From Free Will to Duties of Vigilance: Corporate Liability for Wrongdoing


Paul Davies*
Abstract
This piece examines a number of possible doctrinal approaches to corporate liability for
wrongdoing and analyses their functional significance. It starts by identifying a starting point
common to many jurisdictions whereby liability for wrongdoing on the part of those in some
way connected with the company was attributed to the company itself. Vicarious liability
generally worked well in relation to tortious (delictual) liability but proved controversial in
many jurisdictions where criminal liability was at issue. Doubts about the appropriateness of
vicarious criminal liability led to restricted corporate liability for serious crimes.
The article then identifies an increasingly common way of circumventing this problem in the
criminal law area by shifting the basis of corporate liability onto an analysis of managerial
failings which caused or facilitated the commission of a crime. Crucially, this analysis does not
depend upon finding that any particular director, executive or employee of the company is
individually criminally liable. It is enough to attribute managerial acts or omissions to the
company and then to ask whether those are sufficient to constitute a crime on the part of the
company.
In a third stage, companies are made liable on an accessory basis, namely, that the company
displays a “corporate culture” which encouraged or permitted the commission of crimes by
individuals associated with the company. In this stage, the commission of a crime by a
connected person underpins the corporate liability, but the company is not liable for the
individual crime on a vicarious basis but independently for “permitting” the crime to occur.
The corporate culture analysis was most fully developed in Australia, but it has become more
widespread, though normally only in relation to particular crimes, under the heading of “failure
to prevent” liability.
“Failure to prevent” liability can be seen as the beginnings of a fourth stage, since the company
now has an incentive to take steps to prevent crimes being committed within the organisation
rather than just avoiding the creation of a culture which permits infractions. The full development
of the fourth stage is to be found, however, in corporate “duties of vigilance”. Pioneered in
France but now proposed on a wide scale by the European Commission, the occurrence of a
wrong is no longer a necessary element for corporate liability. It is enough that the company
has not prepared, put in place and effectively operated a corporate strategy for assessing and
reducing the risks of wrongdoing within the organisation. Liability can arise even though no
infraction has occurred, on the grounds that the company has not discharged its vigilance duty.
Equally important, duties of vigilance are proposed or have been imposed beyond the criminal
law so as to embrace breaches of international human rights and environmental standards as
well as international economic crimes. It is argued that the implementation of this fourth stage
requires much greater precision about how far companies are required to go in discharging their
duties, especially when operating in countries which do not accept that a breach has occurred
or that the standard is applicable in the jurisdiction.

Electronic copy available at: https://ssrn.com/abstract=3940444


I Introduction
At the height of the fashion for analysing the company as a “nexus” of contracts, it was possible
to take the view that company law was concerned solely with those who had contractual or
near-contractual relations with the company. Those who were harmed by the company’s
activities but were not in contractual relations with it were to be dealt with by some other body
of law, to which the term “regulation” was often applied. As to the former group, provided the
contracting process was effective, which it was in part the function of company law to ensure,
the allocation of the costs and benefits of corporate activity could be left to the contracting
mechanism. As to the latter (whose harms are usually referred to as “externalities”), whilst in
a world of no transaction costs contracting is in principle available also in the case of
externalities, nevertheless the costs of contracting in many real world situations hinder the
emergence of a viable contracting mechanism.1 So, here there was a need for a legal mechanism
alternative to the contractual one for allocating costs and benefits as between the company and
those not in contractual relations with it – though that mechanism might consist in some cases
of leaving the losses where they fell.

The nexus of contracts analysis was never wholly convincing, because it left a number of
important features of the corporate legal landscape unexplained. First, it did not explain why
company law focussed differentially on the various classes of contractual relations the
company entered into. Shareholder relations were comprehensively covered in all jurisdictions;
creditors extensively but not comprehensively; employees in some systems but not in others
(and not comprehensively in any system); suppliers and customers hardly at all, except when
they appeared in the guise of creditors. The non-lawyer might say that the relationships that
company law did not cover at all or comprehensively were still contractual relations, and so
the relevant bodies of law were subject to the same analysis as was proposed for company law.
But this did not explain why company law had developed as a separate branch of law, what its
distinctive features were or why other branches of law (for example, consumer law) had
developed differently.

* QC (hon), FBA. Senior Research Fellow, Harris Manchester College, University of Oxford and Professor of
Corporate Law Emeritus.
1 R. Coase, “The Problem of Social Cost” (1960) 3 Journal of Law and Economics 1. Contrary to the views
sometimes expressed, Coase did not argue that contracting would normally be possible but was interested in
analysing situations where transaction costs were substantial and, in particular, the extent to which law could
help to reduce those costs.

Second, and more important for the purpose of this paper, the nexus of contracts theory seemed
to treat “regulation” as a body of rules entirely separate from company law, interesting for those
studying regulation in general (whether in the corporate context or not) but of no or little
importance for corporate law scholars. By contrast, it is the interface between regulatory rules
and the company that this essay addresses. The paper suggests that there are at least three issues
about the interrelationship between regulatory rules and the company which are, or ought to
be, of interest to scholars of company law. These are: does the legal construct of the company
as a person create conceptual barriers to the application of regulatory rules? Does the company
as an organisation create particular difficulties for the effective application of regulatory rules?
Does the company as an organisation offer potential advantages for the effective operation of
regulation which are not available outside the corporate context and how can these advantages
be operationalised?

The core case I consider in this essay is where a person within the corporate organisation - at
whatever level, not necessarily a senior one - commits, or is involved in committing, a wrong.
That wrong may be a crime, a civil wrong (a tort or delict, for example) or an administrative
or regulatory offence. The question I address is not whether the individual is liable but the basis
on which the company is, or should be, liable. In the early part of the essay I focus on criminal
wrongs, because corporate liability for serious crimes committed within its organisation has
proved controversial. By contrast, the basis for corporate liability in the civil and regulatory
areas was settled some time ago, though the law is still developing. In the latter part of the
essay, I turn to international standards, which are problematic in part because, at least in dualist
systems, those standards do not become part of the law of ratifying states unless domestic laws
adopt the international standards. In greater part, however, the modern legal issues have arisen
out of a renewed focus on the application of international rules in a global trading system.

II Conceptual barriers to making companies liable for wrongdoing: attribution

It is apparent, therefore, that in the term “regulation” I include not only bodies of rules aimed
at particular activities (such as pollution) or particular industries (such as the operation of
nuclear facilities) but also general rules against wrongdoing, embodied in the criminal law or
the law of torts (delict). Once this clarification is made, it becomes clear that my first issue is,
in fact, a very old one for company law. Since the company is a legal person in the eyes of the
law, but not a person in terms of physical reality, the only way of making the company liable
for the wrongdoing of those involved in promoting its business is by treating the acts and mental
states of some groups of natural persons in some circumstances as those of the company. This
is generally referred to as the technique of “attribution”. However, attribution can be done in a
variety of ways whose results will have significant consequences for the extent of the liability
carried by the company. Probably no jurisdiction has a conceptual problem with the imposition
of liability on the company when the wrongdoing is committed, or more likely authorised, by
the board of directors. In continental systems, this is often put on the basis that the board is an
“organ” of the company, so that what it does is an act of the company. In truth, however, this
is a type of anthropomorphic reasoning which disguises an underlying process of attribution.
UK company law now accepts that this is the case. The acts of the directors operating
collectively are attributed to the company because its constitution (derived from its articles of
association and the Companies Acts) confers on the board of directors all the powers necessary
to run the company’s business.2

The more demanding questions arise when we need to decide whether the acts or mental states
of those lower down in the corporate hierarchy are to be attributed to the company. I consider
in the first section a general and traditional mode of attribution – vicarious liability - and then
go on to consider modern developments in attribution techniques, generated initially by a
reluctance of some legal systems to apply vicarious liability to serious criminal offences. If
attribution is not available in one way or another, either at all or to a socially acceptable extent,
then companies become potentially zones of unlawful behaviour and their social legitimacy
may come into question on the grounds of inadequate protection against their negative
externalities. The potential liability of those natural persons involved in the company’s business
may be regarded as a necessary but insufficient answer to the legitimacy question; the
enterprise itself, it may be said, should also carry liability. And efficiency-minded persons are
likely to think that market prices will be more accurate if the enterprise bears the full costs of
its productive activities. In short, the answer to the attribution question is a foundational issue
for company law, much though corporate law scholars in many jurisdictions seem to regard it
as a second-order issue.

2 See Meridian Global Funds Management Asia Ltd v Securities Commission [1995] 2 AC 500 (PC) per Lord
Hoffmann, who said “Any proposition about a company necessarily involves a reference to a set of rules. . . There
would be little sense in deeming a persona ficta to exist unless there were also rules to tell one what acts were
to count as the acts of the company.” The company’s constitution thus counts as one possible source of those
rules. Vicarious liability and other types of attribution discussed below constitute other sources of attribution
rules.

Tortious (delictual) liability

Despite the difficulties discussed below in relation to the criminal law, it is worth starting by
noting that in most, perhaps all, jurisdictions the attribution question was answered early on
and effectively in relation to civil liability, especially in the area of tortious (or delictual)
liability. The attribution technique deployed here was some version of the doctrine of vicarious
liability (respondeat superior). The standard analysis of this doctrine is that vicarious liability
involves the attribution of the acts and states of mind of employees and agents who committed
the wrong to the company so as to make the company liable for the wrongdoing, as well as the
individual wrongdoers. Vicarious liability is not a special doctrine of company law, of course,
but applies to any employer/employee or principal/agent relationship. It took off in the
nineteenth century as a response to the rise in accidental harms resulting from industrialisation
and the growth of mechanised transportation. The fact that vicarious liability is a general
doctrine of the civil law may explain why corporate lawyers have paid it little attention, but
that does not excuse their failure to recognise its significance for the imposition of liability in
relation to corporate externalities.

Assuming an employee or agent has been identified,3 the crucial question becomes to establish
the required linkage between the employee’s (or agent’s) activities and the company’s
operations such as will lead to the liability of the company. In recent years, at least in my own
jurisdiction, the tendency has been to loosen the required linkage so as to expand the area of
corporate liability with regard to tortious conduct. In the UK it used to be said that the company
was vicariously liable only if what the employee or agent did was a wrongful way of performing
his or her duties and vicarious liability did not apply where the employee did something outside
the scope of employment altogether (sometimes colourfully referred to as situations where the
employee engaged in “a frolic of his own”). But recent decisions no longer seek to draw that
line, which was always an imprecise one. Thus, in Mohamud v W M Morrison Supermarkets
Ltd (2016)4 the claimant, a Somalian, stopped at the defendant’s supermarket petrol station to
enquire if he could print out some documents from a USB stick. For reasons which are unclear,
he was racially abused by one of the station operators, Mr Khan, who was of a different (non-
white) ethnic origin. The claimant returned to his car, but Mr Khan followed him and seriously
attacked him, despite the efforts of a supervisor, who had appeared on the scene, to restrain Mr
Khan. The Supreme Court, holding the supermarket liable, disavowed the traditional test (as a
number of other recent decisions had done) and said the test was “whether the employee’s tort
is so closely connected with his employment as to make it just to hold the employer liable.”

3 A question for the answer to which there appear to be no special corporate features – though it is an immensely
important question. However, it is worth noting that legal systems in limited circumstances make employers
liable for the torts of independent contractors, for example, in UK law through the unclear concept of a
“non-delegable” duty on the employer or the imposition on employers of a positive duty to supervise (as in German
law).
4 [2016] UKSC 11.

Whilst this may be thought to be a way of re-formulating the question, rather than providing
an answer to it, the up-shot of the decisions has been that vicarious liability operates so as to
create a form of “enterprise liability”. Enterprise liability broadened the range of negative
externalities for which the company could be held to be civilly liable, apparently on two
interrelated grounds. First, in general, if not in all specific cases, the employer is in a position
to control its liability by exercising supervision over its employees and agents; and, second,
where this is not so, it is normally in a better position to bear the uncontrollable costs of its
business than the person harmed. And very effectively vicarious liability works in most cases. The
company is likely to have a deeper pocket than the individual tortfeasor (though this cannot be
guaranteed across the board)5 and the claimant no longer has to identify which of the employees
or agents committed the tort (in cases which are less clear than Mohamud), provided that it is
clear that someone or some persons within the organisation did so. As a judge said in an earlier
Supreme Court case, where the company was held liable for the fraud of an agent which was
contrary to the interests of the company:

[I]t is a fact of life, and therefore to be expected by those who carry on businesses, that
sometimes their agents may exceed the bounds of their authority or even defy express
instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave
those wronged with the sole remedy, of doubtful value, against the individual employee who
committed the wrong. To this end, the law has given the concept of ‘ordinary course of
employment’ an extended scope. (Lord Nicholls in Dubai Aluminium Co Ltd v Salaam (2002)6)

The main limitation on the vicarious liability doctrine is that the claimant must be able to show
that a tort was committed by some employee or agent within the organisation (so that the
company may be vicariously liable for it), even if the actual wrongdoers cannot be identified.
If there was no tort committed or provably committed by a natural person, the company cannot
be vicariously liable. But, in doubtful cases, the court is likely to help by drawing inferences.
If a foreign object is discovered in a sealed container produced by a food manufacturer, the
court is not likely to require much persuasion to shift the evidential burden of proof onto the
company to show that it was not through its employees’ negligence that the object found its
way into the product. And the company will not normally be in a good position to rebut that
inference.

5 In so far as vicarious liability reduces the probability that the individual managers will have to pay out in
practice, it can be welcomed on the grounds that shareholders are better able to diversify their risks than
full-time managers, who might choose to act overly cautiously if there was a real prospect of their personal liability.
6 [2002] UKHL 48.

Criminal law

When the focus shifts to the criminal law, however, the cross-jurisdiction consensus breaks
down, a variety of approaches can be discerned, and the shape of an effective general solution
to corporate liability for crimes committed by its employees and agents even when acting in
the furtherance of the company’s business is heavily disputed, among both lawyers and policy-
makers. In the eighteenth century, Lord Thurlow, an English Lord Chancellor, famously said:
“Did you ever expect a corporation to have a conscience, when it has no soul to be damned,
and no body to be kicked?"7 This was more a comment on the difficulties of punishing
companies than one about their liability in principle – and it was not a very convincing
argument, even at that level. It is perfectly possible to fashion dissuasive sanctions for
companies, for example, by way of fines or restrictions on or the removal of their freedom to
conduct business.

A more principled objection to corporate criminal liability was put forward by Friedrich Carl
von Savigny in 1840. He said:

Criminal law has to do with natural persons as thinking and feeling persons exercising their free
will. A legal person, however, is not such a person but merely a property owning being ... Its
reality is based on the representative will of certain individual persons which, by way of a fiction,
is attributed as its own will. Such a representation ... can be acknowledged everywhere only in
civil law, but never in criminal law.
Everything which is considered as a legal person's crime is always only the crime of its members
or organs, this means of single human beings or natural persons ... If a legal person were to be
punished for a crime, the basic principle of criminal law, the identity of the offender and of the
sentenced person, would be violated.8

The force of this argument and, perhaps even more, of Savigny’s reputation may help to
explain why, even as late as the post-Second World War period, German law denied in
principle the availability of corporate criminal liability. In the US, by contrast, by the
beginning of the twentieth century, jurists, perhaps less impressed by arguments based on
an analysis of the concept of legal personality and free will, had moved to the imposition of
vicarious criminal liability on companies, where employees or agents had acted in the course
of the company’s business.9 The UK, again perhaps typically, adopted a somewhat
incoherent middle ground, closer to the German position, though even that did not find
expression until the middle of the last century. A form of attribution of liability to companies
emerged, but only where the crime was committed by those who constituted the “directing
mind and will” of the company – a term which did not extend much beyond the board of
directors.10 In this case, it was said, the actions and states of mind of the directors were those
of the company, but this was in truth a limited form of attribution. In practice, it meant it
was very difficult to convict a company of a serious criminal offence where the actors were
located below board level – unless, ironically, the company was a small organisation where
the directors constituted the main part of its workforce.
At a more granular level, one can see that even jurisdictions which had not gone down the
US route developed some qualifications to the non-liability principle. In Germany
companies were made liable for administrative offences under the
Ordnungswidrigkeitengesetz, whilst in the UK the problem with attributing criminal
liability to companies was regarded as confined to crimes involving a guilty mind (mens
rea). Consequently, companies were liable, not only under regulatory rules, but also in
respect of criminal offences based on strict liability. The courts have generally accepted
corporate liability even where the strictness of the obligation was qualified by the phrase “so
far as reasonably practicable”, as it often is in health and safety at work legislation.11
Nevertheless, where vicarious liability for criminal offences was not fully accepted the
result was highly unsatisfactory. Companies other than small ones could not be prosecuted
for the most serious criminal offences, which seemed a perverse result. A striking example
was provided by the Herald of Free Enterprise catastrophe, when a ferry left Zeebrugge for
Dover in March 1987 with its bow doors open (apparently to save time) and, before they
could be closed, the ship filled with water, turned over and sank with 193 fatalities. The
large company which operated the ferries between Belgium and the UK was not itself
convicted.12 By contrast, a small leisure company which organised canoeing trips close to
the English shore was found guilty of manslaughter by gross negligence after a fatal
excursion because its director was its principal (and negligent) employee.13

7 Quoted in John Poynder, Literary Extracts (1844), vol. 1, p. 268.
8 Friedrich Karl von Savigny, System des heutigen römischen Rechts, Vol. II, Berlin 1840, p 310
9 The leading case, at least with hindsight, was New York Central & Hudson River Railroad Co. v. United States
212 US 481 (1909), though that case could have been interpreted more narrowly. However, the American Model
Penal Code §2.07 (American Law Institute, 1962) adopts an approach based on organisational liability in the case
of serious crimes.
10 This concept emerged initially in the civil law for those few cases, mainly maritime ones, where vicarious
liability was not enough to make the company liable. See Lennard’s Carrying Co Ltd v Asiatic Petroleum Co Ltd
[1915] A.C. 705, HL. The notion echoes the “organ” analysis of continental systems. Lord Haldane, who gave the
leading judgement, was probably influenced by the distinction drawn between agents and organs in German
company law, Haldane having studied in his youth in Germany. His approach was discounted recently by Lord
Hoffmann in the case discussed in n 2.
11 For the state of the law at about this time see, for England, C Wells “Corporate Criminal Liability in England
and Wales: Past, Present and Future” in M.Pieth and R.Ivory (eds), Corporate Criminal Liability, 2011 and, for
Germany, the references to the OWiG in A Eser, G Heine and B Huber (eds.), Criminal Responsibility of Legal
and Collective Entities, 1999.

II. Beyond attribution: organisational fault


For those jurisdictions which rejected a general doctrine of vicarious liability for criminal
offences, the attribution discussion seemed to have run into the sand by the end of the last
century. But public pressure to plug this gap in corporate liability eventually led to
legislative acceptance that an alternative approach to the issue was available. Instead of
focussing on the attribution to the company of the criminal acts of employees and agents,
the new focus was on the way the company organised its affairs. This was direct criminal
liability for the company, not liability attributed to it from another. It was an approach which
fitted in well with the emphasis on improved corporate governance which emerged in the
1990s. The focus of that movement may have been the reduction of shareholders’ agency
costs, but developments in criminal law showed that the idea had value also in the control
of corporate externalities.
Of course, this new approach necessitated an examination of the decisions of the relevant
layer of management, and the attribution of those decisions to the company, but not in order
to determine whether those managers had committed a crime, but in order to determine
whether the company was blameworthy because of the managers’ organisational failings. It
thus involved attribution of decisions, but not of liability. It might even be that no one within
the company could be shown to have committed a criminal offence, but the company might
nevertheless be held liable for a crime. This would be the case where organisational failings
permitted a serious harm to be inflicted on a third party but no particular employee had
sufficient control over the events which led up to the harm to be individually culpable. Thus,
the liability of individuals was decoupled from the liability of the company, and vice versa,
unlike in traditional attribution where the former is a necessary condition for the latter.

12 P & O European Ferries (Dover) Ltd (1991) 93 Cr App R 72 (Central Criminal Court)
13 Kite and OLL Ltd, Winchester Crown Court, 8 December 1994, unreported.

This approach appears most clearly when the legislature creates a criminal offence which
can be committed only by a company (or other legal entity) and not by an individual, and
bases the company’s liability on its managerial failings. This is the approach taken in the
Corporate Manslaughter and Corporate Homicide Act 2007 (UK), which creates the
following offence, which can be committed only by organisations (including companies):
An organisation to which this section applies is guilty of an offence if the way in which its
activities are managed or organised—
(a) causes a person’s death, and
(b) amounts to a gross breach of a relevant duty of care owed by the organisation to the
deceased (s.1(1))
We do not need to go into the details of this law, which has been criticised by some as being
too narrowly framed: it covers only death caused by breach of a duty which exists apart
from the Act and requires a “gross breach” of it through the failings of its senior managers.
The point is that it is free-standing liability for organisations, based on their organisational
inadequacies, and, therefore, does not depend on traditional notions of attribution of liability
from individuals within the organisation.
However, it should not be supposed that this technique requires the creation of independent
crimes for companies. It can be applied to crimes which can also be committed by
individuals, but it still creates a basis of corporate liability which does not depend on the
attribution to the company of the acts and states of minds of individuals. The leading
jurisdiction with this as a general approach to criminal corporate liability is Australia.
Essentially, what Australia has developed is a radical extension of notions of “accessory”
liability, which probably all jurisdictions contain. In the traditional language employed in
the UK, accessory criminal liability arises when a person “aids, abets, counsels or procures”
a criminal offence. So, applied to a company, there must be an established crime which the
individual agent or employee might commit, but the company is not made liable for
committing that wrong but for supporting or facilitating it in some way. Indeed, if the
liability of the company is based on counselling, the underlying offence may not in fact be
committed by anyone. So, one might say that traditional accessory liability, when applied
to companies, is a form of direct criminal liability, which looks at the problem from the top-
down, not from the bottom-up.14
Australia has adopted a broader approach since 1995 by virtue of section 12(3) of its
Criminal Code, which will be slightly amended if the recent recommendations of the
Australian Law Reform Commission are accepted.15 It starts from the relatively
uncontroversial statement that the company is liable where the board knowingly,

14
Of course, it is crucial whose actions can be attributed to the company for the purposes of the accessory
liability. Traditionally, it is only the acts of the board or other senior management that count, but see the
Australian law discussed below.
15
Australian Law Reform Commission, Corporate Criminal Responsibility: Final Report, ALRC Report 136, April
2020. References as to the section as proposed to be amended.

Electronic copy available at: https://ssrn.com/abstract=3940444


11

intentionally or recklessly authorised or permitted the commission of the ‘relevant physical


element’ of the offence. Whether the person so authorised or permitted in fact committed a
crime, for example, because he or she did not possess the relevant guilty mind, is irrelevant
to the company’s liability. It moves on to make the same provision in relation to
authorisation or permission by an employee or agent of the company acting within the scope
of his or her apparent authority (subject to a defence for the company that it took reasonable
precautions to prevent the agent from so authorising or permitting). Finally, the important
innovation, made in the 1990s, is that the company may be liable where the prosecution
proves that “that a corporate culture existed within the body corporate that directed,
encouraged, tolerated or led to non‑compliance with the relevant provision.” Here,
therefore, the concept of managerial failing is extended beyond authorisation or permission
by management (at whatever level) of specific acts to embrace managerial practices and
arrangements which encouraged non-compliance with the applicable rules. For example, a
company which puts pressure on its employees to increase output and at the same time turns
a blind eye to practices which offended the rules would run a risk of being found guilty of a
criminal offence through a combination of the acts of its employees and its own managerial
culture. It is true that, under the Australian formulation, the prosecution carries the burden
of proving the existence of the relevant culture and this may not be an easy task, but section
12(3) clearly demonstrates the potential of focussing liability on managerial failings.

III. Harnessing the organisational capacities of the company to support compliance with the law
The managerial approaches to criminal liability discussed in the previous section can be said
to have two principal features in comparison with attribution of liability. First, pinning
corporate liability on to the decisions of managers about how to conduct the company’s
business avoids the strict liability consequences of vicarious liability but identifies an
appropriate basis for liability since one may assume that those decisions are driven by
managers’ perceptions of what the success of the business requires. The availability of a
“reasonable measures” defence in relation to the actions of subordinate managers gives the
company some control over the risks it runs in a delegated management structure. In other
words, this approach can be presented as a manifestation of enterprise liability, like vicarious
liability in the civil law sphere, but here adapted to meet society’s different and narrower
conceptions about when criminal liability should be imposed on companies. However,
it should be noted that this approach, while of particular importance to private sector

companies, is not a pure company law doctrine. Rather it is an approach to the criminal
liability of organisations. Thus, the section from the UK Act discussed above applies to
partnerships and all corporate bodies, whether incorporated as a private company under the
Companies Acts or in some other way (an example would be a body incorporated under a
public sector statute such as a National Health Service “trust” hospital, which is,
confusingly, not a trust in legal form but a corporate body).
Second, the managerial approach to criminal liability points companies in the direction they
should go if they wish to reduce their criminal liability: they should re-arrange their affairs
so as to avoid serious crimes. This basis for liability generates an incentive for companies
(and other organisations) to arrange their affairs differently. This second feature is not,
however, unique to criminal liability based on managerial failure. Vicarious criminal
liability creates an even stronger incentive for companies to arrange their affairs so as to
avoid serious crimes, since they know that they will be liable for crimes which occur even
after they have taken all reasonable steps to prevent their occurrence. As Professor Coffee
showed some time ago, the objection that criminal liability in such circumstances is
unacceptable is partly met in the US at the point of penalties. Under US federal law and in
some states where vicarious criminal liability applies, companies receive a substantial
discount on the fine that would otherwise be imposed, if they have demonstrably developed
and implemented policies to prevent the crimes being committed within the business and
have co-operated with the prosecuting authorities by self-reporting breaches and
cooperating with investigations.16 These incentives upon companies to reduce crime are
strengthened by deferred prosecution agreements (DPA), which have recently been adopted
in the UK from the US, where they are of long-standing. Here the company avoids a criminal
conviction provided that it cooperates with the prosecuting authorities, including self-
reporting, pays a fine roughly equivalent to what it would have paid upon conviction and
often further compensation to those harmed by the criminal acts and agrees to a set of
remedial measures.17

16
John C Coffee, “Corporate Criminal Liability: an Introduction and Comparative Survey” in Eser, Heine and
Huber (eds), above n.11, 9.
17
There is, however, a dark side to DPA. There is a strong incentive for both managers and prosecuting
authorities to agree to them, which the insertion of court approval into the DPA process in the UK seems not to
have reduced. The former avoid the stigma of a criminal conviction for the company, which could render its
business more difficult to conduct in the future, whilst the money paid over is not the managers’ money. The
latter obtain a win which they will publicise without facing the costs and uncertainties of a trial. But the DPA
does not cover any individual within the company alleged to have committed criminal offences and whose acts
are usually publicly identified in the statement of facts agreed between the company and the prosecuting
authorities. In fact, the DPA normally requires the employees to be cut loose by the company. However, in the

However, under the two laws considered at the end of section II, the incentives to re-arrange
the companies’ internal organisation so as to avoid crime are relatively weak. Under the UK
Corporate Manslaughter Act the liability is limited in a variety of ways, whilst under the
Australian law, although it applies generally, the prosecution must prove the existence of a
corporate culture which, in some way, caused or encouraged the breaches of the rules. If no
such culture exists, there can be no corporate liability. The incentive for the company is thus
to avoid encouraging or facilitating crimes within the organisation, but not to take steps
beyond that to prevent crime. One might say that the Australian provisions, novel though
they were, were formulated in essentially negative terms: avoid managerial actions which
encourage breaches of the rules. In the next section we consider in a little detail two further
developments in corporate liability which increase the incentives on companies positively
to take steps to prevent unlawful acts, whilst stopping short of imposing vicarious liability.
These two developments are the creation of corporate criminal liability for failing to prevent
the commission of crimes within the company’s business (broadly defined) and the
imposition upon companies of a “duty of vigilance”. Under both types of rule, the incentive
for companies to reorganise their internal managerial arrangements is considerably
intensified, for the mere commission of an illegality within the organisation opens up the
company to potential liability, but the company is not automatically liable for those crimes,
as under vicarious liability. Management is now incentivised to devote resources to reducing
illegality within the organisation and thus corporate liability – at least to the point where the
costs of preventative measures exceed the expected benefits of the reduced liability –
irrespective of any characterisation of the company’s culture as one which encourages
illegality.
What are the arguments in favour of this further step? There is a core argument in favour
and an extension, the extension reflecting a globalised world. The core argument starts from
the premise that it is easier for those in continuous control of the conduct of the company’s
affairs to take steps to prevent illegality and to work out the optimal way of reducing those
risks than it is for outsiders, for example, prosecuting authorities, with only episodic and
superficial contact with the company. From this ex ante perspective, the function of ex post
liability on the company is to sharpen its incentives to find that optimal balance ex ante.

UK many subsequent prosecutions of those individuals in the courts have failed, often spectacularly, thus casting
doubt on the original DPA. See Paul Davies, Introduction to Corporate Law, 3rd ed, 2020, pp 292-295 and more
recently “Trial of former Serco executives collapses as SFO fails to disclose evidence”, The Guardian, 26 April,
2021.

Failure-to-prevent rules and vigilance duties thus come close to vicarious liability but are
not congruent with it. The crucial dividing line is that under both failure-to-prevent and
vigilance rules some sort of defence is provided, based on the absence of fault. That defence
may be framed narrowly, as with an “adequate procedures” defence, or it could be framed
more broadly as a general defence based on the absence of negligence. The standard law
and economics analysis in this area is that vicarious (ie strict) liability better promotes
internalisation of harms inflicted by companies on others, because companies are
incentivised to devote resources to preventative measures up to the point where the marginal
additional expenditure is less than the marginal reduction in expected liability.18 Duty-based
rules score less well on this dimension because, where there is no breach of duty, the
company will carry no liability and so has no incentive to expend resources on preventative
measures. However, in this analysis, preventative measures are defined as measures which
deter crime without affecting an agent’s probability of being sanctioned. Actions which
increase the probability of sanctions are termed “policing” measures and here duty-based
liability scores better because, unlike with strict liability, a company does not necessarily
incur liability if wrongdoing is discovered, provided the company has taken proper steps to
discourage it. A duty-based rule avoids the “perverse” incentive of vicarious liability that
the company is incentivised to prevent wrongdoing but not to discover it, if it actually
occurs.19
The extended argument for corporate liability based on managerial failures takes the point
about the weakness of the prosecuting authorities further and applies it to the prosecuting
authorities of (some of) the foreign countries in which the company operates. On this
extended argument, the company should be liable in its country of incorporation (and
conceivably other countries) even though the illegal conduct took place neither in its
jurisdiction of incorporation nor in the jurisdiction in which it is being prosecuted. For this
step to work effectively, liability needs to be imposed on the company, not only for actions
occurring within its own operations, but also those within other group companies and,
conceivably, within contractors and customers. This blunt extraterritoriality is justified on
the basis that the prosecuting authorities in the jurisdictions where the illegality took place

18
This is a socially optimal outcome if we assume (i) that the expenditures by the company are a social cost
because they increase the cost to society of the company’s outputs and (ii) that the fine expected to be paid by
the company reflects the cost to society of the harm done. So expenditures on (i) should be made to the point
where they exceed the benefits flowing from reducing (ii).
19
J Arlen and R Kraakman, “Controlling corporate misconduct: an analysis of corporate liability regimes” (1997)
72 New York University Law Review 687.

are ineffective (whether because of lack of resources, corruption or some other reason) and
that the conduct in question harms both the economic growth of the countries where it occurs
and growth of international trade. The argument has its most obvious application to the
bribery of public officials and other forms of governmental or quasi-governmental
corruption.20

IV. Failure to prevent liability and duties of vigilance


(a) Failure to prevent rules.
An early example of a “failure to prevent law” applying extraterritorially was s.7 of the
Bribery Act 2010 (UK). This imposes liability on the company21 where a person
“associated” with it bribes another person in order to promote the company’s business. An
associated person is anyone who performs services on behalf of the company and this term
is wide enough to include employees and agents of subsidiaries or affiliates, as well as of
the company itself, and contractors. For the purposes of the corporate liability, it is irrelevant
that the bribery took place outside the UK, even though individual liability for bribery
outside the UK is narrowly constrained.22 The liability imposed does not require fault on the
part of the company to be proved, but the company has a defence if it has put in place
“adequate procedures” to prevent associated persons from engaging in bribery. This is a
more restricted defence, leading to sharper incentives on the company, than that originally
proposed by the UK’s law reform body, the Law Commission. The Law Commission would
have based corporate liability on negligence, with adequate procedures being conclusive
proof of the absence of negligence.23 A further change made in the Parliamentary process,
but without extensive debate, was to extend the corporate liability, even in relation to foreign
bribery, to all companies operating in the UK, whether incorporated in the UK or not. The

20
The de haut en bas flavour of this argument is somewhat diluted by the support for extraterritorial
measures by the UN and the OECD, but see the discussion of China, below.
21
Or any other commercial organisation.
22
S.12.
23
For the original recommendation see Law Commission, Reforming Bribery, LAW COM 313, 2008, paras. 6.93ff;
for the Parliamentary change see House of Lords/House of Commons Joint Committee, Draft Bribery Bill, First
Report, July 2009, Ch.5. In consequence, the company will be liable if it has no procedures in place, even if it was
arguably not negligent on the facts of the case. Thus, the UK subsidiary of the South African Standard Bank was
held liable for bribery committed by employees of an African affiliate (with which it was involved in a loan deal
to an African government) because it had no procedures for supervising the actions of such employees. On the
original formulation of the law it would have been able to argue that its reliance on the African affiliate to
perform the supervision was reasonable. See Serious Fraud Office v Standard Bank, Decision of 30 November,
2015 (available at www.judiciary.uk/wp-content/uploads/2015/11/sfo-v-standard-bank_Preliminary_1.pdf).

Law Commission had rejected this extension on the grounds that it invited “tit for tat” retaliation
by other countries.24
It is clear that the UK Act was in part a response to pressures on the UK to implement
effectively Art. 2 of the OECD Convention on Combating Bribery of Foreign Public
Officials in International Business Transactions, which requires Parties to “take such
measures as may be necessary, in accordance with its legal principles, to establish the
liability of legal persons for the bribery of a foreign public official.” Whether the prior UK
law was in breach of the Convention was disputed, those denying breach pointing to the
phrase “in accordance with its legal principles” in Art. 2 and their opponents suggesting that
the absence of a failure-to-prevent offence and lack of extraterritorial reach caused the prior
UK law to be ineffective.25 In any event the Law Commission was in favour of the reforms
advocated by the opponents, whilst not accepting the validity of their argument based on the
Convention.26 Moreover, having adopted failure-to-prevent corporate liability in the narrow
area of bribery, the UK government became enamoured of the technique and has suggested
that failure-to-prevent liability might be appropriate in relation to all economic crimes - but
so far has imposed liability only in respect of evasion of the UK tax laws.27

(b) Duties of vigilance


While failure-to-prevent liability constitutes a further development of the use of managerial
failings to impose direct criminal liability on a company, beyond the “encouragement” of
wrongdoing laws considered in Section II, it would be wrong to think of it as a technique
which is confined to the criminal law. Certainly, there is no functional need to deploy it in
areas of civil law where vicarious liability and accessory liability of the traditional type
apply. However, failure-to-prevent liability is not conceptually confined to the criminal law.
Recently, the extension of this type of corporate liability to a wide range of international
standards in the human rights and environmental fields, as well as in relation to corruption,
has been proposed by the European Commission and the European Parliament. In this

24
See the Parliamentary Joint Committee, previous note, paras. 154-155.
25
See M Pieth, “Article 2: The Responsibility of Legal Persons”, in M Pieth, L Low, and P Cullen (eds), The OECD
Convention on Bribery: A Commentary (2007).
26
See Law Commission, 6.72 to 6.92.
27
Criminal Finances Act 2017.

respect, they were following the lead of the French legislature which enacted a law creating
a devoir de vigilance for large companies in 2015.28
Vigilance duties represent a further mutation in direct corporate liability. Whereas failure-
to-prevent liability creates an incentive for companies to review their business arrangements
ex ante so as to reduce the risk of ex post liability, there is no obligation upon the company
under such laws to do so. It may decide against a review and take the risk of being found
liable later on. However, where the company’s activities carry a significant probability of
infringement of the relevant rules, this may not be a rational choice, so that it may be argued
that in functional terms there is not much difference between a failure-to-prevent liability
and a vigilance duty (assuming both apply to the same set of underlying wrongs). However,
it is suggested that there is, in fact, a significant difference between the two. A vigilance
duty adds conceptually an additional duty to the failure-to-prevent duty, so that two
liabilities arise potentially. These are (i) liability for failing to carry out (and periodically
update) a review of the illegality risks within the company’s business and to produce and
implement a set of policies for reducing the risks identified and (ii) liability for actual
breaches of the relevant standards, usually on a fault basis. Even if no breaches have
occurred under (ii), the company may still be subject to supervision and regulatory oversight
on the basis that its discharge of the vigilance duty was inadequate. (i) is a governance
strategy whereas (ii) is a traditional liability for breaches of rules or standards to which the
company is required to conform. Thus, under the European Parliament’s draft of March
2021 on corporate due diligence29 (discussed further below) one article is devoted to civil
liability (art.19). This requires Member States to introduce liability regimes (“in accordance
with national law”) for harms caused through actual or potential breaches of the standards
to which it applies, but subject to the defence “that undertakings that prove that they took
all due care in line with this Directive to avoid the harm in question, or that the harm would
have occurred even if all due care had been taken, are not held liable for that harm.” In fact,
national laws have already taken significant steps in this direction.30 For the rest the principal

28
C. com., art. L. 225-102-4-II. See A Pietrancosta and E Boursican, “Vigilance: un devoir à surveiller” La
Semaine Juridique, 11 May 2015.
29
European Parliament, Recommendations For Drawing Up a Directive of the European Parliament and of the
Council on Corporate Due Diligence and Corporate Accountability, Annex to the Resolution of 10 March, 2021
(2020/2129(INL)).
30
See, for example, the judgements, accepting liability in principle against Shell for alleged environmental and
human rights harms in Africa, by the UK Supreme Court and the Dutch Court of Appeals (Four Nigerian Farmers
and Milieudefensie v. Shell, Gerechtshof, The Hague, 29 January 2021; Okpabi v Royal Dutch Shell plc [2021]
UKSC 3, following Lungowe v Vedanta Resources plc [2019] UKSC 20). In these cases, liability was accepted as
available but on the basis of existing national doctrines of civil liability (either of the country of incorporation or

focus of the twenty-two articles of the Draft is on the governance strategy, ie the duty to carry
out a risk assessment in relation to possible breaches of the international standards in the
areas which it covers.
The vigilance duty (both in the form actually adopted in France and in that proposed by the
European Parliament) thus transposes the incentive structure implicit in duties to prevent
into a formal risk assessment obligation in relation to the international standards applicable
in the human rights, environmental and corruption areas (which the EP draft refers to as
“good governance”). Neither risk assessments as part of good corporate governance nor an
emphasis on corporate respect for human rights and other international standards is new in
the second decade of the twenty-first century. However, the obligations of the bodies with
risk assessment duties are normally stated in general terms and leave the company almost
exclusive competence in relation to the implementation of the duty, subject to possible ex
post liability consequences if the directors do a poor job at the implementation stage
(possible liability for both the company and its directors in negligence, for example).
Thus, Art.39 of the Audit Directive31 requires public interest entities to have audit
committees consisting of non-executive directors, one of whose eight duties is to “monitor the
effectiveness of the undertaking's internal quality control and risk management systems and,
where applicable, its internal audit, regarding the financial reporting of the audited entity...”
Looking at risk assessment more generally the UK Corporate Governance Code, operating
on a “comply or explain” basis, says that “The board should establish procedures to manage
risk, oversee the internal control framework, and determine the nature and extent of the
principal risks the company is willing to take in order to achieve its long-term strategic
objectives.”32 Both these sets of requirements oblige companies to establish machinery to
assess defined categories of risk, but leave companies largely free to decide how
the machinery, once established, is to go about its business. As to corporate respect for human
rights standards, the UN Guiding Principles on Business and Human Rights (2011) require
companies to “seek to prevent or mitigate adverse human rights impacts that are directly
linked to their operations, products or services by their business relationships, even if they

the country where the harm occurred). For debate over whether corporate civil liability can be based on
breaches of customary international law see the decision of the Supreme Court of Canada in Nevsun Resources
Ltd v Yebeyo (2020 SCC 5), where the majority of five judges was prepared to accept this but the minority of four
was not.
31
Directive 2006/43/EC, as amended. The audit committee requirement was introduced in 2014. There are
more demanding rules for financial institutions, especially banks. See Klaus J Hopt, Corporate Governance of
Banks and Financial Institutions, ECGI Law Working Paper 507/2020.
32
UK Corporate Governance Code 2018, Principle O.

have not contributed to those impacts.”33 This UN document clearly influenced many
elements of the EP draft. However, it views enforcement largely as an ex post activity and
leaves it to the signatory states. The same comment may be made about the human rights
aspects of the OECD Guidelines for Multinational Enterprises (2011), where enforcement
is principally a question of mediation through “national contact points”.
The French law and the EP draft differ from the documents mentioned in the previous
paragraph along one or more of three dimensions, which are to some extent interrelated.
First, the duty of vigilance is encased in legal obligations which take away a substantial part
of the company’s capacity to decide how to comply with the standards; second, they apply
to a wide range of international standards most of which were initially devised in an inter-
state context and whose application in a commercial context has not been the subject of
detailed consideration; third, they pay no regard to the potentially adverse reaction of foreign
host states when companies come to implement the international standards.
On the first point, to take the EP Draft as a focus, the public authorities have power to
investigate companies’ discharge of their risk assessment duty and to impose sanctions for
failure to remedy deficiencies (up to and including orders for the temporary cessation of the
company’s business) even in the absence of actual breaches of the international standards
by the company or those associated with it.34 In addition, a wide range of stakeholders must
be involved by the company in the drawing up and the annual review of the policy resulting
from the risk assessment exercise and those stakeholders (and others) may complain,
anonymously and in confidence, if they desire, about the inadequacies of the company’s
discharge of its duty.35 Finally, as an alternative to complaints to the public authorities, the
company must itself provide a grievance mechanism “allowing any stakeholder to voice
reasonable concerns regarding the existence of a potential or actual adverse impact on
human rights, the environment or good governance”.36 Thus, whereas a bare risk assessment
duty may add little to failure-to-prevent liability, that duty can be developed, as in this case,
to reduce substantially the company’s capacity to shape its business to meet the relevant
standards in the way that seems to it most likely to enable it to meet those standards and still
conduct an effective business, especially in relation to competing companies from
jurisdictions which do not impose similar constraints. On the contrary, the risk is that the

33
Principle 13(b). Principle 13(a) refers to the company’s own activities.
34
Arts. 13 and 18.
35
Arts. 5, 8 and 13.
36
Art.9.

due diligence process will turn into a continuing political negotiation, in particular with civil
society groups, rather than be a business strategy analysis designed to reduce externalities.
As to the second point, the core of the problem is the failure of the proponents of the
vigilance duty to give sufficient attention to the capacity of companies to secure compliance
with the standards and to shape the companies’ liability according to that capacity. Whilst
it is true, as argued above, that the company is often in a better position to control illegality
within its business than the public authorities, it is a non-sequitur to conclude that the
company’s control capacity is unlimited. The European Parliament’s proposal builds
corporate liability onto a bewildering number and variety of international instruments in the
three areas it covers, namely, human rights, environmental standards and anti-corruption,
with little or no attempt to differentiate among their substantive requirements. Some of these
standards are precise as to outcomes and there is a range of actions wholly within the
company’s control to achieve these outcomes. This is especially so in the corruption area.
Examples might be rules against corporate bribery of foreign officials or money-laundering
by banks and other financial institutions. Here, failure-to-prevent liability and vigilance
duties can be implemented by companies at reasonable cost and with reasonable certainty
about what is required of them. This is not to deny that effective anti-corruption and anti-
money laundering regimes may require significant changes in companies’ internal
arrangements, but that is the point of the rules. However, this is also the area where national
laws have already made the most progress and so where new initiatives, such as that
proposed by the European Parliament, are likely to add the least value.37
At the other end of the spectrum are many human rights standards. Recital 21 of the EP
Draft refers to some 20 international standards on human rights, some of which incorporate
further sets of standards. For example, the Recital refers to the International Bill of Human
Rights which in turn states that it “consists of the Universal Declaration of Human Rights,
the International Covenant on Economic, Social and Cultural Rights, and the International
Covenant on Civil and Political Rights and its two Optional Protocols.” Apart from the
range of instruments companies will have to consider, these standards differ from the bribery and
money-laundering examples in not having been drafted initially in a commercial context but
as guides for action by states and often express political or aspirational goals rather than
contain fixed rules. For example, both the International Covenant on Economic Social and

37
It is perhaps significant that the French law does not include international standards on “good governance”
within its purview.

Cultural Rights and the European Social Charter require “fair remuneration” and “just
conditions of work” (Art 7 of the former and Arts 2 and 4 of the latter). Does this mean
anything more than that foreign companies coming into a country should meet or marginally
exceed the local standards? If it does, what are the criteria for judging fairness? The
Conventions of the International Labour Organisation may be of some use, but they are
more concerned with the introduction of minimum wage setting machinery (inevitably a
task for states) than with setting specific wage levels, beyond requiring adherence to
whatever wage level is set through that machinery.38 It is unlikely that provisions drafted
with the aim of ultimately being enforced in courts would have been written in such an open-
ended fashion (contrast, for example, the specificity of national minimum wage laws or
rules on working time) and the difficulties companies will have in interpreting them are
clear.39
However, when the company has worked out what these working conditions standards
require in a particular context, at least it can be said that the company has full control over
the implementation of its response. Presumably, the levels at which it sets wages and other
terms and conditions of employment are within its own control – though other employers in
the host country may not be happy if a foreign company exceeds the going rate. But some
of the human rights standards are not apparently addressed to employers at all and yet they
are included in the list of matters to be covered by the due diligence duty in the EP’s draft.
For example, Art 21 of the UN Universal Declaration of Human Rights states that “everyone
has the right to take part in the government of his country, directly or through freely chosen
representatives." What are the implications of the duty of vigilance for a company operating
in a country whose government is evidently a dictatorship (even if it adopts the camouflage
of a democracy)? Many of the world’s most important trading nations arguably fall within

38
See, for example, ILO Convention No. 131, Minimum Wage Fixing, 1972. The fixing may occur through multi-
employer collective bargaining, but that is unlikely to be effective in the absence of legislative support.
39
Because of the imprecision of the obligations imposed on companies under the French law, the conseil
constitutionnel held that the criminal sanctions originally attached to the rules were unconstitutional and were
struck down: Decision of the French Constitutional Council n° 2017-750 DC of 23 March 2017 (available
at www.conseil-constitutionnel.fr/decision/2017/2017750DC.htm). “In view of the generality of the
terms it used, the broad and indeterminate nature of the reference to ‘human rights’ and
‘fundamental freedoms’, and the scope of the companies, undertakings and activities falling within the ambit
of the vigilance plan that it instituted, the legislature could not, without disregarding the requirements flowing
from Article 8 of the Declaration of 1789 and notwithstanding the public-interest objective pursued by the
referred law, provide that a company which had committed a breach defined in such
insufficiently clear and precise terms could be made liable to pay a fine of up to ten
million euros.”

this category. Some cases might be clear, for example, supplying guns to a government
which is currently in the process of putting down a popular protest against its non-
democratic governance arrangements, but most cases would be less obvious. Suppose there
is no civil unrest in the non-democratic country, would continuing to trade with it in civilian
goods be a breach of Art. 21? Probably, it would be disproportionate to require the trading
to cease but in an economically small, non-democratic country, even a company which does
not supply to the country but exports from it (for example, oil or minerals) might be regarded
as contributing to non-compliance with Art.21 if the royalties and other taxes payable
constitute a major part of the state’s revenues.
Although the EP draft is hedged around with some general provisions, requiring the
company to take only proportionate steps to address risks or requiring risks to be addressed
only when the company’s activities make a substantial contribution to the risk, there is a
basic unclarity in the Draft about how far the company is required to extend its efforts to
avoid human rights abuses. This problem is exacerbated by two further features of the draft.
The first is the extension of the vigilance duty throughout the company’s “value chain”, ie
to abuses occurring within suppliers or customers. The second, and more important, is the
imposition of the vigilance obligation beyond human rights abuses which the company’s (or
its suppliers’ or customers’) activities cause or contribute to so as to embrace risks of abuse
to which their activities are “directly linked” (without any causation).
In both respects the Draft follows the UN Guidelines, which are now a decade old and might
be argued not to have thrown up the problems anticipated above. However, the UN
Guidelines, whilst creating this analytical problem, are able to avoid its consequences to a
considerable extent because they do not surround the production of the strategy with an
elaborate supervisory structure, as the EP Draft does, rather leaving it to companies to decide
how best to produce and periodically review the strategy in the light of the guidance
provided. Signatory states are required to take enforcement action only in respect of abuses
which actually occur and then have considerable freedom to decide what enforcement
machinery to put in place. “States must take appropriate steps to ensure, through judicial,
administrative, legislative or other appropriate means, that when such abuses occur within
their territory and/or jurisdiction those affected have access to effective remedy.”40 For these
reasons, the question of the extent to which companies are required to adopt policies to
reduce the risk of human rights violations could be glossed over in the UN Guidelines, but

40
Principle 25.

that issue emerges centre-stage in the EP draft. Given the novelty and complexity of the
areas into which legal obligations upon companies to implement international standards are
being introduced, a mere listing of a large number of standards seems an inadequate way to
proceed with legislation.41
On the third point, companies seeking to implement legislation along the lines of the EP
draft are likely in some cases to face adverse reactions by the foreign states in which
companies seek to implement their human rights policies. A good example of the potential
traps for companies is the experience in early 2020 of the Swedish company, H&M, which
was frozen out of electronic access in the Chinese market, possibly only temporarily,
because of a statement made a year earlier in a corporate transparency statement about its
concerns relating to forced labour in a Chinese province. The example is instructive in two
ways. First, it shows a country which constitutes an important part of the global market
being unwilling to accept a characterisation by a foreign company of its practices as
constituting forced labour. In fact, the state-controlled Chinese Consumers Association
turned the tables by characterising the company’s action as potentially illegal. It said that
“companies’ statements on Xinjiang might constitute ‘deceiving’ consumers and infringing
their freedom of choice over raw materials.”42 Second, it shows the host state’s capacity to
inflict economic harm on the foreign company, whilst incurring little cost to itself or its
economy, since the impact of the boycotts of H&M (and Nike) seems to have been to boost
the market capitalisation of Chinese competitors.43
The point here is not that human rights abuses in China should not be addressed but that
challenging the practices of powerful states raises very delicate issues of international
diplomacy which are best left to such diplomacy rather than delegated in a decentralised way
to companies without expertise in the diplomatic arts. If states think it appropriate, they can
require companies incorporated in their jurisdiction not to trade with or to reduce their

41
In other words the “imprecision” critique extends beyond the criminal law so as to put in question all the
sanctions stipulated in the EP’s draft. For a development of this critique see European Company Law Experts
Group, The European Parliament’s Draft Directive on Corporate Due Diligence and Corporate Accountability
(available at ecgi.global/news/commentary-european-parliament%E2%80%99s-draft-directive-corporate-due-
diligence-and-corporate).
42
“Chinese apparel brands rally on support for Xinjiang cotton sourcing”, Financial Times, March 26, 2021.
43
Ibid stating that “Shares in Chinese apparel groups and other companies with ties to Xinjiang have rallied as
a backlash against western brands that have expressed concerns over forced labour in the region gathers
pace.”

reliance on particular products from particular countries,44 a potentially more effective,
because coordinated, response. At the time of writing, the international community has not
been able to agree a common policy about the implications of the forced labour issue for
participation in the Olympic Games scheduled for Beijing in 2022, but companies which
sponsor the International Olympic Committee are already coming under pressure
individually to withdraw their support.45 This is not a set of issues which even large
companies can be expected to address coherently on their own. It is noticeable that the UN
Guidelines, when dealing with the issue of the extra-territorial application of corporate
policies, are imprecise and unprescriptive. Signatory states, according to Principle 2, should
set out clearly their “expectation” that companies domiciled in their territory should respect
human rights “throughout their operations” but the Commentary on that Principle is
essentially descriptive rather than normative. The OECD Guidelines come closer to the issue
by providing that “in countries where domestic laws and regulations conflict with the
principles and standards of the Guidelines, enterprises should seek ways to honour such
principles and standards to the fullest extent which does not place them in violation of
domestic law.”46 However, this does not quite meet the issue which arose in H&M which
was (or was perceived to be) a decision by the company not to use the product of forced
labour rather than to break local law (subject to the possible contrary arguments of the
Chinese Consumers Association).

V. Conclusion
The historical trajectory of the law, looking at the matter broadly, has been from a starting point
where liability for wrongs inflicted on third parties was imposed on companies quite easily
where the general law doctrine of vicarious liability was available, but, where this was not so,
for example, in relation to serious crimes, many jurisdictions struggled to bring liability home
to the company itself. Having battled in a variety of ways with this issue over the years, most
jurisdictions outside the US moved from trying to make companies vicariously liable for crimes
to imposing liability upon them directly, on the basis of their managerial shortcomings.
Managerial failure, initially viewed as a doctrine to be used in only a limited range of
circumstances, proved to have remarkable potential. This was revealed when the concept was

44
As, for example, following US pressure the UK did with supplies from Huawei destined for its 5G network,
though this was done on national security, not human rights, grounds. It generated an angry response from
China. See “UK orders ban of new Huawei equipment from end of year” Financial Times, July 15, 2020.
45
“Olympics sponsors duck questions over Beijing 2022 as boycott calls grow”, Financial Times, May 6, 2021.
46
OECD Guidelines for Multinational Enterprises, Concepts and Principles 2.

expanded to embrace, first, corporate liability for failing to prevent harms and, second, a duty
of vigilance requiring companies to assess the risks of harms to others inherent in their
businesses and to develop strategies for reducing, or even eliminating, those harms. Overall,
there was a move from attribution to duty (implicit with failure to prevent rules; explicit with
the duty of vigilance) as the preferred technique for imposing liability on the company. With
duty, questions of attribution fall away: all the court or tribunal needs to decide is whether the
organisation has conformed to the duty laid upon it and there is rarely a need to consider the
culpability of individuals or groups within the organisation. However, the imposition of duties
on the company raises a whole new, and very different, set of issues, which I briefly alluded to
in Section IV. The legislature, no doubt, can shape corporate duties in any way it wishes (at
least within constitutional constraints). Whether it is wise to craft a duty in a particular way is
a different question. As I suggested in Section IV, it is important to analyse the capacity of the
company to achieve the results contemplated by the duty, where those results are not wholly
within the control of the company.
