Understanding the Potential Impasse of Suppliers’ Data Disclosure to Brands

The successful implementation of due diligence laws such as the Corporate Sustainability Due Diligence Directive (CSDDD) requires a significant degree of transparency and accountability across value chains. It is very likely to result in companies in scope requiring extensive disclosures from suppliers about their business operations, including potentially commercially sensitive information and grievance and working conditions related information. However, suppliers express concerns about disclosing business sensitive data to brands and are increasingly looking to local regulations such as data privacy laws for protection. This is a striking yet underestimated issue that needs to be promptly addressed by policymakers as companies are preparing for compliance. Failure to do so may lead to an impasse that impairs effective implementation of the due diligence laws.

What are the requirements for disclosure?

Companies in scope are required to conduct thorough due diligence in their business operations and in the operations of their business partners, and to communicate externally their due diligence policies, processes, and activities, including the findings and outcomes of those activities. (1) CSDDD affects suppliers in the upstream supply chain (from product manufacturing to raw materials) and some parts of the downstream supply chain. (2) To identify and address actual and potential human rights risks, companies will turn to suppliers for support in complying with these requirements and for requesting enhanced transparency over their business operations and sourcing practices. (3)

Specifically, companies will direct their information requests to business partners to identify actual or potential adverse impacts, which may require disclosure of the identity of direct and indirect business partners and any other “essential information.” (4) Although the European Commission prescribes that companies should not extend their information requests beyond this scope, brands will decide the type of information and the level of disclosure, and this leaves room for discretion. (5) Complete and accurate disclosure of data is therefore a prerequisite for a well-functioning risk management system and lack of collaboration in disclosing data will make any other forms of monitoring, checks, and audits ineffective. Moreover, it will also have effects on brands-suppliers' relationships as non-compliance with brands’ requests may lead to suspension or termination of the commercial relationship. (6)

The risks of non-disclosure, incorrect or fraudulent disclosure not only hinder the credibility of due diligence laws but also have an impact on society at large for the missed opportunity to prevent and mitigate human rights risks in global supply chains.

Why are suppliers reluctant to disclose data and may appeal to safeguards from data privacy laws?

Suppliers, like any other company, are reluctant to share business sensitive information with their customers that is not in their favour. (7) Suppliers fear that this information will be used to their disadvantage and that there will be financial and non-financial repercussions for their businesses. (8) Suppliers are also concerned about the risks of giving away trade secrets and competitive advantages when disclosing data, although CSDDD explicitly states that business partners should not be obliged to disclose such information. (9) These fears fuel the general concern on brands’ control and interference over suppliers’ business due to the power asymmetry between suppliers and brands.

In some instances, suppliers may seek cover under data privacy laws. Data privacy applies to personal data and any data that refers to employees is considered personal information. (10) This contrasts with the requirement set by CSDDD to disclose essential information needed to identify actual or potential adverse impacts, which may include employees' grievances as well as employees’ working conditions and labour rights. Such information is vital to identify and address human rights risks in suppliers’ business operations and the impasse created by appealing to data privacy laws might considerably hinder this process.

Moreover, companies’ data such as trade secrets (industrial processes etc.) cannot be disclosed (11), but it remains to be seen if in practice this may be disregarded in the name of essential disclosure and if other data considered confidential by suppliers may be the subject of brands’ requests. Data sharing of trade secrets will also be a crucial element in the context of environmental disclosures such as the ones required by the Digital Product Passport set out by the Ecodesign for Sustainable Products Regulation. (12)

What can policymakers do to avoid the impasse?

First, the issue should be widely acknowledged and discussed in private and public forums. Policymakers and other relevant experts should convene consultations over this issue, its unintended consequences, and the concerns that it is generating. (13) The legislator should specifically address the scope of disclosure, address potential conflicts with data privacy laws, and provide guidance for brands and suppliers on how to balance the concerns of suppliers, especially regarding guarantees against the misuse of data to their disadvantage, with the challenges that brands face in retrieving data, particularly from indirect suppliers, and brands’ paramount need  to collect relevant and accurate data. (14) Specifically, the European Commission and Member States should take this issue into consideration when developing guidelines to support compliance with CSDDD or its transposition into national law.

References:
(1) Art. 5 Corporate Sustainability Due Diligence Directive
(2) Art. 3(1)g, Corporate Sustainability Due Diligence Directive
(3) European Commission (2024) Directive on Corporate Sustainability Due Diligence: Frequently asked questions 
(4) Art. 5(3) Corporate Sustainability Due Diligence Directive
(5) European Commission (2024) Directive on Corporate Sustainability Due Diligence: Frequently asked questions
(6) Art. 6(2)e Corporate Sustainability Due Diligence Directive
(7) https://altruistiq.com/state-of-sustainability/resource/sustainability-insider-8-the-uncomfortable-truth-suppliers-dont-want-to-share-their-data-with-you
(8) https://equiception.net/we-need-to-talk-about-the-disincentive-to-disclose-risk-or-adverse-impacts/
(9)  European Commission (2024) Directive on Corporate Sustainability Due Diligence: Frequently asked questions
(10) https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-data-protection-rules-apply-data-about-company_en
(11) https://www.wipo.int/web/trade-secrets
(12) Chapter III, Ecodesign for Sustainable Products Regulation
(13) https://envoria.com/insights-news/the-top-3-challenges-of-the-german-supply-chain-act-lksg-and-how-to-overcome-them
(14) https://equiception.net/we-need-to-talk-about-the-disincentive-to-disclose-risk-or-adverse-impacts/