TG minerals") in their products are sourced from the Democratic Republic of the Congo or neighboring countries.14 The EU Conflict Minerals Regulation expands and deepens expectations by requiring EU importers of 3TG minerals to conduct due diligence in CAHRAs.15 Similarly, the Swiss Responsible Minerals Ordinance requires 3TG mineral importers to conduct risk-based due diligence in line with the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas.16 And the EU Batteries Regulation requires responsible sourcing of raw materials in batteries such as lithium, cobalt and nickel, which have been tied to conflict.17
IV. Practical Implications
There are three practical implications of this legal context: prioritization, structure, and disclosure.
- Prioritization: Effective human rights risk management turns on structured prioritization. Leading voluntary standards and mandatory due diligence regulations require companies to prioritize based on "salience," i.e., the severity and likelihood of risk to stakeholders. CAHRAs are likely to be priority contexts for due diligence on this criterion alone. The added risks associated with litigation and integrity compliance—let alone brand and operational risks—only strengthen the argument for global companies to prioritize CAHRAs.
- Structure: While CAHRAs present severe human rights risks, they also present international humanitarian law and conflict risks, in a context of heightened stakeholder sensitivity, which means that hHRDD is distinct from HRDD in scope and method. In addition, the broader legal context creates greater need for legal privilege to enable rigorous investigation. Indeed, integrating hHRDD with broader geopolitical and integrity compliance would be effective and efficient.
- Disclosure: Due to their heightened risks to stakeholders and businesses alike, CAHRAs can affect a suite of sustainability and securities disclosures. Companies may need to be conscious, however, of the impact that disclosure itself can have on the conflict, as publishing information related to CAHRA engagement, including due diligence, may elevate security, human rights, and possibly also legal risks to stakeholders, personnel, or to the business itself.
1 See mandatory human rights due diligence regulations in Europe, such as the German Supply Chain Due Diligence Act (LkSG), Norwegian Transparency Act, French Duty of Vigilance Law; and the European Union’s Corporate Supply Chain Due Diligence Directive (CSDDD), Batteries Regulation, Conflict Minerals Regulation, and Deforestation Regulation (EUDR).
2 States may suspend the application of certain rights during states of emergency.
3 International Committee of the Red Cross, What Private Businesses Need to Know About International Humanitarian Law, ICRC LAW & POLICY (Nov. 26, 2024), https://blogs.icrc.org/law-and-policy/2024/11/26/what-private-businesses-need-to-know-about-international-humanitarian-law/.
4 Bowoto v. Chevron Corp., 2006 U.S. Dist. LEXIS 63209 (N.D. Cal. August 22, 2006).
5 Doe v. Exxon Mobil Corp., 654 F.3d 11 (D.C. Cir. 2011), vacated, 527 F. App’x 7 (D.C. Cir. 2013) (mem.).
6 John Doe I v. Unocal Corp., 2002 Cal. Super. LEXIS 5207 (Cal. Super. Ct. June 11, 2002).
7 Lafarge S.A. v. France, No. 19-87.367, 2021 WL 4260700 (Sept. 7, 2021).
8 Business & Human Rights Resource Centre, The Significance of the Lundin Trial, BUSINESS-HUMANRIGHTS.ORG (Sept. 5, 2023), https://www.business-humanrights.org/en/latest-news/the-significance-of-the-lundin-trial/?utm_source=chatgpt.com.
9 Foreign Corrupt Practices Act, 15 U.S.C. §§ 78dd-1 to 78dd-3 (1977). Note, the Trump administration has passed an Executive Order pausing the enforcement of the FCPA. See: The White House, Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security (Feb. 28, 2025), https://www.whitehouse.gov/presidential-actions/2025/02/pausing-foreign-corrupt-practices-act-enforcement-to-further-american-economic-and-national-security/.
10 Justice Against Sponsors of Terrorism Act, Pub. L. No. 114-222, 130 Stat. 852 (2016).
11 Anti-Money Laundering Act of 2020, Pub. L. No. 116-283, § 6001, 134 Stat. 4511 (2020).
12 Regulation (EU) 2022/2065, Article 13, of the European Parliament and of the Council of 19 October 2022 on a Digital Services Act, 2022 O.J. (L 277) 1.
13 Maya Reddy, As Israel and Hamas Go to War, the Digital Services Act Faces Its First Major Test, DFRLab (Oct. 26, 2023), https://dfrlab.org/2023/10/26/as-israel-and-hamas-go-to-war-the-digital-services-act-faces-its-first-major-test/.
14 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1502, 124 Stat. 1376, 2213 (2010).
15 Regulation (EU) 2017/821 of the European Parliament and of the Council of 17 May 2017 on the supply of tin, tungsten, tantalum, and gold originating from conflict-affected and high-risk areas, 2017 O.J. (L 130) 1.
16 Ordinance on Due Diligence and Transparency in Relation to Minerals and Metals from Conflict-Affected Areas and Child Labour (DDTrO), Dec. 3, 2021, 221.433 (Switz.).
17 Regulation (EU) 2023/1542 of the European Parliament and of the Council of 10 May 2023 on batteries and waste batteries, art. 10, 2023 O.J. (L 130) 1.