From Soft Law to Hard Law: Human Rights Impact Assessments in the Digital Services Act Era

This essay is part of a symposium on the promise and perils of human rights for governing digital platforms. Read more from the series here; new posts will appear between June 18 - June 30, 2024.

For more than ten years tech companies have used human rights impact assessments (HRIAs) to navigate the murky waters of transnational human rights violations. These are procedures carefully designed to inform decision-making within companies. Their goal is to identify appropriate action to avoid, prevent, and mitigate the harms to human rights that can be foreseen or imagined. They have become an essential tool of corporate self-governance under the voluntary framework of business and human rights built around the United Nations Guiding Principles.

But as a tool of risk-management, HRIAs are now closely connected to regulations such as the Digital Services Act, the UK Online Safety Act and even the UN Global Digital Compact zero draft. In this brief essay, I argue that the fragile connection to the law the practice has shown until now has been the source of a structural weakness. I also argue that the influence exerted by new regulations may lead to a closer alignment between HRIAs and legal processes, potentially strengthening their impact.

HRIAs and a Founding Gap With the Law

The weak connection to the law of HRIAs and HRDD can be blamed on the UNGPs. Their major sin can be presented in the following terms: by relying on a voluntary commitment that ignores the close relationship between capital and states, the scheme explicitly renounces the tools of coercion associated with the law as an instrument of government. By encouraging a self-regulation nudged by peer-pressure and pressure from above, the UNGPs follow the steps of corporate voluntary codes of conduct that emerged in the 1970s, such as the the OECD’s Guidelines for Multinational Enterprises and the ILO’s Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy. The theory of change behind this mechanism is that norm entrepreneurs would get big companies to commit to certain standards of behavior, smaller competitors would follow, and industry-wide systemic change would (theoretically) ensue driven by market forces. However, this approach at the UN was a second-best option that came to be only after states failed to agree on the answer to the question of corporations and human rights. While for years many countries at the receiving end of transnational corporations (TNCs) sought a treaty that would impose upon them the obligation to respect human rights, the countries that produce TNCs successfully blocked it. The voluntary framework was former UN Secretary General Kofi Annan’s solution to this problem.

HRIAs are explicitly part of a soft law mechanism that emerged out of the impossibility of hard law. And the practice has suffered, until now, from the ambiguous conception of law behind the whole enterprise, where human rights are a central premise but are not mandatory in the sense legal rules are. This can be explained by generally accepted truths about international law: the main sources of international human rights law are treaties and these are made by sovereign states (and, thus, only states are parties to those agreements), states are trusted with the main responsibility to respect the rights recognized through treaties, TNCs are not—by definition—creatures of international law but from the sovereign nations that incorporate them, the notion that all corporations must respect the laws of the nation where they operate, and so on. Considering these limitations, the UNGP voluntary framework is better than nothing.

And yet human rights are hard law in the sense that they are universally recognized, must be respected by the states, are directly enforceable by courts in many countries of the world, and—in some jurisdictions—are mandatory both for the state and natural and juridical persons alike. From this standpoint, the place of TNCs within the international legal framework becomes a technicality: the challenge they pose is not a matter of rights, but of remedies. People have those rights, the question is how to enforce them. This perspective offers a better grounding for the UNGPs voluntary approach, because without a robust legal conception of rights the responsibility of corporations towards them becomes baseless. The ambiguity embedded in the UNGP project has, however, costs. Corporations do not perceive human rights in the same vein as they do corporate law, antitrust or securities regulations. Instead, they view human rights as a framework within which certain governance techniques can be deployed.

Governmentality, Innovation, And the Imitation of the Legal Form

HRIAs and human rights due diligence can be better grasped if we look at them through an analytics of governmentality framework, which means “exploring the often subtle and intricate mechanisms of liberal and indirect means of steering”. From this point of view, HRIAs and human rights due diligence (HRDD) are part of a web of complex new governance techniques in which traditional regulatory frameworks and top-down management approaches give way to more adaptable, negotiated, and dialogue-driven strategies. HRIAs and HRDD are part of them because of the methods they use (risk-based analyses, monitoring and measuring, evaluation and iterative learning) and because they have been embraced after the gentle push of international bodies (e.g., the UNGP) or peers (such as the Global Network Initiative in the tech sector).

This perspective is productive to think both about the limits of these practices and their potential evolution. My suggestion here is that enhancing HRIAs could involve fostering a more robust legal understanding of human rights and aligning the practice more closely with foundational principles of the legal process. New regulations may nudge the practice in this direction.

Indeed, the DSA, the UK Online Safety Act, and the zero draft of the UN Global Compact all embrace risk-based approaches to digital governance and call for assessing the impact on rights of tech companies’ operations. Because the DSA and the UK Online Safety Act are hard law, HRIAs may become part of the mechanisms through which companies comply with those laws. If that was to happen, the normative dialogue that will ensue between regulators and corporations will likely shape the practice and bring it closer to some kind of lawyerly compliance. HRIAs may also be shaped by their practitioners, who can take advantage of the tool’s flexibility.

Consider, for instance, the after-the-fact assessment developed by BSR for Meta on the Israeli-Palestinian crisis of May 2021. This kind of analysis reduces the level of abstraction at which HRIAs are often conducted and brings the practice closer to the law by imitating the backwards looking orientation of the legal process. This—the imitation of the legal form—is not unprecedented in the tech sector, which is plagued with legal concepts and narratives to deal with content moderation decisions (reviews, appeals, transparency reports, and so on). And it could be a source of change and evolution, driven by both the influence of emerging regulations and the flexibility practitioners enjoy within the framework of governmentality.

My intuition is that practitioners could adopt this strategy if they find it useful within internal corporate politics. The teams in charge of developing human rights policy are not the most powerful decision-makers within firms. Bringing what they do closer to the law, even if it is through imitation, may strengthen their position because of the symbolic capital associated to the field. HRIAs and HRDD could become more juridical—and thus, less governmental. By aligning the practice more closely to a robust conception of human rights law and by bringing the practice closer to the law as a social field, HRIAs and HRDDs may finally get the teeth they so desperately need and that the voluntary framework of business and human rights fails to provide.