Corporate responsibility in the age of surveillance and transnational repression: legal obligations and human rights due diligence
Vladimir Hrle
Hrle Attorneys, Belgrade
vladimir.hrle@hrle-attorneys.rs
The proliferation of advanced surveillance technologies has outpaced the evolution of legal safeguards, potentially resulting in significant threats to privacy, the freedom of expression and other human rights. Emerging regulatory frameworks do, however, impose binding human rights due diligence (HRDD) obligations on companies. This article examines the obligations of corporations, particularly those developing and distributing surveillance tools, set out in the United Nations Guiding Principles on Business and Human Rights (UNGPs), the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD) and the Corporate Sustainability Reporting Directive (CSRD).
Introduction
In recent years, the global market for surveillance technology has expanded dramatically, with sophisticated tools increasingly being deployed by state and non-state actors alike. While marketed as neutral instruments for law enforcement or national security purposes, these technologies, such as spyware, facial recognition tools and biometric systems, have also been implicated in the alleged facilitation of violations of international human rights norms.
Surveillance technologies have arguably become critical instruments of state power, especially in the context of authoritarian control, and the use of such surveillance is alleged to have enabled transnational repression. Dissidents living in exile are alleged to have been monitored, harassed and even abducted or killed with the help of digital tracking tools. These developments raise serious legal and ethical concerns, especially where private companies provide technologies that are later implicated in political repression, unlawful surveillance or the targeting of dissidents.
These tools are often dual use, meaning they have legitimate applications in criminal investigations or in the interest of national security, but they can be repurposed to suppress dissent or target minority groups. Regulation (EU) 2021/821[1] governs the export, brokering, technical assistance, transit and transfer of dual-use items, products and technologies that can be used for both civilian and military applications.
However, export controls alone cannot prevent end-use abuse. Other instruments address this gap: in particular, the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) and the Corporate Sustainability Reporting Directive (CSRD)[2] operationalise corporate human rights obligations across both intra-EU and transnational contexts.
As a cornerstone of HRDD, the UNGPs,[3] endorsed by the UN Human Rights Council[4] in 2011 (and the basis for many of the obligations under the CSDDD), articulate the corporate duty to avoid infringing on the rights of others and to address any adverse impacts with which the company is involved.
These instruments require that businesses not only identify and mitigate risks, but also actively prevent harm and provide redress. The CSDDD and CSRD frameworks have the potential to fill critical normative and regulatory gaps by demanding continuous oversight and transparency, even after the point of sale.
On 26 February 2025, the European Commission proposed an Omnibus simplification package,[5] including amendments to the CSRD/European Sustainability Reporting Standards (ESRS)[6] and the CSDDD, primarily with the aim of making sustainability reporting more efficient and less burdensome for companies. The Omnibus package has been criticised for reducing the scope of due diligence to be undertaken by companies, as well as the number of companies that will be directly within scope of the Directives’ obligations. This article takes into account the existing regulatory position at the time of writing, while noting that this may be subject to revision as part of the legislative process.
In addition, the new EU Artificial Intelligence (AI) Act[7] requires that companies that provide and/or deploy AI-related features perform an additional layer of due diligence to ensure that the deployment of AI is not detrimental to human rights. The AI Act goes beyond the traditional HRDD as it mandates specific technical standards to safeguard human rights as well as continuous risk assessments of AI’s impact on human rights, and adds external checks on human rights compliance by introducing third-party conformity assessments for high-risk AI activities.
Corporate complicity for non-action
Surveillance technology companies now face a heightened duty to conduct meaningful HRDD. When their products are misused by repressive regimes or law enforcement agencies, they risk being directly linked to serious human rights violations.
For corporate actors in the surveillance sector, it is necessary to adopt robust governance measures that go beyond mere legal formalism, including binding end-use agreements that prohibit the surveillance of journalists, political opponents or activists, third-party human rights impact assessments carried out prior to deployment, and termination clauses covering cases of misuse. These due diligence mechanisms should enable companies to identify patterns of misuse, suspend risky transactions and contribute to broader efforts of rights-based technology governance.
Under the UNGPs, corporations must ‘avoid causing or contributing to adverse human rights impacts through their own activities’ and ‘seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships’. The principle of corporate responsibility in regard to respecting human rights is non-contingent; it applies regardless of whether state enforcement mechanisms are present or effective.
Companies that sell surveillance technologies to jurisdictions with documented human rights violations may be viewed as potentially contributing to, ie, aiding and abetting, those abuses. In such cases, their alleged liability may extend beyond reputational harm to possible legal consequences under national and supranational laws.
For example, the alleged misuse of Pegasus spyware by governments to surveil journalists and human rights defenders has led to legal action, regulatory investigations and the software’s exclusion from key markets.
In 2021, a number of organisations – including Citizen Lab and Amnesty International – published investigations into Pegasus. Citizen Lab had earlier claimed that Pegasus software was potentially being used in up to 45 countries, including EU Member States.[8] Pegasus, the organisations alleged, provided government clients with near-total access to a target’s smartphone, including real-time microphone activation, encrypted communications, GPS data and private files, all without the user’s knowledge.[9] In some cases, they said, surveillance preceded arbitrary arrests, indicating that misuse of the software played a facilitating role in broader patterns of state-sponsored repression.[10]
Following such allegations, in 2021 a number of UN human rights experts called on all states to impose ‘a global moratorium on the sale and transfer of surveillance technology until they have put in place robust regulations that guarantee its use in compliance with international human rights standards.’[11] Noting that ‘Pegasus spyware, as well as that created by […] others, enable extremely deep intrusions into people’s devices, resulting in insights into all aspects of their lives,’ then-UN High Commissioner for Human Rights Michelle Bachelet said that ‘their use can only ever be justified in the context of investigations into serious crimes and grave security threats’ and that ‘Companies involved in the development and distribution of surveillance technologies are responsible for avoiding harm to human rights.’[12]
The European Parliament’s 2023 Report of the investigation of alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware,[13] resulting from its Committee of Inquiry on Pegasus and equivalent surveillance software, concluded that several Member States breached EU law, including the Charter of Fundamental Rights of the European Union, through their unregulated use of such tools.
NSO Group, which created Pegasus, has consistently and categorically denied any allegations of misuse and emphasised the critical importance of cyber intelligence tools for government intelligence and law enforcement agencies to protect civilians against serious threats such as terrorism and organised crime. With respect to alignment with the UNGPs, the company has stated that: ‘NSO Group is unwavering in its commitment to human rights and to investigating any credible claims of misuse. Our comprehensive human rights compliance program, built in alignment with the United Nations Guiding Principles on Business and Human Rights […] reflects our dedication to ethical practices. We remain dedicated to proactive stakeholder engagement and open to dialogue with all civil society organizations. Our commitment to fostering open communication continues to be a cornerstone of our operations.’[14]
Recent cases relating to encrypted communication services, meanwhile, show that providers working in high-risk contexts, even when involved in the pursuit of a legitimate aim,[15] must also go beyond legal neutrality. When credible evidence suggests their tools are likely to be misused, or when state exploitation of their platforms threatens the rights of uninvolved users, especially through mass surveillance, companies have a responsibility to proactively assess and mitigate human rights risks by conducting HRDD. This includes embedding risk assessments across the design and deployment phases, refusing or discontinuing services in high-risk contexts, maintaining transparency and stakeholder oversight, and preparing for how law enforcement interception of their platforms might affect the privacy, due process rights and presumption of innocence of all users.
Failing to do so not only undermines public trust in encryption and privacy technologies, but increasingly exposes these companies to legal liability, reputational damage and scrutiny of their adherence to global human rights standards.
The CSDDD and CSRD
The adoption of Directive (EU) 2024/1760, which focuses on corporate sustainability due diligence, aiming to enhance responsible business practices and protect human rights and the environment across global value chains, represents a watershed moment in EU corporate governance. The CSDDD mandates that in-scope companies implement due diligence measures to identify, prevent, mitigate and account for actual and potential adverse human rights and environmental impacts throughout their operations and value chains. The CSDDD tacitly recognises the dangers posed by transnational repression, wherein governments employ commercial surveillance products to target individuals located abroad. Surveillance technology providers must anticipate and address such misuse, or risk violating their legal obligations under EU law.
In the context of surveillance technology, this may include preventing the risks of adverse impacts arising from the operations of surveillance companies and the potential misuse of their products through certain downstream activities by authoritarian regimes or other actors to conduct transnational repression, which includes the practice of targeting dissidents, journalists or human rights defenders abroad through surveillance, threats or harassment. Even though the CSDDD generally excludes most downstream activities, it is clear that the end use of surveillance technologies should be covered by the due diligence process as it falls under the scope of ‘distribution, transport and storage of the product’. A new study by the European Parliament suggests that a strong obligation is placed on surveillance companies to conduct due diligence under the CSDDD:
‘The Directive is a step change in protecting people from abuses, including individuals affected by transnational repression incidents. It would mean that victims of transnational repression targeted by the company’s operations or its subsidiaries could have access to better judicial redress in Europe. If robustly implemented, it would further prevent or mitigate the risks associated with selling spyware technologies to governments that systematically commit human rights abuses’.[16]
The Directive applies extraterritorially, capturing large EU-based companies and non-EU companies with substantial operations on the EU market. It also imposes enforcement duties on Member States, including administrative oversight and the provision of civil liability mechanisms.
Of particular relevance to the surveillance sector, the CSDDD obliges companies to:
- conduct human rights risk assessments, with a sector-specific focus;
- adopt measures to address the risks, including contract termination or product redesign;
- disclose data on their due diligence practices, annually; and
- provide remediation to affected individuals and communities.
Disclosure is not merely a compliance exercise; it is an accountability mechanism that enables public oversight and regulatory intervention. The CSRD, effective from 1 January 2024, complements the CSDDD by mandating the public disclosure of companies’ environmental, social and governance (ESG) risks. Large undertakings and certain small- and medium-sized enterprises (SMEs)[17] must submit sustainability reports in accordance with the ESRS, which were drafted by the European Financial Reporting Advisory Group (EFRAG).
Under the ESRS, inter alia, companies must disclose: their due diligence policies and procedures; actual and potential human rights risks in their value chains; stakeholder engagement processes; and remediation mechanisms and outcomes. Most importantly, companies should conduct so-called materiality assessments and identify impacts on the company’s external environment and stakeholders. Impact materiality is assessed in part through a due diligence process, whereby organisations identify, prevent, mitigate and account for how they address the actual and potential negative impacts on the environment and people connected with their business. Under the ESRS, such impacts include those connected with the undertaking’s own operations and upstream and downstream value chain, including through its products and services, as well as through its business relationships. In the case of surveillance providers, this would mean assessing how their technology affects the rights of the people subject to it.
The ESRS framework incorporates the UNGPs and the Organisation for Economic Co-operation and Development’s (OECD) Guidelines for Multinational Enterprises on Responsible Business Conduct, thereby grounding corporate reporting in established international norms.
For companies in the surveillance industry, this requires extensive stakeholder consultation with affected communities, civil society actors and human rights organisations. Companies are expected to:
- identify potentially affected rightsholders, such as journalists, political dissidents, ethnic minorities and activists;
- consult with civil society organisations, human rights experts, digital rights groups and possibly whistleblowers or diaspora communities; and
- use that input to inform their risk assessments, product design, sales practices and mitigation measures.
Without such stakeholder engagement, businesses risk overlooking significant harms and enabling further abuses, especially given the high risks of misuse and abuse in the surveillance industry and the calls for heightened due diligence in this context beyond standard practices.
Conclusion
The convergence of the UNGPs, the CSDDD and the CSRD could signal a paradigm shift in the legal obligations of corporations, particularly in high-risk sectors like surveillance technology.
Corporate neutrality in the face of foreseeable harm is no longer tenable. Instead, the law now requires proactive, ongoing human rights due diligence, coupled with mechanisms for remediation and transparent public engagement. Under both the CSDDD and the CSRD, any EU-based entity involved in the development or distribution of spyware technologies is now subject to public disclosure obligations and potential liability for failing to mitigate adverse human rights impacts. Corporations must proactively embed human rights governance into their operations to avoid complicity in systemic human rights abuses involving transnational repression.
The above situations show that surveillance technology and encryption providers must embed human rights protections at every phase of the product life cycle, from design and distribution to post-sale monitoring. Doing so will not only align with emerging legal mandates but will also help ensure that innovation remains a force for empowerment rather than oppression.
The views and opinions of Vladimir Hrle expressed here are personal, and do not necessarily represent views and opinions of the International Bar Association, current or past employers or colleagues, or professional associations, or organisations with which Vladimir has collaborated.
[1] Regulation (EU) 2021/821 of the European Parliament and of the Council, 2021 O.J. (L 206) 1 (on the control of exports, brokering, and transit of dual-use items).
[2] Directive (EU) 2024/1760 of the European Parliament and of the Council on Corporate Sustainability Due Diligence, 2024 O.J. (L 1760).
[3] UN Human Rights Council, Guiding Principles on Business and Human Rights, UN Doc. A/HRC/17/31 (2011).
[4] See also United Nations Human Rights Council, Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, UN Doc. A/HRC/41/35 (2019).
[5] European Commission, Proposal Omnibus I Simplification Package COM(2025)80; COM(2025)81.
[6] European Sustainability Reporting Standards (ESRS), adopted via Delegated Regulation (EU) 2023/2772.
[7] Regulation (EU) 2024/1689, Official Journal of the European Union, L 2024/1689, 12 July 2024.
[8] Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak and Ron Deibert, ‘Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries’, Citizen Lab, 18 September 2018, https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/, accessed 21 August 2025.
[9] Amnesty International, ‘Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally’ (Amnesty International, 19 July 2021).
[10] Amnesty International, ‘Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally’ (Amnesty International, 19 July 2021).
[11] United Nations Human Rights Office of the High Commissioner, ‘Spyware scandal: UN experts call for moratorium on sale of “life threatening” surveillance tech’ (OHCHR, 12 August 2021).
[12] United Nations Human Rights Office of the High Commissioner, ‘Use of spyware to surveil journalists and human rights defenders. Statement by UN High Commissioner for Human Rights Michelle Bachelet’ (OHCHR, 19 July 2021).
[13] European Parliament, Committee of Inquiry to Investigate the Use of Pegasus and Equivalent Surveillance Spyware (PEGA), Final Report, www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2023)747923.
[14] NSO Group, ‘NSO Group Responds to Amnesty International’s Amicus Curiae in Thai Litigation’ (NSO Group, 9 September 2024), www.nsogroup.com/Newses/nso-group-responds-to-amnesty-internationals-amicus-curiae-in-thai-litigation/, accessed 21 August 2025. An update has been requested from NSO Group.
[15] Europol, ‘Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized’ (Europol, 27 June 2023).
[16] Saipira Furstenberg, Marcus Michaelsen and Siena Anstis, Transnational repression of human rights defenders: The impacts on civic space and the responsibility of host states (European Parliament, June 2025).
[17] Directive (EU) 2022/2464, 2022 O.J. (L 322) 15.