Navigating Human Rights in AI: A Strategic Compliance Framework for VLOPs and AI Companies

I. Executive Summary

The digital age has ushered in a profound and irreversible transformation in corporate responsibility, moving decisively away from voluntary corporate social responsibility initiatives towards a new era defined by mandatory human rights due diligence (mHRDD).1 Artificial Intelligence (AI) technologies, while offering significant opportunities, also pose serious human rights risks, particularly for Very Large Online Platforms (VLOPs) and companies extensively utilising AI. This necessitates a strategic and integrated approach to compliance.

AI introduces novel and amplified human rights risks, including algorithmic bias and discrimination, privacy and data usage violations, impacts on decision-making autonomy, surveillance capabilities, and the amplification of misinformation and disinformation.1 These risks are not theoretical; real-world cases demonstrate severe consequences, from tragic user harm to significant financial repercussions and reputational damage.1

The "Supply Unchained" (SU) method, based on the "Human Rights Golden Thread" concept, offers a robust, regulation-agnostic, and harms-based framework rooted in the UN Guiding Principles on Business and Human Rights (UNGPs) and OECD Guidelines.[1, 1] This approach streamlines compliance, enhances risk management, and builds stakeholder trust by unifying disparate regulatory obligations under a single, principles-driven methodology. It transforms compliance from a reactive necessity into a proactive driver of resilience and responsible innovation.1

The global regulatory landscape is rapidly evolving towards mandatory and enforceable human rights and environmental due diligence, backed by significant financial penalties and civil liability.1 The new UK parliamentary inquiry on AI and human rights further underscores this urgency, signalling heightened scrutiny and potential future legislation that will demand greater accountability from both private and public actors in the AI domain.2 Proactive adoption of a comprehensive human rights due diligence framework is no longer merely an ethical consideration but a critical strategic imperative for companies operating with AI.

II. Introduction: The Human Rights Imperative in the Digital Age

The global landscape of corporate responsibility is undergoing a profound and irreversible transformation, moving decisively away from voluntary corporate social responsibility (CSR) initiatives towards a new era defined by mandatory human rights due diligence (mHRDD).1 This evolution is fundamentally anchored in international standards, most notably the UN Guiding Principles on Business and Human Rights (UNGPs), which were unanimously endorsed by the UN Human Rights Council in 2011.1 The UNGPs establish an authoritative global benchmark, articulating the state's duty to protect human rights and the corresponding responsibility of businesses to respect these rights through their operations and relationships.1

Central to this responsibility is the concept of human rights due diligence—an ongoing, dynamic process, not a mere tick-box exercise.1 It compels businesses to proactively identify, assess, prevent, mitigate, and account for their actual and potential adverse impacts on human rights and, increasingly, the environment.1 A critical element of this framework is its focus: the primary concern is the risk posed to rights holders—individuals and communities whose rights may be affected—rather than solely the material risks confronting the business itself.1 This represents a fundamental reorientation in corporate risk perception and management.

This shift from voluntary CSR to mandatory HRDD is not merely a regulatory trend; it signifies a fundamental change in the nature of corporate responsibility. The UNGPs and OECD Guidelines, initially considered "soft law" or aspirational standards, are now explicitly integrated into national and regional "hard law" such as the EU Corporate Sustainability Due Diligence Directive (CSDDD), the EU Corporate Sustainability Reporting Directive (CSRD), and the German Supply Chain Due Diligence Act (LkSG).1 This integration effectively hardens expectations and makes adherence to these principles a legal and commercial necessity. It creates a powerful feedback loop in which the growing consensus around human rights in business informs legislative action, which in turn reinforces the importance and enforceability of the original principles. For businesses, this means that investing in compliance with the UNGPs and OECD Guidelines is no longer merely "good practice" but a strategic imperative for future-proofing operations. A "regulation-agnostic" approach, which focuses on these universal principles, becomes highly efficient because it inherently addresses the core requirements of multiple emerging hard laws, rather than requiring companies to play catch-up with each new piece of legislation. This transforms compliance from a cost centre into a strategic advantage.

Within this evolving context, the Technology, Media, and Telecommunications (TMT) sector, particularly its largest players often referred to as "Big Tech" or Very Large Online Platforms (VLOPs), occupies a unique and complex position.1 These companies operate at the dynamic intersection of rapid technological innovation, unprecedented global scale, profound societal influence, and deeply intricate supply chains.1 Their products and services—encompassing social media platforms, artificial intelligence systems, cloud computing infrastructure, sophisticated hardware, and telecommunications networks—now mediate fundamental aspects of modern life, from communication and information access to commerce and civic participation.1 This central role, however, creates a distinct and amplified set of human rights risks. Issues ranging from data privacy and freedom of expression online to labour conditions in global electronics manufacturing supply chains are inherent to the sector's operations.1 Consequently, TMT companies find themselves disproportionately exposed to, and increasingly scrutinised under, the burgeoning global regime of human rights compliance.1 The very nature of TMT business models and technologies often magnifies potential human rights impacts; for instance, the vast user base of major platforms amplifies the consequences of content moderation decisions on free speech, while the centrality of data processing creates inherent tensions with privacy rights, and the deployment of AI introduces novel risks related to bias and discrimination.1 This inherent amplification effect necessitates a particularly robust and principled approach to human rights within the TMT sector.1

This report advocates for a strategic shift towards a streamlined, multi-framework risk assessment process specifically tailored for TMT companies. The central argument is for the adoption of fundamental human rights principles as a "golden thread"—an organising logic that unifies diverse compliance obligations and risk management activities.1 By embedding human rights respect at the core of their operations and strategic decision-making, TMT firms can not only navigate the complex regulatory environment more effectively but also manage risks holistically, build stakeholder trust, and ultimately create more sustainable long-term value.1

III. The Evolving Landscape of Human Rights in AI

AI development and deployment carry profound human rights implications.1 The rapid advancement and pervasive integration of AI across various sectors introduce new vectors for human rights risks, demanding careful consideration and robust mitigation strategies.

Core Human Rights Risks in AI

  1. Algorithmic Bias and Discrimination: AI systems can perpetuate or amplify societal biases, leading to discriminatory outcomes in areas such as hiring, loan applications, content filtering, predictive policing, or access to essential services.1 This is identified as a key salient human rights risk, as demonstrated by instances where AI recruitment tools systematically discriminated against female applicants.1
  2. Privacy and Data Usage: Risks include unlawful surveillance, whether by state or private actors, facilitated by technology, data breaches, misuse or excessive collection of personal data, and intrusive targeted advertising.1 The fundamental right to privacy is challenged by AI’s capacity for extensive data processing and profiling.
  3. Impacts on Decision-Making Autonomy: AI systems can potentially impact human autonomy, especially when they operate with a lack of transparency or undermine human agency in critical decision-making processes.1
  4. Surveillance Capabilities: AI can significantly enhance surveillance capabilities, raising profound concerns about individual freedoms and privacy rights.1
  5. Misinformation and Disinformation: AI-powered algorithms and platforms play a significant role in the amplification and spread of false or misleading information that can incite violence, undermine democratic processes, or endanger public health.1
  6. Human Dignity: AI systems that lack transparency or undermine human autonomy can be seen as violating human dignity.1 The UN Guiding Principles call for respecting dignity as a core principle.
  7. Freedom of Expression: Challenges arise from content moderation policies, where balancing the removal of harmful content with the protection of free speech is complex. This includes platform responses to government censorship demands, arbitrary account suspensions, and ensuring equitable access to platforms for diverse voices.1
  8. Accessibility: A failure to design hardware, software, and online services that are accessible to persons with disabilities can lead to exclusion and infringe upon the rights of vulnerable populations.1
  9. Child Safety and Well-being: AI systems and online platforms pose specific risks to children, including exposure to harmful or illegal content (e.g., self-harm, child sexual abuse material), algorithmic amplification of distressing material, and inadequate age verification or protection mechanisms. This can lead to severe mental health impacts, exploitation, and infringement of children’s rights to safety and development.[1, 1]

Specific Challenges for Very Large Online Platforms (VLOPs)

VLOPs face distinct and amplified human rights risks due to their unprecedented global scale and profound societal influence.1 The sheer volume of users and data processed by VLOPs means that any human rights violation, such as algorithmic bias, can have widespread and severe consequences.1 The pervasive deployment of AI in recommender systems, content filtering, advertising, and user profiling makes AI-related human rights risks particularly salient for these entities.1

The complexity of content moderation on VLOPs presents a constant challenge, requiring a delicate balance between removing illegal or harmful content and protecting freedom of expression. This often leads to ongoing debates about potential over-censorship or under-enforcement.1 Child safety, in particular, is a critical concern for VLOPs, given their broad reach and the potential for algorithms to expose minors to harmful content or facilitate exploitation.[1, 1]

Case studies from the provided materials vividly illustrate these challenges:

  1. Social Media Platform (VLOP) – Self-Harm Content: This platform exposed a 14-year-old user to content related to self-harm, depression, and suicide, with its algorithm actively recommending more harmful material, which worsened the user’s mental state.1 A coroner’s report concluded that the user’s death was caused by over-exposure to content from the platform. The platform suffered severe financial repercussions. This incident infringed on the user’s right to life (Human Rights Act, Article 2) and right to privacy (Human Rights Act, Article 7).1 It also violated the UK Online Safety Act (OSA), which requires the prevention of illegal and harmful content (Section 5) and mandates platforms to put duties in place to prevent children from encountering harmful content online (Section 11).1
  2. Microblogging Platform (VLOP) – Child Sexual Exploitation Material (CSAM): This platform failed to put safeguards in place to protect one of its users from child sexual exploitation and failed to remove child sexual abuse material from its platform.1 Users faced the risk of exposure to abusive and illegal content without sufficient protection mechanisms. The platform faced lawsuits under U.S. laws. The case infringed upon the user’s right to prohibition of torture (Human Rights Act, Article 3) and prohibition of forced labour (Human Rights Act, Article 4).1 Under the EU Digital Services Act (DSA), VLOPs must remove illegal content (Article 16) and conduct risk assessments (Article 34); the platform’s failure breached these obligations.1 The OSA also requires platforms to prevent exposure to harmful content (Section 5) and assess risks to children (Section 4).1 Furthermore, the platform’s inability to protect its users from sexual exploitation infringed on its obligation to take steps to prevent risks in the supply chain as stated in the Modern Slavery Act (Section 54).1
  3. Largest Tech Company (VLOP) – AI Recruitment Bias: This company used an experimental AI recruitment tool which was found to systematically discriminate against female applicants, creating structural barriers for women in tech and reinforcing gender bias.1 The incident sparked international criticism. The VLOP failed to uphold users’ right to respect for private life (Human Rights Act, Article 8) and the right to protection from discrimination (Human Rights Act, Article 14).1 Under the DSA, VLOPs must act with due diligence (Article 14) and assess systemic risks to fundamental rights, including discrimination (Article 34); the VLOP’s failure to identify and mitigate gender bias breached these obligations.1 Under the EU AI Act, high-risk systems like recruitment tools require risk management measures (Article 9) and human oversight (Article 14); the absence of safeguards and oversight contravened these requirements.1 Under the GDPR, organisations must ensure fair and transparent processing (Article 5), limit automated decision-making (Article 22), and implement data protection by design (Article 25); the tool’s opaque profiling and lack of human intervention breached these provisions.1

These incidents highlight that AI-related human rights risks are not isolated but often intersect, leading to multiple regulatory breaches from a single underlying issue. For example, algorithmic bias is not just a discrimination issue; it can also be a privacy issue due to data used for profiling and an accountability issue due to opaque decision-making. A failure in fundamental human rights due diligence at the design or deployment stage of an AI system can lead to a ripple effect of violations across different rights and thus different regulatory frameworks. The inclusion of the Modern Slavery Act in the microblogging case, for instance, illustrates how online harms can connect to supply chain due diligence if the platform's operations are linked to exploitative content creation or dissemination. This interconnectedness underscores the need for a holistic approach rather than siloed compliance efforts.

Key International and Regional Regulatory Frameworks

The regulatory landscape governing corporate human rights responsibilities is becoming increasingly complex and demanding, particularly for globally operating TMT companies. Navigating this web requires appreciating both the foundational principles and the specific legislative mandates emerging across key jurisdictions.1

Foundational Principles (Normative Bedrock):

  1. UN Guiding Principles on Business and Human Rights (UNGPs): These stand as the authoritative global standard, establishing the “Protect, Respect, Remedy” framework.[1, 1]
  2. OECD Guidelines for Multinational Enterprises: These offer practical guidance on responsible business conduct, including detailed recommendations on implementing HRDD, explicitly aligned with the UNGPs.[1, 1]
  3. Universal Declaration of Human Rights (UDHR), International Covenant on Civil and Political Rights (ICCPR), International Covenant on Economic, Social and Cultural Rights (ICESCR), and ILO Declaration on Fundamental Principles and Rights at Work: These provide the broader human rights context and normative bedrock for all subsequent legislation.[1, 1]

Mandatory Supply Chain & HRDD Frameworks (Jurisdictional Mosaic):

  1. EU Corporate Sustainability Due Diligence Directive (CSDDD): This directive imposes comprehensive, binding HRDD obligations on large companies operating within the EU market, including non-EU companies meeting substantial turnover thresholds. It mandates a six-step due diligence process across the entire value chain to identify, prevent, mitigate, and remediate adverse human rights and environmental impacts. Non-compliance carries significant risks, including fines of not less than 5% of the company’s net worldwide turnover and potential civil liability for damages.[1, 1]
  2. EU Corporate Sustainability Reporting Directive (CSRD): This mandates detailed sustainability reporting, including human rights impacts, according to the European Sustainability Reporting Standards (ESRS) for a wider range of companies.1
  3. German Supply Chain Due Diligence Act (LkSG): Already in force, it mandates a robust risk management system to identify, assess, prevent, mitigate, and address human rights and specific environment-related risks within a company’s own operations and at direct suppliers, with obligations extending to indirect suppliers upon substantiated knowledge. Penalties include fines up to 2% of the company’s average annual global turnover and exclusion from public contracts for up to three years.[1, 1]
  4. UK Modern Slavery Act 2015 (MSA): Requires commercial organisations with a global turnover of £36 million or more, supplying goods or services in the UK, to publish an annual statement detailing steps taken to ensure slavery and human trafficking are not occurring in their business or supply chains. While currently lacking direct financial penalties, it carries significant reputational risk, and potential future penalties and broader HRDD are under consideration.[1, 1]
  5. California Transparency in Supply Chains Act (TISC): Applies to large retailers and manufacturers doing business in California, mandating disclosure on their websites regarding specific actions taken to eradicate slavery and human trafficking from their direct supply chains.[1, 1]
  6. Australian Modern Slavery Act 2018: Mirrors the UK approach, requiring entities to submit annual Modern Slavery Statements; a review has recommended potential amendments such as introducing penalties for non-compliance.[1, 1]
  7. Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act: Imposes annual reporting obligations on government institutions and private sector entities meeting specific thresholds, with potential fines up to CAD 250,000 for non-compliance and potential personal liability for directors and officers.[1, 1]
  8. Other relevant regulations: This includes the Uyghur Forced Labour Prevention Act 2021 (US), Forced Labour Act 2023 (Mexico), EU Conflict Minerals Regulation, Norwegian Transparency Act 2015, Duty of Vigilance Law 2017 (France), and the proposed UK Commercial Organisations and Public Authorities Duty (Human Rights and Environment) Bill.1

Digital Frontier: Regulating Rights Online (with AI implications):

  1. EU Digital Services Act (DSA): This landmark regulation aims to create a safer, more transparent online ecosystem while explicitly protecting fundamental rights. It imposes tiered obligations on online intermediaries, with the most stringent requirements applying to VLOPs and Very Large Online Search Engines (VLOSEs). Key obligations include implementing measures to tackle illegal content, conducting comprehensive risk assessments to identify and analyse systemic risks stemming from their services (including risks related to fundamental rights like freedom of expression, non-discrimination, and children’s rights), and implementing effective mitigation measures. Non-compliance can lead to fines up to 6% of global turnover.[1, 1]
  2. UK Online Safety Act (OSA) 2023: This Act establishes a new regulatory framework imposing duties of care on providers of user-to-user services and search services accessible in the UK. The primary goal is to enhance user safety, particularly for children, by requiring services to take proactive steps against illegal content and implement measures to protect children from content that is harmful to them. Enforcement is handled by Ofcom, with powers to impose fines up to £18 million or 10% of global turnover, whichever is higher.[1, 1] Ofcom is also responsible for developing Codes of Practice to guide platforms in meeting their duties under the Act.1
  3. General Data Protection Regulation (GDPR): This regulation governs data protection and privacy for individuals within the European Union and the European Economic Area. It requires fair and transparent processing, limits automated decision-making, and mandates data protection by design.[1, 1]
  4. EU AI Act (Emerging): Although not yet fully in force, the global regulatory trajectory clearly includes dedicated frameworks for Artificial Intelligence (AI), such as the EU AI Act. These emerging regulations are critical for the TMT sector, as AI development and deployment carry profound human rights implications related to algorithmic bias, discrimination in areas like hiring or access to services, surveillance capabilities, impacts on decision-making autonomy, and the need for transparency and accountability. High-risk systems, like recruitment tools, require risk management measures and human oversight.[1, 1]

It is critical to recognise that these digital regulations should not be viewed in isolation from broader HRDD obligations. The requirements within the DSA for systemic risk assessments concerning fundamental rights, or the OSA's focus on preventing online harms, are effectively specific applications of human rights due diligence principles within the digital context.1 The underlying driver of both general HRDD laws and specific digital laws is the universal human rights framework. Digital technologies, particularly AI, are simply new vectors through which human rights can be impacted. The result is a need for specialised regulations that adapt HRDD principles to the unique characteristics of the digital environment, such as algorithmic systemic risks and content moderation at scale. This highlights a thematic unity: whether it is a factory floor or a virtual platform, the fundamental human rights principles remain the same, but the mechanisms of impact, and thus the regulation, evolve. Compliance efforts related to digital regulations must therefore be integrated into a company's overarching HRDD framework, rather than being treated as separate technical or legal compliance silos.1

The scale and pervasiveness of VLOPs and AI amplify the human rights risks they pose. VLOPs operate at an "unprecedented global scale" with "profound societal influence," and their "products and services... now mediate fundamental aspects of modern life".1 This creates a distinct and amplified set of human rights risks, where the "vast user base... amplifies the consequences," and AI deployment "introduces novel risks".1 The exponential growth in reach and influence of VLOPs, combined with the opaque and complex nature of AI, means that even small design flaws or biases in AI systems, when deployed at VLOP scale, can lead to systemic, widespread, and potentially irremediable human rights harms, such as discrimination affecting millions or widespread exposure to harmful content. This creates a unique regulatory challenge: how to regulate for systemic risk rather than just individual instances of harm. The DSA's focus on "systemic risk assessments" for VLOPs directly reflects this understanding. This amplification effect directly correlates with increased regulatory scrutiny and higher penalties, such as DSA fines up to 6% of global turnover. The larger the potential impact, the greater the expectation for robust due diligence, and the higher the stakes for non-compliance. This makes proactive, comprehensive HRDD not just good practice, but a survival imperative for VLOPs.

The following table maps salient human rights risks in AI for VLOPs to relevant regulations and potential impacts on rights-holders:

| TMT Risk Area | Specific Risk Examples | Relevant Regulations/Frameworks | Potential Impact on Rights-Holders |
|---|---|---|---|
| Algorithmic Bias | Discriminatory outcomes in hiring, loan applications, content filtering, predictive policing, or access to essential services | UNGPs (Non-discrimination), EU AI Act, DSA (systemic risks) [1], CSDDD, Equality legislation, ESG Criteria | Denial of opportunities, unfair treatment, perpetuation of societal inequalities, reduced autonomy |
| Privacy & Data Usage | Unauthorised data collection/use, data breaches, inadequate consent, intrusive tracking, unlawful surveillance | UNGPs (Right to Privacy), GDPR [1], CSDDD, DSA (systemic risks) [1], UK OSA [1], ESG Criteria | Loss of control over personal information, exposure to harm, chilling effect on free expression, erosion of trust |
| Impacts on Decision-Making Autonomy | AI systems lacking transparency or undermining human autonomy, automated decisions without human review | UNGPs (Human Dignity), EU AI Act, DSA (systemic risks) | Reduced agency, feeling of being controlled, inability to challenge decisions, dehumanisation |
| Surveillance Capabilities | Facilitating government surveillance, sale of surveillance technology, intrusive workplace monitoring | UNGPs (Right to Privacy), CSDDD, EU AI Act | Erosion of privacy, suppression of dissent, increased state/corporate control, chilling effect on freedoms |
| Misinformation & Disinformation | Amplification of harmful false/misleading content impacting safety/democracy | UNGPs (indirect impacts on various rights), DSA (systemic risks) [1], UK OSA (illegal/harmful content) | Incitement to violence, undermining democratic processes, endangerment of public health, erosion of trust in information |
| Human Dignity | Dehumanising online abuse/harassment, exploitative platform practices, AI systems undermining human autonomy | UNGPs (Human Dignity), DSA (systemic risks) [1], UK OSA [1], CSDDD, EU AI Act [1] | Psychological distress, social exclusion, feeling of worthlessness, erosion of self-respect |
| Freedom of Expression | Content moderation decisions (over/under removal), platform censorship/account suspension, algorithmic filtering impacting information access | UNGPs (Freedom of Expression), DSA (risk assessment, transparency) [1], UK OSA (safety duties) | Silencing of voices, limited access to diverse information, self-censorship, impact on democratic discourse |
| Accessibility | Failure to design hardware, software, and online services accessible to persons with disabilities | UNGPs (Non-discrimination), CSDDD, Equality legislation, ESG Criteria | Exclusion from digital services, limited participation in society, perpetuation of existing inequalities |
| Child Safety and Well-being | Exposure to harmful/illegal content (CSAM, self-harm), algorithmic amplification of distressing material, inadequate age verification/protection | UK OSA [1], DSA (children's rights) [1], UNGPs (protection of children) [1] | Severe mental health impacts, exploitation, infringement of rights to safety and development |

IV. The UK's Focus: Insights from the New Parliamentary Inquiry on AI and Human Rights

The UK Joint Committee on Human Rights has launched a new inquiry to examine how human rights can be protected in the age of Artificial Intelligence (AI).2 This inquiry signals a clear intent for the UK to develop a more specific and potentially stringent regulatory framework for AI's human rights impacts, moving beyond general principles.

Scope and Key Considerations

The inquiry will delve into the threats and opportunities that AI presents for human rights within the UK and assess the adequacy of existing legal and regulatory frameworks in safeguarding human rights and keeping pace with AI development.2

Key considerations for the inquiry, as outlined in its terms of reference, include:

  1. Human Rights Issues: The inquiry will focus on how AI can impact individual human rights, both positively and negatively, with a particular emphasis on privacy and data usage, discrimination and bias, and effective remedies for violations of human rights.2
  2. Existing Legal and Regulatory Framework: It will assess the extent to which the UK’s current legal framework provides sufficient protections for human rights in relation to AI. This includes evaluating whether the Government’s policy approach to deploying AI, as expressed in its “AI Opportunities Action Plan,” is robust enough in safeguarding human rights.2
  3. Possible Changes to Legal and Regulatory Framework: The inquiry will explore what would be necessary in any future UK legislation to protect human rights. Key questions include whether the same human rights standards should apply to private actors as public bodies when they use AI, and the degree to which different types of AI technology might require different regulatory approaches. It will also examine who should be held accountable for breaches of human rights resulting from AI use, on what basis, and where in the process of developing, deploying, and using AI technologies liability should arise. Furthermore, the inquiry seeks to identify additional measures needed to ensure individuals have sufficient redress for harm caused by AI and how regulation can keep pace with the rapid development of AI technology, such as agentic AI. The international nature of AI and potential consequences for human rights in the UK from its malign use by other regimes will also be considered, along with the impact of the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, and lessons from AI regulation in other jurisdictions like the European Union.2

The deadline for written submissions on these issues is September 5, 2025.2

Implications for AI Development and Deployment in the UK

The comprehensive nature of the inquiry's questions signifies a recognition that existing frameworks, such as the Human Rights Act and the Online Safety Act, are likely insufficient for the unique challenges posed by AI. This suggests that dedicated AI regulation is highly probable. The inquiry's explicit focus on "future UK legislation," "accountability," "liability," and "redress" indicates a move towards enforceable obligations rather than mere guidelines.2 This is a proactive legislative response to close regulatory gaps and establish clear lines of responsibility.

The consideration of different regulatory approaches for different AI types, reflecting a "risk-based approach," aligns with global trends, such as those seen in the EU AI Act.2 This suggests a nuanced but firm regulatory future for AI in the UK. The inquiry's emphasis on the international nature of AI highlights the need for UK companies to consider global human rights standards and cross-border implications, reinforcing the necessity for a globally coherent human rights due diligence strategy. Companies that proactively engage with these questions and begin implementing robust HRDD for their AI systems now, anticipating future requirements, will gain a significant first-mover advantage. They will be better positioned to influence policy, adapt to new laws, and avoid the costly scramble for compliance when legislation inevitably arrives. This also implies that a "regulation-agnostic" approach, focusing on the harms that future regulations will likely target regardless of their specific legislative form, is particularly valuable in this evolving landscape.

UK's Emerging Mandatory Human Rights Due Diligence and Forced Labour Legislation

Beyond the specific AI inquiry, the UK is actively moving towards more stringent human rights compliance, particularly concerning forced labour in supply chains. The Joint Committee on Human Rights has found evidence that goods produced with forced labour are being sold in the UK, despite the Government's stated position against it, concluding that the current patchwork of domestic legislation has not prevented these goods from entering the UK market.3

Key recommendations for new legislation and enforcement include:

  1. Unlawfulness of Import/Sale: New legislation should make it unlawful to import or sell goods linked to forced labour in the UK.3
  2. Mandatory Human Rights Due Diligence (mHRDD): The Committee recommends introducing mandatory human rights due diligence requirements throughout supply chains for businesses trading in the UK.3 This would strengthen the existing Modern Slavery Act 2015 (MSA 2015) by removing the provision that allows companies to report “no action taken” and by extending the reporting duty to public organisations.3
  3. Right to Civil Claim: Legislation should establish a right for those who have suffered forced labour to bring a claim for civil liability against those responsible.3 This includes a recommendation for a civil cause of action for “failure to prevent forced labour,” which would place the burden on corporations to prove they had adequate procedures to prevent forced labour, making them liable for compensation if they cannot.3
  4. Regulatory Arrangements and Enforcement: Clear regulatory arrangements are needed for imported goods, sale of goods, and ensuring business compliance with new due diligence duties, along with adequate enforcement and resources.3 Penalties proportional to company turnover (e.g., 5% of annual turnover) are being considered for mHRDD non-compliance.3
  5. Import Bans: The UK is urged to introduce an import ban to prevent goods produced using forced labour from entering the UK market. This could include a “rebuttable presumption” for goods linked to regions where state-imposed forced labour is considered to be in effect, similar to the US Uyghur Forced Labour Prevention Act (UFLPA).3
  6. Use of Proceeds of Crime Act (POCA): Law enforcement agencies like the National Crime Agency (NCA) and Border Force are encouraged to actively use existing POCA powers to prevent goods linked to forced labour from being sold in the UK and to seize assets linked to forced labour.3
  7. Free Trade Agreements (FTAs) and Public Procurement: Future trade deals are expected to explicitly include provisions concerning forced labour, and public procurement processes (e.g., under the Procurement Act 2023 and Great British Energy Act 2025) are being strengthened to exclude suppliers linked to forced labour.3

This comprehensive push for new legislation and enforcement mechanisms signifies a significant shift in the UK's approach to human rights compliance, moving towards a more robust and punitive regime for businesses failing to uphold their responsibilities.

V. The SU Method: A Strategic Approach to Human Rights Due Diligence for AI Companies

The "SU method" is synonymous with the "Human Rights Golden Thread" approach, advocating for internationally recognised human rights principles as the central organising logic for all corporate functions related to social and environmental impacts.1 This methodology provides a comprehensive and integrated framework for managing human rights risks, particularly relevant for the complex and rapidly evolving domain of AI.

Foundational Principles

The SU method is built on a harms-based and regulation-agnostic foundation. It prioritises assessing risk to people (rights-holders)—the potential severity and likelihood of adverse impacts on individuals and communities—as the primary lens for analysis and prioritisation.[1, 1] This "regulation-agnostic" approach means focusing on potential harm to people, grounded in universal human rights frameworks such as the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), the International Covenant on Economic, Social and Cultural Rights (ICESCR), and the work of the UN High Commissioner for Human Rights (UNHCHR), rather than solely on specific laws.1 This allows for a unified, principles-based framework that can address the complex, overlapping, and sometimes inconsistent tapestry of jurisdictional requirements.

The method is deeply rooted in the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises.1 These authoritative frameworks form the normative bedrock, providing a universal, principles-based foundation that allows tailored application based on the severity of impacts and inherently integrates multiple disciplines (human rights, environment, social, governance) under the umbrella of responsible business conduct.1

Core Components of the SU HRDD Framework

The SU method aligns with and integrates the UNGP HRDD process and the OECD 6-Step Due Diligence Framework, offering a structured approach to human rights management.1

1. Assessing Impacts (Identify and Assess Adverse Impacts)

The objective of this stage is to determine the current state of the business with respect to risks within its internal operations and supplier relationships.1 This involves assessing salient risks (those that are individual and grave) and material risks (those that affect the business), and providing a risk scoring based on the impact's scale, scope, and irremediability.1 The process includes requesting policies and procedures, conducting a desktop review, holding stakeholder sessions and workshops with internal functions (e.g., Compliance, Procurement, Operations, Sustainability, HR, and Legal), and analysing questionnaire responses.1

For AI, this component involves integrating algorithmic audits, bias assessments, and privacy impact assessments into the broader HRDD framework. It also entails engaging with affected user groups, such as those impacted by AI-driven decisions, to gather direct input on potential harms.

2. Integrating Findings and Taking Action (Cease, Prevent or Mitigate Adverse Impacts)

The objective here is to embed human rights considerations into internal governance and procedures, develop effective policies and codes of conduct, and create responsible, transparent practices throughout the business ecosystem.1 The process involves implementing robust risk management systems, conducting HRDD, developing actionable plans, and leveraging influence with business partners to address identified risks.[1, 1]

For AI, this means embedding insights from AI risk assessments directly into product development lifecycles, ensuring human oversight in high-risk AI systems, developing comprehensive ethical AI guidelines, and implementing robust data governance frameworks. This also includes drafting specific policies such as AI ethics policies, non-discrimination policies for AI, and transparent terms of service that clearly articulate human rights commitments.

3. Tracking Responses (Track Implementation and Results)

The aim of this stage is to continuously monitor and track compliance with policies, procedures, and terms aligned with human rights regulations and standards.1 This involves monitoring the effectiveness of actions using indicators and stakeholder feedback, including regular (annual or periodic) reviews of both suppliers and internal business functions.[1, 1]

For AI, this involves continuous monitoring of AI system performance for bias drift, assessing the effectiveness of mitigation measures, and ensuring ongoing compliance with internal policies and external regulations. Key Performance Indicators (KPIs) could include bias metrics, user feedback on AI interactions, and audit trails of AI decisions to ensure accountability.
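As an added illustration (example code written for this page, not part of the original report or of the SU Platform), the following Python block reduces the bias audit called for in step 1 (Assessing Impacts) and the bias-drift tracking called for in step 3 (Tracking Responses) to one repeatable check. It assumes that decisions from an automated screening tool are logged as records of monitoring window, protected group and outcome (which doubles as the audit trail mentioned above), measures fairness as the ratio of each group's selection rate to the best-treated group's rate, and borrows the US EEOC "four-fifths" rule (ratio below 0.8) as an illustrative alert line; the decision log is constructed for the demonstration and is not real applicant data.

```python
"""Bias audit and bias-drift monitor for an automated screening system.

Added example for this page; not code from the original report or the SU
Platform. Assumptions (not from the source): decisions are logged as
(window, group, selected) records, fairness is measured as the ratio of each
group's selection rate to the best-treated group's rate, and the US EEOC
"four-fifths" rule (ratio below 0.8) is used as an illustrative alert line.
"""
from collections import defaultdict
from dataclasses import dataclass

FOUR_FIFTHS = 0.8  # illustrative threshold; a real programme sets its own


@dataclass(frozen=True)
class Decision:
    window: str      # monitoring period, e.g. "2025-Q1"
    group: str       # protected-attribute value, e.g. self-declared gender
    selected: bool   # outcome of the automated screening step


def selection_rates(decisions):
    """Selected / total, per group."""
    totals, hits = defaultdict(int), defaultdict(int)
    for d in decisions:
        totals[d.group] += 1
        hits[d.group] += int(d.selected)
    return {g: hits[g] / totals[g] for g in totals}


def disparate_impact(decisions):
    """Each group's selection rate divided by the highest group rate.

    Returns (ratios, worst_ratio); worst_ratio is None for an empty log.
    """
    rates = selection_rates(decisions)
    if not rates:
        return {}, None
    top = max(rates.values())
    ratios = {g: (r / top if top else 0.0) for g, r in rates.items()}
    return ratios, min(ratios.values())


def audit_findings(decisions, threshold=FOUR_FIFTHS):
    """Step 1 (assess impacts): groups whose ratio falls under the threshold."""
    ratios, _ = disparate_impact(decisions)
    return sorted(g for g, r in ratios.items() if r < threshold)


def drift_report(decisions, threshold=FOUR_FIFTHS, max_drop=0.1):
    """Step 3 (track responses): worst-case ratio per window, with an alert
    when a window is under the threshold or has slipped more than max_drop
    below the first (baseline) window."""
    by_window = defaultdict(list)
    for d in decisions:
        by_window[d.window].append(d)
    report, baseline = [], None
    for window in sorted(by_window):
        _, worst = disparate_impact(by_window[window])
        if baseline is None:
            baseline = worst
        alert = worst < threshold or (baseline - worst) > max_drop
        report.append((window, round(worst, 3), alert))
    return report


def sample_log():
    """Constructed decision log for the demo; not real applicant data."""
    spec = {  # window -> group -> (applicants, selected)
        "2025-Q1": {"A": (100, 30), "B": (100, 27)},
        "2025-Q2": {"A": (100, 30), "B": (100, 21)},
    }
    log = []
    for window, groups in spec.items():
        for group, (n, k) in groups.items():
            log.extend(Decision(window, group, i < k) for i in range(n))
    return log


if __name__ == "__main__":
    for window, worst, alert in drift_report(sample_log()):
        status = "ALERT" if alert else "ok"
        print(f"{window}: worst selection-rate ratio {worst} [{status}]")
```

In the constructed log the first quarter passes (ratio 0.9) and the second quarter fails (ratio 0.7), which is the "bias drift" case the tracking step is meant to catch: the model and the policy are unchanged, but the outcome distribution has moved. The same per-window records give the KPI (worst-case ratio) and the evidence base for a grievance or appeal.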

4. Communicating (Communicate How Impacts are Addressed)

The objective is to draft comprehensive reports and compliance statements, including expert-defined supplier codes, human rights policies, compliance statements, and transparency reports.1 This also involves establishing efficient methods of engaging with stakeholders to publish these reports.1 Companies are expected to publicly report on their policies, processes, identified risks, actions taken, and the effectiveness of these measures, especially to affected stakeholders.1

For AI, this requires transparent reporting on AI governance, risk assessments, and mitigation efforts, particularly concerning sensitive areas like algorithmic bias and data privacy. This could involve publishing dedicated AI ethics reports or integrating relevant sections within broader sustainability reports, ensuring clear and accessible communication.

5. Providing for or Cooperating in Remediation

The final component focuses on offering or supporting remedy processes when the company has caused or contributed to harm.1 This involves establishing accessible grievance mechanisms for affected stakeholders, such as users impacted by AI bias or workers in the supply chain.1

For AI, this means establishing clear channels for users to report AI-related harms, providing mechanisms for appeal against automated decisions, and offering appropriate redress for harms caused by discriminatory or otherwise harmful AI systems.

Practical Application for AI Companies and VLOPs

The SU method's emphasis on a harms-based, regulation-agnostic approach is particularly suited for AI, where risks are rapidly evolving and often cut across traditional regulatory silos.1 This approach ensures that companies focus on the actual or potential negative consequences for individuals, regardless of the specific regulatory instrument that might apply.


Practical applications include:

  1. Integrating algorithmic audits into impact assessments: Proactively identifying potential biases in training data and algorithms before deployment is crucial to prevent discriminatory outcomes.[1, 1]
  2. Ensuring human oversight in AI systems: Especially for high-risk AI applications, human review and intervention points are critical to prevent automated harms and ensure accountability.[1, 1]
  3. Ethical data governance: Implementing robust policies for data collection, storage, use, and deletion is essential to protect privacy and prevent discrimination throughout the AI lifecycle.[1, 1]
  4. Tailored training: Educating engineers, product managers, legal teams, and leadership on AI-specific human rights risks and their responsibilities is vital for fostering a rights-respecting culture.[1, 1]

Leveraging Technology for HRDD

The SU Platform offers a tailored User-Interface and Portal to help you manage your compliance priorities, including supplier dashboards visualising key human rights risks, impact assessment scoring, SU reports and legal reviews.1 Technology can significantly enhance supply chain transparency, facilitate risk analysis across vast datasets, provide platforms for stakeholder engagement or grievance mechanisms, and monitor compliance indicators.1

However, the deployment of technology for compliance purposes must itself be scrutinised through a human rights lens.1 For example, using technology for enhanced worker monitoring in supply chains could raise significant privacy concerns.1 This highlights a critical paradox: the very innovation that causes new human rights challenges is also essential for navigating them. The complexity and scale of AI-driven human rights risks necessitate technological solutions for effective HRDD, such as using AI to detect bias or manage vast supplier data. Yet, this creates a new layer of risk—if the HRDD technology itself is biased or intrusive, it undermines the entire purpose. This implies a need for "ethical tech for ethical tech"—a commitment to human rights by design in HRDD tools. This paradox also presents an opportunity for companies to innovate in the HRDD tech space, developing solutions that are not only effective but also human-rights-compliant by design, potentially becoming a new competitive advantage.

The following table details the SU HRDD process steps and their specific application to AI risks:

| SU HRDD Process Step | Objective and General Application | Application to AI Risks for VLOPs/AI Companies |
|---|---|---|
| 1. Assessing Impacts | Identify and assess actual/potential adverse human rights impacts across operations and value chain; prioritise salient and material risks based on severity (scale, scope, irremediability). | Conduct Algorithmic Impact Assessments (AIAs) and Bias Audits on AI systems (e.g., recruitment, content recommendation, pricing). Evaluate training data for inherent biases. Assess privacy implications of data collection and AI processing. Map AI system dependencies and user interactions for potential harms. Engage with affected user groups (e.g., through surveys, focus groups) to understand real-world impacts. |
| 2. Integrating Findings & Taking Action | Embed human rights insights into internal governance, policies, and procedures; develop mitigation strategies and action plans; use leverage with business partners. | Develop and implement AI ethics policies, responsible AI principles, and non-discrimination policies for AI. Integrate human oversight mechanisms into high-risk AI deployment workflows. Implement data governance frameworks for ethical data collection, usage, and deletion. Update supplier codes of conduct to include AI ethics and human rights clauses for third-party AI solutions. |
| 3. Tracking Responses | Monitor the effectiveness of actions and HRDD processes using indicators and stakeholder feedback; conduct regular reviews of suppliers and internal functions. | Continuously monitor AI system performance for bias drift and unintended outcomes. Track user complaints related to AI-driven decisions. Monitor adherence to internal AI ethics policies and external regulatory requirements. Develop KPIs for AI human rights performance (e.g., bias reduction metrics, grievance resolution rates). Conduct periodic internal audits of AI systems and data practices. |
| 4. Communicating | Draft reports and compliance statements (e.g., human rights policies, transparency reports); engage with stakeholders to publish reports on how impacts are addressed. | Publish transparent reports on AI governance, risk assessments, and mitigation efforts (e.g., dedicated AI ethics reports, sections in annual sustainability reports). Clearly communicate AI system functionalities, limitations, and human oversight mechanisms to users. Engage in public dialogue with civil society, regulators, and academics on responsible AI development. |
| 5. Providing for or Cooperating in Remediation | Offer or support effective remedy processes when the company has caused or contributed to human rights harm; establish accessible grievance mechanisms. | Establish clear, accessible, and effective grievance mechanisms for users to report AI-related harms (e.g., discriminatory outcomes, privacy breaches). Provide mechanisms for appeal against automated decisions. Offer appropriate redress for individuals harmed by AI systems, which could include apologies, compensation, or system adjustments. Collaborate with affected parties to find mutually agreeable solutions. |

VI. Case Studies: Real-World Human Rights Risks and Regulatory Breaches in the TMT/AI Sector

The following case studies, drawn from the provided materials, illustrate the tangible human rights risks faced by VLOPs and technology companies, and the regulatory breaches that can ensue from inadequate human rights due diligence. These examples underscore the critical need for a proactive and integrated approach to compliance.

Social Media Platform (VLOP) - Self-Harm Content

  1. Harm and Risk: This case involved a 14-year-old user exposed to content related to self-harm, depression, and suicide. The platform’s algorithm actively recommended more harmful material, increasing the user’s exposure to distressing content and worsening their mental state.1
  2. Outcome & Regulatory Breaches: A coroner’s report concluded that the user’s death was caused by over-exposure to content from the platform. The platform subsequently suffered severe financial repercussions. This incident infringed on the user’s fundamental right to life (Human Rights Act, Article 2) and right to respect for private life (Human Rights Act, Article 8).1 It also constituted a violation of the UK Online Safety Act (OSA), specifically Section 5, which requires the prevention of illegal and harmful content, and Section 11, which mandates platforms to put duties in place to prevent children from encountering harmful content online.1

Microblogging Platform (VLOP) - Child Sexual Exploitation Material (CSAM)

  1. Harm and Risk: This platform failed to implement adequate safeguards to protect its users from child sexual exploitation and did not remove child sexual abuse material (CSAM) from its platform. Consequently, users faced the risk of exposure to abusive and illegal content without sufficient protection mechanisms.1
  2. Outcome & Regulatory Breaches: The platform faced lawsuits under U.S. laws. The case engaged the user’s rights under the prohibition of torture and inhuman or degrading treatment (Human Rights Act, Article 3) and the prohibition of slavery and forced labour (Human Rights Act, Article 4).1 Under the EU Digital Services Act (DSA), providers must act expeditiously on notices of illegal content (Article 16) and VLOPs must conduct systemic risk assessments (Article 34); the platform’s failure to detect and remove child exploitation content breached these obligations.1 The UK Online Safety Act (OSA) also requires platforms to prevent exposure to harmful content (Section 5) and assess risks to children (Section 4).1 Stronger content moderation and risk assessments would have ensured compliance and mitigated legal risks.1 Moreover, the platform’s inability to protect its users from sexual exploitation sits uneasily with the UK Modern Slavery Act (Section 54), which requires large commercial organisations to publish an annual statement of the steps taken to ensure that slavery and human trafficking are not taking place in their business or supply chains, demonstrating how online harms can extend into broader supply chain due diligence responsibilities.1

Large Tech Company (VLOP) - AI Recruitment Bias

  1. Harm and Risk: This company utilised an experimental AI recruitment tool which was found to systematically discriminate against female applicants. This AI system inadvertently created structural barriers for women in tech and reinforced existing gender bias.1
  2. Outcome & Regulatory Breaches: The incident sparked international criticism. The VLOP failed to uphold users’ right to respect for private life (Human Rights Act, Article 8) and the right to protection from discrimination (Human Rights Act, Article 14).1 Under the EU Digital Services Act (DSA), VLOPs must act with due diligence (Article 14) and assess systemic risks to fundamental rights, including discrimination (Article 34); the VLOP’s failure to identify and mitigate gender bias in its AI recruitment tool breached these obligations.1 Furthermore, under the EU AI Act, high-risk systems like recruitment tools require risk management measures (Article 9) and human oversight (Article 14); the absence of safeguards and oversight in the tool contravened these requirements.1 Finally, under the GDPR, organisations must ensure fair and transparent processing (Article 5), limit automated decision-making (Article 22), and implement data protection by design (Article 25); the tool’s opaque profiling and lack of human intervention breached these provisions.1

Largest Consumer Electronics Company - Supply Chain Child Labour/Exploitation

  1. Harm and Risk: Reports highlighted the risk of child labour, hazardous working conditions, and exploitation stemming from unregulated mining, particularly in the Democratic Republic of Congo (DRC) for minerals like cobalt. These unethical supply chains led to severe human rights violations and environmental degradation.1
  2. Outcome & Regulatory Breaches: The case garnered international attention and significantly increased regulatory pressure across Europe. In Germany, it strengthened enforcement of the Supply Chain Due Diligence Act (LkSG) and accelerated calls for EU-wide accountability under the CSDDD.1 The use of underage workers in hazardous mining conditions breached international labour standards under ILO Conventions 138 and 182.1 Hazardous working conditions and excessive hours also violated protections under the UK Employment Rights Act (Sections 44 and 45).1 The company also fell short of the supply chain due diligence expectations underpinning the UK Modern Slavery Act (Section 54), which requires large commercial organisations to publish an annual statement of the steps taken to ensure that slavery and human trafficking are not taking place in their supply chains.1

These case studies powerfully demonstrate the intersectional nature of AI-related harms and the significant regulatory overlap that results. A single AI tool, for instance, can violate multiple human rights (e.g., privacy, non-discrimination) and consequently breach multiple regulations (e.g., Human Rights Act, DSA, EU AI Act, GDPR). Similarly, the microblogging platform case illustrates how child sexual exploitation material can trigger violations across human rights (prohibition of torture, forced labour), digital regulations (DSA, OSA), and even supply chain due diligence laws (Modern Slavery Act). This indicates that non-compliance in one area often cascades into non-compliance in others, significantly increasing cumulative risk. A failure in fundamental human rights due diligence at the design or deployment stage of an AI system can lead to a ripple effect of violations across different rights and thus different regulatory frameworks. This reinforces the critical need for a "golden thread" approach. Instead of attempting to comply with DSA, then GDPR, then EU AI Act in silos, a holistic, harms-based HRDD framework would identify the underlying human rights risk and then apply a comprehensive set of controls that inherently address the requirements of all relevant regulations simultaneously, leading to more robust and efficient compliance.

VII. Risks of Non-Compliance and the Imperative for Action

The evolving global regulatory landscape for human rights and AI means that non-compliance carries increasingly severe consequences. These risks extend beyond mere financial penalties to encompass significant reputational damage, operational disruptions, and even personal liability for corporate leadership.

Legal and Financial Penalties

The trend is clear: mandatory human rights due diligence is increasingly backed by substantial financial penalties and civil liability.

  1. EU Corporate Sustainability Due Diligence Directive (CSDDD): Non-compliance can result in maximum fines of not less than 5% of a company’s net worldwide turnover, alongside potential civil liability for damages; and administrative orders.1
  2. German Supply Chain Due Diligence Act (LkSG): Companies face fines up to 2% of their average annual global turnover and potential exclusion from public tenders for up to three years.1
  3. EU Digital Services Act (DSA): Non-compliance can lead to significant fines, potentially reaching up to 6% of a company’s global turnover. Enforcement examples include fines for failure to mitigate discriminatory content or algorithmic bias risks.1
  4. UK Online Safety Act (OSA): Enforcement by Ofcom can result in fines up to £18 million or 10% of global turnover, whichever is higher.1 Similar to the DSA, fines can be imposed for failures to mitigate discriminatory content or algorithmic bias risks.1
  5. Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act: Non-compliance can lead to fines up to CAD 250,000 and potential personal liability for directors and officers.1
  6. General Data Protection Regulation (GDPR): The AI recruitment bias case study highlights GDPR breaches (Article 5 on fair and transparent processing, Article 22 on automated decision-making, Article 25 on data protection by design).1 Infringements of Articles 5 and 22 fall into the upper tier of administrative fines under Article 83(5), up to €20 million or 4% of total worldwide annual turnover, whichever is higher; infringements of Article 25 fall into the lower tier under Article 83(4), up to €10 million or 2%.
  7. UK’s Emerging Legislation on Forced Labour and mHRDD: Proposed new legislation in the UK aims to introduce mandatory human rights due diligence requirements with penalties proportional to company turnover (e.g., 5% of annual turnover).3 It also seeks to make it unlawful to import or sell goods linked to forced labour in the UK.3
  8. Right to Civil Claim: New UK legislation is recommended to establish a right for those who have suffered forced labour to bring a claim for civil liability against those responsible, including a civil cause of action for “failure to prevent forced labour”.3
  9. UK Modern Slavery Act (MSA): Currently, there are no direct financial penalties for non-compliance, but failure to adhere carries significant reputational risk. It is important to note that potential future penalties and broader HRDD obligations are under consideration.1
  10. California Transparency in Supply Chains Act (TISC) & Australian Modern Slavery Act (MSA): These acts currently do not impose direct financial penalties for non-disclosure. However, they carry significant reputational consequences, and in California, the Attorney General can seek injunctive relief. In Australia, the responsible Minister can request action or publish details of non-compliance, and a review suggests potential penalties.1

Reputational Damage and Loss of Trust

Beyond direct financial penalties, human rights infringements can inflict severe and often irreversible damage to a company's reputation. The case studies demonstrate severe financial repercussions for a social media platform and international criticism for a large tech company following human rights violations.1 Failure to comply with transparency requirements, as seen in the UK MSA, California TISC, and Australian MSA, carries significant reputational risk.1 This erosion of consumer confidence and investor trust can profoundly impact brand value, market standing, and long-term viability.

Operational Disruptions and Market Access Implications

Non-compliance can lead to tangible operational disruptions. Companies may face exclusion from public tenders, as is possible under the German LkSG 1 and increasingly under new UK public procurement rules (e.g., Procurement Act 2023).3 Supply chain disruptions due to forced labour or other human rights issues can result in product delays, increased costs, or even consumer boycotts.1 Furthermore, a poor human rights record can create barriers to market entry or expansion in jurisdictions with increasingly stringent HRDD requirements.

Personal Liability for Directors and Officers

An emerging and critical trend is the imposition of personal liability on corporate leadership for human rights breaches. The Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act explicitly includes "potential personal liability for directors/officers who knowingly participate in an offence".1 This signals a growing expectation for individual accountability at the highest levels of corporate governance.

The following table summarises key regulatory penalties for non-compliance in AI and human rights, illustrating the escalating stakes for businesses. The increasing percentage of global turnover as a basis for fines highlights the dramatic escalation of financial stakes, directly necessitating a higher imperative for robust compliance. The inclusion of personal liability for directors and officers adds another critical layer of risk. This table serves as a powerful tool for building the internal business case for investing in comprehensive human rights due diligence, demonstrating that the cost of proactive compliance is likely to be significantly lower than the potential costs of non-compliance.

| Regulation | Type of Non-Compliance (AI/HR Context) | Financial Penalties | Other Consequences |
|---|---|---|---|
| EU CSDDD | Failure in comprehensive HRDD & environmental DD across value chain | Max fines not less than 5% net worldwide turnover | Civil liability for damages; administrative orders |
| German LkSG | Failure to implement risk management system, conduct HRDD/environmental DD | Fines up to 2% average annual global turnover | Exclusion from public tenders up to 3 years; BAFA oversight & orders 1 |
| EU DSA | Failure to conduct systemic risk assessments (incl. discrimination), remove illegal content, transparency | Up to 6% of global turnover | Administrative orders, reputational damage 1 |
| Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act | Failure to report on steps to prevent forced/child labour, false statements | Up to CAD 250,000 | Potential personal liability for directors/officers 1 |
| GDPR | Unfair/opaque processing, automated decision-making without safeguards, lack of data protection by design (as seen with AI bias) | Up to €20 million or 4% of annual global turnover (whichever is higher) | Reputational damage, data subject claims 1 |
| EU AI Act | Non-compliance with high-risk system requirements (e.g., risk management, human oversight, transparency) | Up to €15 million or 3% of worldwide annual turnover for breaches of high-risk system obligations; up to €35 million or 7% for prohibited practices (Article 99) | Market exclusion, reputational damage, civil liability [1, 1] |
| UK MSA | Failure to publish adequate annual transparency statement on modern slavery | Currently no direct financial penalties | Significant reputational risk; potential future penalties 1 |
| UK Emerging mHRDD Legislation | Failure to implement mandatory HRDD, import/sale of forced labour goods | Proposed: penalties proportional to turnover (e.g., 5% of annual turnover) 3 | Unlawfulness of import/sale; civil claims for survivors; exclusion from public tenders 3 |
| California TISC | Failure to disclose efforts re: slavery/trafficking in supply chains | No direct financial penalties | Enforcement by Attorney General via injunctive relief only; reputational consequences 1 |
| Australia MSA | Failure to submit annual statement addressing mandatory criteria | Currently no direct financial penalties | Minister can request action/publish non-compliance; penalties under review 1 |

VIII. Recommendations for Proactive Compliance and Risk Mitigation

To navigate the complex and increasingly stringent human rights and AI regulatory landscape, VLOPs and companies utilising AI must adopt a proactive, integrated approach to compliance. The following recommendations, aligned with the SU method's "golden thread" philosophy, provide a roadmap for robust human rights due diligence and risk mitigation.

Strategic Integration of HRDD Across All Business Functions

Human rights principles must be embedded as a "golden thread" into core business policies, management systems, and governance structures.1 This requires assigning clear responsibilities for HRDD across all relevant departments, including Legal, Product, Engineering, Procurement, Human Resources, and ESG teams.1 Breaking down existing silos and fostering cross-functional collaboration is essential for achieving a holistic view of human rights risks and ensuring consistent application of standards across the entire business ecosystem, from supply chain to user experience.1

Robust Risk Assessment and Mitigation Tailored to AI's Unique Challenges

Regular and comprehensive Human Rights Risk Assessments (HRRA) are critical, focusing on "salient risks" to people across the entire value chain, including AI development, deployment, and use.1 This necessitates implementing specific AI-centric assessments, such as algorithmic impact assessments, bias audits, and privacy impact assessments, to proactively identify potential biases in training data and algorithms before deployment.[1, 1] Developing and implementing effective mitigation measures, such as human oversight mechanisms for high-risk AI, adhering to ethical AI design principles, and establishing robust data governance frameworks, are paramount for preventing automated harms.[1, 1] Particular attention must be paid to child safety, ensuring AI systems and platforms are designed with robust age verification, content filtering, and protective measures to prevent exposure to harmful material or exploitation.[1, 1]

Continuous Monitoring and Reporting with Transparent Metrics

Companies must establish systems for ongoing monitoring of human rights performance, including the behaviour of AI systems and practices within their supply chains.[1, 1] Leveraging technology platforms, such as those offered by Supply Unchained, can facilitate data aggregation, risk visualisation, and the tracking of key performance indicators (KPIs) related to human rights.1 A commitment to transparent reporting on HRDD processes, identified risks, and mitigation efforts, both internally and externally, is crucial, aligning with frameworks like the CSRD and emerging AI regulations.[1, 1]

Meaningful Stakeholder Engagement Throughout the AI Lifecycle

Proactive and meaningful engagement with potentially affected stakeholders—including users, workers, communities, and civil society organisations—is essential at all stages of AI development and deployment.1 Establishing accessible and effective grievance mechanisms is vital for individuals to report harms caused by AI systems or business operations.1 Crucially, insights derived from stakeholder feedback must be systematically integrated into risk assessments, the design of mitigation strategies, and remediation processes to ensure that responses are genuinely effective and address the concerns of those most impacted.1

Cultivating a Rights-Respecting Culture from Leadership to Frontline

A genuine, leadership-driven commitment to prioritising human rights must permeate the organisational culture.1 This involves providing tailored, comprehensive training across all organisational levels—from the Board and senior management to engineers, product teams, sales, HR, and procurement—on human rights risks specific to their roles and the implications of AI.[1, 1] Reinforcing this commitment through clear policies, internal accountability mechanisms, and potentially linking human rights performance to incentives can further embed a culture of respect for human rights throughout the organisation.1

IX. Conclusion: Leading with Principle – The Strategic Advantage of Integrated Human Rights Compliance

The complex and demanding global landscape leaves TMT companies, particularly VLOPs and those extensively utilising AI, with little choice but to engage seriously with human rights compliance.1 Attempting to navigate this environment through fragmented, reactive, or jurisdiction-specific compliance efforts is inherently inefficient, costly, and increasingly risky.1 The proliferation of mandatory due diligence laws, coupled with intensifying stakeholder expectations and the integration of human rights into core ESG considerations, creates an undeniable imperative for a strategic shift.

Embedding internationally recognised human rights principles as a "golden thread" throughout the organisation's risk management, governance, and operational processes transforms compliance from a reactive necessity into a proactive driver of resilience, brand value, investor confidence, and responsible innovation.1 This integrated approach positions companies for greater sustainability and long-term value, mitigating risks that are increasingly scrutinised by financial markets.1 The investment required to implement such a system, streamlining multiple risk assessments into one cohesive framework, yields strategic benefits that can significantly outweigh the costs of non-compliance.

In the Technology, Media, and Telecommunications sector, where innovation shapes human experience at an unprecedented scale, embedding a fundamental respect for human rights is not a peripheral concern.1 It is, and must increasingly be recognised as, absolutely core to responsible business conduct, ethical innovation, and enduring leadership in the digital age.1 Embracing a proactive, integrated strategy centred on the human rights "golden thread" is not merely an ethical obligation; it is a critical strategic necessity for navigating the complexities of the 21st-century global landscape, managing profound risks, and securing sustainable success and societal legitimacy.

Works cited

  1. The Human Rights Golden Thread: Streamlining Compliance in the TMT Sector Amidst Regulatory Convergence (Supply Unchained)
  2. New inquiry: Human Rights and the Regulation of Artificial Intelligence, accessed July 25, 2025, https://committees.parliament.uk/committee/93/human-rights-joint-committee/news/208676/new-inquiry-human-rights-and-the-regulation-of-artificial-intelligence/#:~:text=The%20Joint%20Committee%20on%20Human,of%20Artificial%20Intelligence%20(AI).&text=AI%20technologies%20may%20offer%20significant,they%20also%20pose%20serious%20risks.
  3. Forced Labour in UK Supply Chains – UK Parliament Committees, accessed July 25, 2025, https://committees.parliament.uk/publications/49011/documents/257592/default/
