By Min Aung, GNI Assessment and Accountability Manager
In early August, GNI published a blog outlining five fundamental changes that we have made for the fifth assessment cycle. These changes individually and collectively recognize the needs of our membership for a dynamic, adaptable, meaningful, and efficient assessment process that addresses the evolution of GNI, its membership, and the external environment. This blog is the first in a series that explores each of these changes in further detail. Please also see other blogs on service-related adaptations and adaptations to new forms of government interventions.
August 2024 is a date of significance under the EU’s Digital Services Act (DSA) for two reasons: first, it marks the deadline for the first 19 services designated as Very Large Online Platforms and Search Engines (VLOPSEs) to complete their second, annual Article 34 systemic risk assessment; second, it marks the deadline for these same entities to submit their first Article 37 independent audits, which will include a review of their year one risk assessments.
The DSA is one of many emerging laws that require certain activities intended to make business conduct more responsible and accountable (“emerging regulations”). Some, like the DSA, apply to certain tech companies, while others apply broadly regardless of sector, with obligations often ratcheting up depending on market presence and/or risk-related criteria. These regulations are emerging in different jurisdictions, but they share common components, including: the conduct of risk assessments (also referred to as “due diligence”) and establishment of corresponding mitigations, engagement with outside stakeholders, measures to enhance transparency, and sometimes the use of third-party audits. In these ways, they reflect the core tenets of the UN Guiding Principles on Business and Human Rights and the OECD Guidelines on Multinational Enterprises – two important frameworks that also inform and are reflected in the GNI Principles on Freedom of Expression & Privacy and corresponding Implementation Guidelines (together, the “GNI framework”).
For over fifteen years, GNI member companies have been sharing information and receiving feedback about how they attempt to address many of these components through the GNI assessment process. In this manner, GNI has helped member companies prepare for these emerging regulations, a conclusion that was illustrated in several assessments conducted in the last cycle (2020-2023). At the same time, these emerging regulations have also raised concerns related to the added costs of mandatory regulatory compliance, the potential duplication of efforts, and the lack of clarity in some regulations around how participation in third-party initiatives may factor into compliance.
In the first half of 2023, GNI collaborated with Article One advisors to research these emerging regulations, identify potential overlaps and gaps between them and the GNI framework, and explore opportunities for synergies with GNI assessments. Subsequently, in the first half of 2024, GNI produced detailed guidance for its members and accredited assessors to tailor the assessment based on each company’s unique exposure to emerging regulations. This blog elaborates on how such adaptations may occur based on the fifth cycle Assessment Toolkit.
General Requirements for Adaptation
To improve efficiency, adjustments were made to the GNI assessment process to allow company members to use efforts taken pursuant to regulatory compliance to demonstrate that they are making a good faith effort to meet corresponding aspects of the GNI framework, subject to two conditions:
An example of adaptation: the EU Digital Services Act
As alluded to above, the DSA is an important and precedential piece of tech regulation. Many GNI company members have operations in the European Union and are thus likely subject to certain requirements of the DSA. The following areas of audited DSA compliance have complementarity with GNI assessments:
Of course, the DSA’s focus is on steps taken by covered services to address risks to the European Union. Where such steps apply globally, they can helpfully illustrate general systems and policies that meet GNI’s non-jurisdiction-specific requirements. Where such actions are limited to Europe, or where additional information is needed to contextualize or elaborate on a company’s approach, additional information will need to be reviewed and presented in the GNI assessment. A non-public annex to the GNI Toolkit provides detailed guidance on how to identify and take advantage of such synergies in GNI assessments.
Reverse adaptation: Using GNI Assessments to support regulatory compliance
The GNI assessment process requires companies to identify, prevent, mitigate, communicate, and monitor impacts on freedom of expression and privacy rights, focusing on those impacts arising from government restrictions and demands. While the examples above highlighted how evidence of regulatory compliance can be used to demonstrate a company’s good faith efforts to implement the GNI Principles, the converse could also apply where regulations permit participation in third-party frameworks to be submitted as evidence of regulatory compliance.
One example of an emerging regulation that allows compliance to be supported by external processes is the EU’s Corporate Sustainability Due Diligence Directive (CSDDD), whose Recital 37 explains how participation in multistakeholder initiatives may “help create additional leverage to identify, mitigate, and prevent adverse impacts.” Various articles in the CSDDD mention how such initiatives may support companies’ implementation, including in developing and verifying “preventative action plans” (Articles 5 and 11) and conducting “meaningful stakeholder engagement” (Article 13). In addition, Article 20 of the CSDDD makes clear that companies may use independent third-party verification carried out by multistakeholder initiatives “to support the implementation of due diligence obligations” regarding companies in their “chain of activities.” As such, participation in GNI, including its independent, multistakeholder assessment process, should help companies demonstrate how they are complying with the CSDDD, at least with respect to salient freedom of expression and privacy-related risks.
Even where the use of multistakeholder frameworks is not explicitly addressed in regulations, as in the case of the Australian Online Safety Act or the EU’s Corporate Sustainability Reporting Directive, there often will be value for companies to proactively cite GNI’s independent assessment as evidence of their efforts to identify, prevent, mitigate, communicate, monitor, and otherwise manage salient freedom of expression and privacy risks.
GNI has collaborated and will continue to collaborate with regulatory authorities and our membership to ensure that GNI assessments and participation in GNI support compliance with regulatory requirements and improved respect for freedom of expression and privacy rights across GNI’s company members and the technology industry.