Amnesty International’s recent report “Shadows of Control” documents how companies from Germany, the UAE, Canada, China, the US, and France have supplied surveillance and censorship technologies to Pakistan: technologies now used to monitor over 4 million people simultaneously and enforce internet shutdowns. The report’s forensic documentation is invaluable, but its findings invite deeper legal analysis, particularly concerning corporate responsibility under international human rights frameworks. This blog explores the legal obligations of technology-originator companies, arguing that ‘adequate’ human rights due diligence must extend beyond direct sales to encompass the entire downstream supply chain.
The UN Guiding Principles on Business and Human Rights (UNGPs) establish that companies have a responsibility to conduct HRDD to identify, prevent, and mitigate their adverse human rights impacts. Amnesty concludes that the companies supplying Pakistan “failed to conduct adequate HRDD.” This finding, however, prompts a more granular question: what constitutes “adequate” diligence within complex, multi-jurisdictional supply chains?
It is important to note that the UNGPs themselves are not a legally binding document in international law. However, they establish the global standard of practice expected of all businesses and are integrated into various binding domestic laws and regional instruments, such as the German Supply Chain Due Diligence Act (LkSG) and the EU’s Corporate Sustainability Due Diligence Directive (CSDDD), creating a legal obligation for in-scope companies domiciled in those jurisdictions.
The Utimaco-Datafusion Case
A case outlined in the report, involving the German company Utimaco and the UAE-based Datafusion, serves as a poignant illustration. Utimaco manufactures the “Lawful Intercept Management System” (LIMS), powerful software that allows deep inspection of digital communications. Datafusion purchases this software, integrates it into larger monitoring centres, and exports the complete system to Pakistani telecommunications providers. Under Pakistani law, these providers are forced to install such systems and grant direct access to the country’s intelligence agencies, notably the Inter-Services Intelligence (ISI). Crucially, as revealed in a 2024 Islamabad High Court case, this surveillance apparatus operates “without any supervision, oversight or control,” and without obtaining the judicial warrants mandated by Pakistan’s own Investigation for Fair Trial Act, 2013 (FTA).
This layered corporate structure presents a core legal challenge under the UNGPs, which differentiate between a company causing harm, contributing to it, or being directly linked to it through its business relationships. The extent of a company’s responsibility to act (specifically, to exercise leverage or, in the extreme, to disengage) hinges on this precise distinction. A key question arises: was Utimaco, as the original technology maker, contributing to human rights abuses, or merely linked through its partner, Datafusion?
Utimaco possessed meaningful leverage (the ability to effect change in the wrongful practices of its business partner) that could have been exercised. Its LIMS product includes a technical safeguard: a warrant management system designed to log and audit lawful interception. The court’s revelation that Pakistani authorities had never used this system to file a single warrant in over a decade is a glaring red flag, and raises an important question: did Utimaco’s HRDD obligation extend to verifying the functional use of its own built-in compliance features? Should it have required contractual commitments from Datafusion on end-use monitoring? Arguably, yes.
Standard for Adequate HRDD
This shows the need for a more robust and legally nuanced application of the UNGPs, where ‘adequate’ HRDD in multi-layered supply chains is understood as a proactive, iterative, and continuous process, encompassing several key, non-exhaustive obligations:
- Context-Aware Assessment: Pre-export evaluations must scrutinize the ultimate deployment environment, not just the immediate customer. For Utimaco, this would have entailed analyzing Pakistan’s documented pattern of warrantless surveillance, evaluating the likelihood that technical safeguards would be bypassed, and anticipating how integration into state-run networks could magnify systemic rights violations.
- Downstream Contracting: Contracts with distributors and integrators within the supply chain should not merely transfer products but embed enforceable HRDD obligations. A framework between Utimaco and Datafusion could have required independent verification of warrant system usage, mandatory reporting of compliance breaches, and escalation protocols, converting abstract responsibility into measurable duties.
- Ongoing Monitoring: HRDD should be ongoing, recognizing that risks may change over time as the business enterprise’s operations and operating context evolve. For technologies that enable human rights violations, adequate HRDD cannot end at the point of sale but must include mechanisms for tracking the functioning of safeguards post-deployment [see Corporate Sustainability Due Diligence Directive]. Continuous monitoring would have revealed that Pakistan’s authorities systematically ignored the built-in warrant system, triggering a duty to intervene or reconsider the business relationship.
- Clear Disengagement Triggers: When monitoring shows that leverage fails and abuse persists, companies must be prepared to terminate partnerships. Defined thresholds, such as repeated bypass of audit systems, translate the UNGPs’ guidance on ending complicity into concrete operational standards. The OECD Due Diligence Guidance, too, provides that companies should consider ending relationships where efforts to mitigate risk prove ineffective. Notably, Pakistani law lacks mandatory HRDD in the context of business impacts on human rights, a gap that deters meaningful oversight, weakens incentives for companies to monitor downstream use, and ultimately allows high-risk technologies to operate without enforceable accountability safeguards.
As the Utimaco-Datafusion case makes clear, human rights due diligence isn’t a tick-box exercise. It’s about sustained attention – anticipating risks, enforcing responsible terms in contracts, and keeping oversight alive across every link in the supply chain to make sure dual-use tools are deployed in line with global rights standards.





