AI, Tech and the CSDDD: Does Lex Specialis Trump Lex Generalis?

The Corporate Sustainability and Due Diligence Directive (“CSDDD”) is now well-trodden territory for business and human rights lawyers. Indeed, it is rare to attend an event where the CSDDD is not a main topic of conversation, and justifiably so given its wide (and extra-territorial) reach, and significant imposition of legal responsibilities, duties, and potential civil and regulatory liabilities. The CSDDD, however, is geared towards addressing actual and potential human rights impacts, in the “traditional” sense of the term “human rights”. That is, human rights as envisaged in an offline world, when concepts such as “the right to private life”, “the right to non-discrimination” and “freedom of expression” were formulated within the context of the vertical relationship between the state and the individual. But how does the CSDDD apply on the cusp of the “digital revolution”? That was the subject of the presentation by my colleague, Robert Spano, former President of the European Court of Human Rights and Partner at Gibson Dunn, where he co-chairs our Artificial Intelligence and ESG Practice Groups.

‍

In short, Spano’s thesis is that the current regulatory framework at the European Union level, which consists of a number of potentially conflicting legislative acts imposing varying due diligence and risk assessment obligations on in-scope companies, leaves much to be desired as far as clarity, precision, and certainty. And, perhaps counter-intuitively, that uncertainty is not good for human rights, including for rights holders, due to the moral hazards and political incentives that it creates. Further, for global companies building and deploying AI, such uncertainty is exacerbated by the clash of values between, on the one hand, the EU, and, on the other, the US under the new administration (and its pro-tech/anti-ESG agenda).

‍

The web of regulation at EU level comprises, inter alia: (i) the CSDDD, and its obligations under Articles 10 and 11 that in-scope companies should identify potential and actual adverse human rights impacts (conceived in the “traditional” sense of there being a nexus between a company’s actions and the identified harm), in addition to (ii) the EU’s Artificial Intelligence Regulation (“EU AI Act”), and (iii) the EU’s Digital Service Act (“DSA”), which each also contain onerous risk assessment obligations similar in nature to due diligence.

‍

Within this web, the CSDDD is the lex generalis, i.e. it applies to any type of business so long as the company is incorporated in the EU, or incorporated outside the EU with a certain level of annual turnover within the EU. But how does the CSDDD apply to tech companies, or to companies otherwise heavily engaged with AI? Pursuant to Article 1(3) CSDDD:

“This Directive shall be without prejudice to obligations in the areas of human, employment and social rights, and of protection of the environment and climate change under other Union legislative acts. If a provision of this Directive conflicts with a provision of another Union legislative act pursuing the same objectives and providing for more extensive or more specific obligations, the provision of that other Union legislative act shall prevail to the extent of the conflict and shall apply as regards those specific obligations.”

For tech companies, such other lex specialis (i.e. applying to a particular sector) include, in particular, the EU AI Act and the DSA. The EU AI Act expressly states that its purpose is to limit fundamental rights harms: see Recital (6), which states that “[g]iven the major impact that AI can have on society and the need to build trust, it is vital for AI and its regulatory framework to be developed in accordance with […] fundamental rights and freedoms […]. [AI] should serve as a tool for people, with the ultimate aim of increasing human well-being.” And, at Recital (9), the EU AI Act states that it applies “without prejudice to existing Union law, in particular on data protection, consumer protection, fundamental rights, employment, and protection of workers, and product safety, to which this Regulation is complementary.” Where an in-scope company’s activity qualifies as a “high-risk system” (e.g. if it relates to workers’ rights), Article 9 of the EU AI Act then requires risk management system (which includes the identification of “reasonably foreseeable risks that the high-risk AI system can pose to […] fundamental rights”).  

‍

Similarly, Article 34 (risk assessment) of the DSA, which applies primarily to very large online platforms and search engines, requires an annual risk assessment which includes the risk of “any actual or foreseeable negative effects for the exercise of fundamental rights” (see sub-clause (b)).

‍

Both of these legislative acts therefore directly intersect with the CSDDD. So, in light of Article 1(3) CSDDD, do companies falling within the scope of lex specialis such as the EU AI Act and the DSA also fall within the scope of the CSDDD? Or does the lex specialis trump the lex generalis?

‍

Acknowledging that this is a developing area with no clear or definite answer, Spano advised that an systematic and contextual interpretive approach should be taken, in accordance with the general interpretative principles of EU law, and in order to protect against uncertainty for economic operators in this groundbreaking and developing field. The question then arises whether the risk assessments required by the EU AI Act and by the DSA are more extensive and specific than those contained in the CSDDD resulting in the former superseding the latter, at least in part. This will require considered reflection moving forward.

‍