Tort Liability of Private Safety Auditors in Global Value Chains

Abstract Private safety auditors are key constituents of modern risk governance in global value chains (GVCs). However, high-impact safety incidents causing extensive harm inside and outside the chain have cast widespread doubts as to the integrity and rigour with which these commercial auditors carry out their professional services. Civil liability has been considered an important legal instrument to incentivise auditors to improve audit accuracy and integrity. Relying on English law, this article assesses the extent to which this premise holds true for product safety and social auditing. To that end, it studies the liability exposure of private safety auditors for negligent auditing in GVCs. It is argued that this exposure is primarily a function of the contractual obligations these auditors undertake to perform for producers or suppliers in GVCs. This finding draws attention to the need to better understand and define the scope of the safety audits offered for risk management purposes within GVCs.


I. Introduction
Private safety auditors are key constituents of modern risk governance in global value chains (GVCs). Large buyer firms such as retailers and brands rely on these commercial auditors to monitor and assure supplier compliance with regulatory standards on matters of product safety, worker protection and environmental sustainability. 1 Private auditors thus provide invaluable information about the safety risks traded commodities may pose to end users of produced goods, as well as the degree to which foreign suppliers handle occupational health and safety risks for workers involved in production or the risks to the environment or communities in the vicinity of production. This compliance information assists large buyer firms in the management of reputational concerns and liability risks associated with the structural outsourcing of production in GVCs to foreign suppliers. In turn, it enables these firms to make strategic decisions about which suppliers to include or exclude in their chains. 2 However, the information that private safety auditors provide is not always complete or accurate. There are various examples in which the failure of auditors to report regulatory non-compliance have been implicated in major safety incidents that caused significant and widespread harm. The fire that raged in the Ali Enterprise factory in Karachi, Pakistan, in September 2012, killing 260 workers and leaving thirty more injured, is a tragic example of this. Just weeks before the blaze, private auditors had certified the factory as meeting a global private standard designed to attest safe working conditions, the SA8000 standard. 3 The high death toll was reported to be related, amongst other things, to the fact that many of the workers were trapped by locked emergency exists. 4 This was a violation of the applicable standard. 5 Scholars, governments and activists have advanced several explanations of why audit information about supplier compliance in GVCs may prove invalid. Central in this body of literature are conflicts of interests between the professionalism of auditors and the financial benefits they gain from auditing their clients. Empirical research on auditing practices in GVCs suggests that auditors are more lax when they: monitor their own paying clients; have the opportunity of cross-selling other business services such as consultancies or trainings to audited firms; face more competition on the price of auditing services; and operate in corrupt environments in which they receive side payments from the firms they audit. 6 One instrument to bolster audit quality and integrity is that of imposing tort liability on auditors for the negligent performance of their contracted professional services. 7 Third parties that benefit from compliance with the standards that private safety auditors are assigned to monitor under a services contract with the supplier firm may use tort law as a means to claim compensation for the losses they have suffered because of negligent auditing. For safety audits, these third parties primarily involve those who rely on the validity of the audit for the safe use of the product (ie the end user, businesses and consumers alike) and those who are involved in the production process and stand to gain from astute inspection of protective health and safety standards (ie workers). 8 The assumption underlying the measure of imposing tort liability is that the threat of incurring such liability, as it stands, creates sufficiently strong incentives for private safety auditors to improve the reliability of their audits. In other words, the threat of liability needs to be credible enough to create incentives for improvement. This contribution assesses the truth of that assumption by assessing the liability risk that private safety auditors face for providing incomplete or inaccurate compliance information via their contracted services in GVCs. While recognising that, in this context, factors such as prescription periods, (third-party) litigation funding and conflicts of law 9 play a significant role in shaping auditor exposure to civil liability in tort, the focus of the analysis here is on the material conditions governing auditor liability vis-à-vis third-party beneficiaries.
Using English tort law as the legal domain of analysis, this article argues that the liability risk that private safety auditors face in GVCs is distinctively determined by the contractual obligations they undertake to perform auditing services for the supplier firms. The "what", "who", "when", "how" and "why" of safety audits are key proxies for courts to determine whether or not to impose a common law duty of care on the auditor towards third parties at risk of suffering a loss from negligently performed audits. In the absence of any legislative framework that holds differently, it is the contract between the supplier firm and the private safety auditor that principally defines these variables. Accordingly, it is held that the auditing contracts, including the audit standards and protocols these impose, play a central role in the allocation of tort liability concerning the safety risks to which third parties are exposed in GVCs.
This contribution is organised as follows: Section II sets out the structural role that private safety auditing plays in the modern governance of safety in GVCs. To that end, it discusses the pervasiveness and practices of food safety auditors and social auditors. Whereas the former assess regulatory compliance by primary producers, food manufacturers and suppliers for the purposes of placing safe food on global markets, the latter conduct audits to assess compliance with fundamental labour standards and human rights in global production networks. The extent to which these auditors hold themselves out as controlling the risks of physical harm for a defined class of persons, as we will see in Section III, is key in determining whether to assign to them a duty of care under the English common law tort of negligence. Establishing whether an auditor owes such a duty is a threshold issue. If no duty is established, the auditor is not answerable under tort law for any false information provided through its audit. By focusing the analysis on the duty element, the article will thus be able to offer an accurate picture of the liability exposure that private safety auditors face under English tort law and the common law jurisdictions relying on it. This descriptive legal analysis provides the basis for normative considerations around the need for subjecting private safety auditors in GVCs to liability for negligence in Section IV. Section V offers brief conclusions.

II. Private safety auditing in global value chains
Private auditing plays a key role in managing safety in GVCs across a wide range of economic sectors. The rise of this specific private governance mechanism can be explained by the increased desire of lead buyer firms to manage the reputational risks associated with the structural outsourcing of production in GVCs. These risks are significant given that the law and public institutions in production locations in the Global South may not be able (or willing) to ensure the levels of safety buyer firms headquartered in the Global North require of them. 10 At the same time, firms and individuals who buy products marketed by these lead firms are ever more concerned about the safety of products being traded or the protection of workers and the environment involved in production. 11 While lead firms continue to administer audits to verify compliance with safety standards, they increasingly outsource that verification task to third-party professionals. 12 Supplier firms contract with these professionals to periodically conduct compliance audits and pay a commercial fee for these auditing services. Supplier firms are typically required to do so based on enforceable obligations that are part of the supply contract with the lead buyer firm or as part of the latter's private procurement scheme that manages their eligibility for a supply contract. 13 Accordingly, lead firms outsource the monitoring of compliance to for-profit, private, third-party auditors, without having to bear the costs of such monitoring directly.
To illustrate the pervasiveness of the activities of commercial third-party private safety auditors in GVCs, this section highlights the international practices of food safety auditing and social auditing. In both domains, a mature global industry of commercial third-party auditing has developed over recent decades. 14 These developments have also sparked discussion in the literature regarding audit quality and integrity, as well as the role of auditor liability to strengthen industry practice.

Food safety auditing
Private safety auditing is part and parcel of modern food safety regulation. 15 Since the 1990s, major food companies and retailers in Europe and the USA have developed private food safety standards for producers and suppliers of fresh produce and other (agri-)food products. The factors that drove the rise of these standards include the growing concentration of the economic power of food companies and retailers, the increase of global trade in food, the outbreak of recurrent international food safety crises, including bovine spongiform encephalopathy (BSE), a general perception amongst the public of failing government institutions and novel concerns amongst consumers about safety, animal welfare, dietary habits, the environment and fair trade. 16 Compliance with private food standards is monitored through refined certification schemes, which typically operate based on private third-party auditing. 17 There is a wide range of food safety auditing schemes, both at the national and international level. A leading scheme is GLOBALGAP. This is, in fact, the world's most widely implemented private food safety scheme for agricultural food products. GLOBALGAP works with more than 2,000 trained third-party auditors at some 150 accredited certification bodies to perform compliance audits at more than 200,000 certified producers in over 135 countries. 18 These accredited certification bodies may be local players, but a fair share of them (approximately 20%) are subsidiaries of global for-profit auditing firms, such as Bureau Veritas (BV), Det Norska Veritas (DNV), Lloyds, Registro Italiano Navale Group (RINA), Société Générale de Surveillance (SGS) and the TÜV Group. 19 GLOBALGAP currently includes in its membership food producers, suppliers, retailers and food service providers, and it has developed a variety of private standards, each concerned with a different topic, including food safety, animal welfare and labour conditions. Food safety is regulated via GLOBALGAP's Integrated Farm Assurance (IFA) scheme, which consists of different modules that apply to the product groups of crops, livestock and aquaculture. 20 While GLOBALGAP is an important auditing scheme, it is certainly not the only one. Firms supplying different retailers or markets are frequently confronted with multiple, partly overlapping schemes, each having its own audit standards and protocols. The resulting compliance costs are said to impede market access for small and medium-sized enterprises (SMEs), especially those in developing countries. 21 In response to these and other concerns, a group of global food retailers established the Global Food Safety Initiative (GFSI) in 2000. This industry organisation benchmarks competing private food safety standards following a set of baseline requirements with a view to coordinate, converge and ratchet up existing standards and enhance compliance with food safety laws. 22 To give an impression of the centrality of the GFSI in the food auditing industry, it was estimated in 2006 that 75-99 per cent of food products sold by the world's leading supermarket chains were certified under GFSI-benchmarked schemes. 23 The GFSI has leveraged its pivotal position in industry to push leading international auditing schemes to adopt more stringent auditor training and audit protocols to increase food safety audit reliability, which has been a real concern. 24 For one, audited suppliers have been linked to major outbreaks of food-borne disease. For example, the German enterohaemorrhagic Escherichia coli (EHEC) outbreak of 2011 was traced back to organically certified fenugreek seeds imported from Egypt. The outbreak led to 3,842 cases of foodborne disease, including 137 deaths in Europe and North America. 25 In other instances, the outbreak was alleged to be related to poor auditing. One example concerns the contamination of cantaloupes in the USA with Listeria monocytogenes, which caused 147 reported cases of serious illness and 33 deaths. 26 The source of contamination was Jensen Farms, a grower based in Colorado. PrimusLabs, a commercial third-party auditor, had provided Jensen Farms a food safety certificate based on an audit performed by a subcontracted entity. The grower required this certificate by the distributors and retailers in order to do business with them. Victims of the outbreak claimed more than $50 million in damages in lawsuits against, inter alia, PrimusLabs. While several state courts acknowledged that the auditor owed the plaintiffs a duty of care in negligence, the factual question of whether the auditor breached its duty was never answered in trial. PrimusLabs settled the lawsuits before trial. 27 Incidents such as these, along with persistent concerns amongst the public authorities responsible for the enforcement of local food safety laws about private auditing, have driven the GFSI to bolster the quality of private food safety auditing. Over the years, the GFSI has developed stricter requirements on issues such as auditor competence, unannounced visits and fraud prevention. In May 2022, twelve global audit schemes have been shown to meet these standards. 28 One of the achievements of this gradual ratchetting up of auditing standards is that local food safety authorities in Canada, the Netherlands, the UK and the USA have come to integrate the audit status of food business operators under GFSI-benchmarked schemes as an indicator of the risk profile the operator has. An audited status typically leads to less frequent or less extensive inspection visits by the food authorities. 29 Consequently, public and private food safety controls have started to become more integrated in several jurisdictions.

Social auditing
Social auditing involves the practice of assessing producer or supplier compliance with fundamental labour standards and, more broadly, human rights. Social auditing emerged in the 1990s as a response to increased public awareness about serious labour rights violations by foreign suppliers, especially in the apparel, footwear and textile industry. Non-governmental organisation (NGO) reporting and extensive media coverage about forced labour, child labour, unfair and unequal pay and unsafe working conditions in GVCs tarnished the reputation of major brands in the industry. 30 Since then, numerous transnational private regulatory initiatives have been developed to effect change in labour practices. 31 The potential of these initiatives, amongst which private codes of conduct backed by social auditing are a principal instrument, was critically assessed by many. In particular, scholars and NGOs have called for more transparency and accountability towards the ultimate beneficiaries (ie workers and local communities) and the safeguarding of the independence of monitoring actors. 32 The industry of social auditing is led by large international auditing firms. 33 These firms are the very same firms that were observed to play a big role in food safety auditing. All of these have a long history in safety auditing, originally relating to the safety of maritime shipping. The audit firms have expanded their commercial activities in the last two decades to the domain of corporate social responsibility (CSR) to provide social auditing services to foreign producers and suppliers operating in GVCs of multinational firms based in the Global North. These producers and suppliers typically contract with a local chapter of the international auditing firm, which then performs the audit against payment of a commercial fee. Alternatively, the subsidiary may choose to outsource the auditing to audit firms or individuals with local expertise, as happened in the case of the tragic Ali Enterprise factory fire. 34 Regulations on non-financial reporting and supply chain due diligence that have emerged since the 2010s, including those discussed in the contributions by Villiers and by Lafarre and Rombouts in this Special Issue, have created further scope for the social audit industry to grow.
Similarly to food safety auditing, there are several competing schemes for social auditing. In terms of numbers, the SA8000 standard is the most widespread scheme. 35 Social Accountability International (SAI) developed this scheme in 1997 using substantive fundamental labour standards found in the Universal Declaration of Human Rights, conventions of the International Labour Organization (ILO) and national laws. These standards related to child labour, forced labour, occupational health and safety, working hours, remuneration as well as worker discrimination, freedom of association and collective bargaining. 36 Like GFSI-benchmarked schemes for food safety, the SA8000 standard operates on the basis of third-party auditing, which implies that the audits are carried out by auditing firms that have been accredited for that purpose by the Social Accountability Accreditation Services (SAAS). 37 BV, DNV, Lloyds, RINA, SGS and the TÜV Group again appear on the list of SAASaccredited auditing bodies. 38 Competing audit schemes involve the Business Social Compliance Initiative (BSCI). The BSCI was launched in 2003 by the Brussels-based Foreign Trade Association. Now branded as Amfori BSCI, the initiative is a membership organisation offering some 2,400 membercompanies a platform to enable them to improve social performance in their supply chains. 39 The BSCI Code of Conduct is, like the SA8000 standard, based on fundamental labour standards. SAAS-accredited auditing bodies (ie the very same for-profit audit firms recognised under the SA8000 standard and the GFSI-benchmarked schemes for food safety) check its compliance. 40 Despite its similar approach, the BSCI has been critically described as "SA8000-lite" as it offers less robust auditing standards then SAI's auditing scheme. 41 Poor auditing under the BSCI Code of Conduct by TÜV India was alleged to have played a role in the harm that was caused to workers and their families in the tragic collapse of the Rana Plaza building in the Dhaka District of Bangladesh in 2013. 42  36 "SA8000® standard" (SAI) <https://sa-intl.org/programs/sa8000/> (last accessed 20 September 2022). 37 "SA8000® Accreditation Program" (SAI) <https://sa-intl.org/services/assurance/sa8000-accreditation/> (last accessed 20 September 2022. 38 All named firms are accredited, but for Lloyds (LRQA), for with the accreditation expired in 2019. "SA8000 Accredited Certification Bodies" (SAI) <https://sa-intl.org/resources/sa8000-accredited-certification-bodies/> (last accessed 20 September 2022). 39 "Amfori BSCI" (Amfori) <https://www.amfori.org/content/amfori-bsci> (last accessed 20 September 2022); "Our Members" (Amfori) <https://www.amfori.org/content/our-members> (last accessed 20 September 2022). 40  to TÜV India, since the cause of the collapsethe weak structural safety of the buildingwas not part of the scope of the social audit TÜV India was contracted for. 43 In addition to the traditional safety audit firms named above, the "Big Four" (ie Deloitte, EY, KPMG and PwC) are reported to have become formidable players on the global market for social auditing. Fransen and LeBaron suggest that the rise of legislation covering modern slavery and human trafficking (eg the California Transparency in Supply Chains Act 2010 and the UK Modern Slavery Act 2015) has led the Big Four to adopt comprehensive programmes to aid companies to meet the new requirements for disclosure on transnational labour standards in GVCs. 44 Producers or suppliers that wish to improve their compliance with social standards can sign up to these voluntary programmes, which are developed and audited by the audit firms themselves, as alternatives or complements to the SA8000 or BSCI schemes.

III. Tort liability of private safety auditors under English law
In discussing the scope of the international practices of food safety auditing and social auditing, the previous section highlighted the significance of audit reliability to the effectiveness of private safety auditing as a risk governance mechanism in GVCs. Economic conflicts of interest and the social relations that surround commercial third-party auditing, as currently organised, may compromise that reliability and can lead to widespread harm amongst those who rely on or stand to gain from the veracity of the audits. 45 Tort liability is seen as an important regulatory tool to strengthen audit reliability. This position assumes auditing firms are answerable under tort law for the harm that is caused by their negligence. Only to the extent that auditing firms are answerable may the threat of tort liability operate as an incentive to improve audit rigour, quality and integrity. Therefore, this section turns to the conditions governing the civil liability of private safety auditors. It will use English common law as the jurisdiction of analysis. This focus is not by accident. Common law courts around the world, including those in export-orientated countries in the Global South, such as Bangladesh, India and Pakistan, frequently rely on English law as a source to clarify standards of tort liability in novel cases.
Tort claims against a private safety auditor based on English law will be treated under the tort of negligence. A claim in negligence is successful where the claimant demonstrates that they suffered a loss because of a breach of a duty of care that the auditing firm owed to them while performing the auditing services. To determine the existence of a duty of care for the defendant vis-à-vis the claimant, it must be foreseeable for the defendant that the  45 It should be noted that despite powerful allegations put forward by NGOs and victims as to the flagrant failure of private third-party auditing to ensure safe products and safety production practices, there is no empirical evidence of systemic failures of such auditing attributable to conflicts of interest. Nonetheless, there are cases that reveal that such conflicts lead to audit failure. One prominent example is the breast implants scandal of the French producer Poly Implante Prothèse (PIP). In 2021, the Paris Court of Appeal ruled that the auditing firm involved (TÜV Rheinland) negligently certified the producer of the implants due to a lack of impartiality on the part of its subcontracted auditor (TÜV France) and was therefore liable under French tort law for the harm suffered by victims who received faulty breast implants. See  claimant would suffer a loss if they failed to take reasonable care, there is a sufficiently proximate relationship between the claimant and the defendant and it would be fair, just and reasonable, as a matter of legal policy, to impose a duty of care on the defendant. In assessing whether these three elements are satisfied, the law of negligence demands that an approach based on precedent be followed, considering the closest analogies with previous decided (categories of) cases. 46 If novel cases emerge, the court should proceed incrementally, recognising a duty of care more easily in situations that are similar to an "existing pocket of liability" 47 or "previously recognized duty situations". 48 To do so allows for a step-by-step development of the law of negligence, whether this may be expansive or restrictive.
Private safety auditors in GVCs, as noted, are primarily concerned with providing professional services to assess the (level of) compliance of a corporate entity (the auditee) with the health and safety standards specified by the audit contract. Once that assessment and related compliance information are disclosed (be it in the form of a certificate, label or any other form of attestation), claimants may place reliance on it and suffer a loss if the information proves false. There are a number of established authorities in English case law that deal with negligent inspections and inaccurate compliance information that foreseeably resulted in physical harmeither personal injury or property damageon the part of the claimant. These cases straddle the borderlands between different categories of negligence cases, namely "directly inflicted physical harm" and "assumption of responsibility for the risk of physical harm". 49 In these case categories, as will be discussed, a principal concern of the courts in establishing that the defendant owes the claimant a duty of care has been the element of proximity. 50 This element concerns the question of whether there is a relationship of sufficient closeness or nearness between the claimant and defendant relevant to the allegedly negligent act or omission.

Previously recognised duty situations a. Direct physical harm
In considering the existence of a duty of care for a defendant auditor for physical harm suffered by the claimant and the necessary proximity between the former and the latter, an important matter within the English law of negligence is the question of who is primarily responsible for the risk involved. A defendant generally owes a duty of care to the claimant if they carry primary responsibility and engage in conduct foreseeably importing the risk of personal injury for the claimant. Those concerned with safety audits or inspections may carry such primary responsibility. This follows from two established authorities on negligent safety inspections of property closely and directly affecting the claimants. The first is Clay v. Crump, in which an insecure wall at a building site had 46 50 The element of "foreseeability", while constitutive for the existence of a duty of care, was not found to be problematic for claimants to demonstrate in cases involving negligent audits and inspections. collapsed on a workman. 51 The relevant defendant was an architect, who had been contracted and charged with the responsibility of preparing and supervising the works on site. The architect had relied on the opinion of another that the wall was safe, but had he inspected the property himself, its dangerous condition would have been immediately apparent. Applying the legal principles laid down in Donoghue v. Stevenson, 52 Ormerod L.J. considered that the architect, by reason of his contractual arrangements, must have had in his contemplation the builders who would go on the building site. 53 As such, the contracted role of the architect to supervise the building site and the workmen on it established the required proximity between the defendant and claimant in this case.
The second authority is Perrett v. Collins, which involved the negligent inspection of an aircraft. 54 The aircraft, constructed from a do-it-yourself kit, was fitted with an incompatible gearbox. Knowing of this change, the relevant defendant, a private safety inspector, signed a permit to fly under the relevant statutory regulations. 55 When the owner of the aircraft took it for a test flight, he was unable to control his descent and his passengerthe claimantwas injured. Following the case of Clay, the element of proximity was found to be satisfied on the ground that the defendant's acts had "the more or less inevitable consequences of causing physical injury to the claimants". 56 The safety inspector was found to have a critical role in the safety inspection of the aircraft: without its inspection, as required by statute, the aircraft could not have taken off. Moreover, upon approval of the aircraft, a passenger is entitled to assume that the applicable safety requirements are met and to rely on it being the case that those involved in such inspection have taken proper care. 57 In more general terms, then, proximity exists in cases of physical harm where the claimant "belongs to a class which either is or ought to be within the contemplation of the defendant and the defendant by reason of his involvement in an activity which gives him a measure of control over and responsibility for a situation which, if dangerous, will be liable to injure the [claimant]". 58 Do the food safety and social auditors discussed in this article find themselves in a situation in which they have a measure of control over and responsibility for a risk that is likely to injure the claimant in the same way as the defendants in Clay and Perrett? Surely, these auditors carry a degree of responsibility for the safety of the products, processes or premises they audit. However, that responsibility is not primary, in the sense that the audit is constitutive of the source of risk involved. The auditee is primarily responsible. It is their business operations that carry with them the risk to which the claimant is exposed. Food safety and occupational health and safety laws squarely place that responsibility on the food business operator and the employer involved. 59 For the private auditors discussed here, there are no contracts that discharge the auditees from their responsibility of safety and impose it on the auditors as happened between the building owner and the architect in Clay, nor are there statutes that impose on auditors a public law function as held by the aircraft inspector in Perrett. In fact, audit contracts typically impose on 51  auditees the legal obligation to comply with all relevant safety regulations and will require them to indemnify the auditors for any civil liability for damage caused to third parties by the breach of those regulations. 60 Accordingly, it cannot be held in general that, for the case category of directly inflicted physical harm, food safety and social auditors are in a sufficiently proximate relationship with claimants injured following a negligent audit. Support for this position is found in the case of Marc Rich and Co. v. Bishop Rock Marine Co. Ltd. 61 In this case, a vessel called the Nicolas H sank and along with it the cargo it carried. The cargo owners suffered physical harm (ie property damage) and sued the classification society that had surveyed the vessel to establish its seaworthiness. The defendant had previously recommended that even though the Nicolas H showed cracks in its hull, the vessel could complete her voyage with temporary repairs. These repairs proved inadequate and the vessel sank a short time afterwards. The House of Lords found the defendant not to owe a duty of care to the cargo owners. Lord Steyn (with whom a majority concurred) found that the case did not involve the direct infliction of physical damage. In his view, the ship owner bore primary responsibility for the vessel sailing in a seaworthy condition, the role of the surveying defendant being a "subsidiary one". 62 Lord Steyn held further that the absence of any contact between the claimants and defendant, while not being necessarily decisive, argued against demonstrating proximity. The claimants, it was reasoned, did not suggest that they were aware that the classification society had inspected the vessel and simply relied on the ship owners to keep the vessel seaworthy and the cargo safe. 63 b. Assumption of responsibility for the risk of physical harm This does not conclude the duty question. English courts have developed several theories in the law of negligence to overcome the proximity gap between a harmed claimant and a defendant who carries secondary responsibility for the risk leading to that harm. As such, courts may impose a duty on a defendant even if the defendant did not directly cause the damage, but a third party did. 64 Important for the analysis here is the case category in which the defendant had themself assumed responsibility for the risk of physical harm to which the claimant was exposed. 65 The test for this doctrine of "assumption of responsibility" consists of two legs. 66 The first requires that the defendant voluntarily took on the responsibility to take care to prevent or avoid the harm suffered by the claimant. 67 Whether they did is objectively determined by looking at the particular skills, profession, control or other relevant capabilities the defendant had in relation to the claimant. 68 The second leg of the test requires the claimant to have reasonably relied on the defendant's assumption of responsibility. 69 Even if the plaintiff shows that these two conditions are met, policy reasons may militate against the imposition of a duty of care on the defendant. 70 A discussion of these legal principles in relation to the risk of physical harm is found in Watson v. British Boxing Board of Control Ltd. 71 In this case, an injured boxer sued Britain's professional boxing association for negligent medical treatment when he sustained a brain haemorrhage during a match. The defendant had drafted regulations governing the safety of professional boxing, including immediate medical care of boxers who received personal injuries while taking part in a fight. However, these safety standards proved to fall behind standard medical practice. Relying on the authorities of Clay, Marc Rich and Perrett, Lord Phillips, MR, found the defendant to be in close proximity with each individual boxer fighting under its rules, including the claimant. The facts producing such proximity involved: • The function and objective of the defendant (ie to care for the physical safety of its members); • The claimant being part of a determinative class of persons, both in time and number, such that the defendant, when defining its safety standards, ought reasonably to have had within its contemplation the claimant as being closely and directly affected by its activities; • The defendant actively encouraging and supporting its members in the pursuit of an activity that inevitably involved physical injury and that requires medical precautions against such injury; • The defendant controlling every aspect of that dangerous activity, including the medical treatment that would be provided; • The defendant requiring individual boxers to sign for a boxing match a contract on terms under which its safety standards will apply; • The claimant, as a member boxer, placing reasonable reliance upon the defendant to look after his safety given that the defendant held itself out as treating the safety of boxers as of paramount importance and had, or had available, medical expertise as regards such safety. 72 Two cases confirm Watson as the leading authority to establish the proximity necessary to found a duty of care in cases involving the indirect infliction of physical harm caused by a defendant's negligent advice, which foreseeably and directly affected the safety of a claimant. The first is Wattleworth v. Goodwood Road Racing Company Ltd & Ors, 73 which concerned a racer who died in a crash on a race circuit licenced by the national motor sports association. It was alleged by the widow of the racer that the death was caused by the negligent design of the safety measures that the defendant association had advised the circuit owner to implement. Davis J. accepted the defendant as owing a duty of care to the deceased racer as it had assumed a responsibility for racetrack safety. To support that conclusion, attention was drawn to the defendant's measure of control over track safety, its acknowledged expertise in this domain, its universal desire to achieve high safety standards for circuits and the reasonable reliance of racers that those who had undertaken responsibility for safety matters exercised all due care. The defendant's assumption of responsibility could not be displaced by the alleged indeterminacy of the class of persons to which a duty of care would be owed, nor by the defendant's terms and conditions of the licencing arrangements for racers. 74 70 This applies to cases involving pure economic loss mostly. See  The second is the case of Sutradhar v Natural Environment Research Council, in which the defendant had, on its own motion, conducted a study to assess the hydrochemical character of water in a region of Bangladesh. 75 The Bangladeshi government had relied upon the research report to construct a tubewell for drinking water. However, the report had not tested the water for arsenic, nor did it explicitly state that arsenic was not tested. The claimant was one of the people affected. He alleged that the defendant knew or ought to have reasonably known that the report would be relied upon as a statement that the tubewell water was fit to drink. The House of Lords held that the defendant could not be held to owe a duty to the claimant for lack of proximity "in the sense of a measure of control over and responsibility for the potentially dangerous situation". 76 The defendant had no control whatever, in law or in practice, over the source of danger (the supply of drinking water). Unlike in the authorities of Clay, Perrett and Watson, no statute, contract or other arrangement existed through which the defendant could be said to have assumed responsibility for the risk to which the claimant was exposed. Moreover, the class of potential claimants could be the entire population of Bangladesh or, at least, that of the testing area. It led one Lord to note that "the essential touchstones of proximity are missing". 77 2. The case of Das v. Weston: the role of audit scope, timing and reliance The body of English case law just described was used to found two judicial decisions in the more recent Canadian case of Das v. Weston. 78 This case involved a negligence claim brought by injured workers and family members of deceased workers in the aftermath of the devastating collapse of the Rana Plaza building in Bangladesh in April 2013. The defendants involved the Canadian retailer Loblaws and the global auditing firm Bureau Veritas. The former had contracted the latter to conduct social audits for a garment supplier that operated in the collapsed building. While the claim was primarily dismissed for being statutebarred by the applicable Bangladeshi Limitations Act, the decisions of the Ontario Superior Court and Ontario Court of Appeal include highly relevant considerations as to the question of when a private safety auditor owes a duty of care to workers of value chain partners under English law, and by extension under Bangladeshi and Canadian law. 79 The claimants alleged that Bureau Veritas had negligently failed to conduct reasonable inspections and to report any safety issues to Loblaws to ensure that they were remedied. The Canadian courts dismissed these allegations. Bureau Veritas was not held to owe a duty to the claimants, essentially because it had not assumed responsibility for the risk to which the injured claimants were exposed, namely the structural integrity of buildings in which the claimants worked. Its contracted function and objective were of a more limited material scope. Loblaws had contracted the auditing firm to audit and inspect the supplier's compliance with its private standards, which spoke to workplace health and safety. The standards did not, however, address the structural integrity of the buildings in which the supplier operated. 80 79 The courts recognised that for all jurisdictions, the case against Bureau Veritas constituted a novel case. In those circumstances, Bangladeshi and Canadian judges draw on English law to establish the legal principles for the case. 80 As Perell, J. held in Das v George Weston Limited, 2017 ONSC 4129 para 446: " : : : the contract, in this case, a limited remit for a social not a structural audit, still remains relevant to determining the ambit of that duty of it had negligently audited an aspect within the ambit of its contracted services, and employees of the audited supplier were injured as a result of that negligence, it would owe a duty of care to them. 81 The case of Das v. Weston draws attention to a second material fact that limits the duty private safety auditors may owe to injured workers. That fact concerns the element of time. The responsibility that a private third-party auditor may assume will not last in perpetuity. Bureau Veritas had inspected the supplier twice: in 2011 and 2012. In early 2013, Loblaws terminated its contract with Bureau Veritas and contracted another auditing firm (ie several months before the collapse). The responsibility assumed is thus time-bound. As held by the Canadian courts, the duty owed will not extend long beyond the termination of the contract. 82 What supplementary period would be considered reasonable depends on the circumstances at hand. One relevant factor will arguably involve the period of validity of the certificate, label or any other form of attestation of compliance for which the audit or inspection serves as a baseline. That period may differ depending on what the audit standards or protocols require as imposed by the audit contract. In addition, the source of the danger may be relevant. Risks related to the design or structural features of production facilities (eg the availability of flight plans, sprinkler systems and emergency exits for fire hazards) will not change much over time. If the auditing firm fails to report the absence of such a safety feature and an incident that could have been prevented by that feature occurs after the auditing contract has lapsed, the firm may still be said to owe a duty. Other risks might be more time-dependent and subject to change (eg new product designs) and may thus create new risk profiles for the audited firm that effectively require re-inspection. In that case, a duty will less likely be owed.
Third, the case of Das v. Weston deals with the matter of reliance. The courts dismissed the assertion of the claimants that the supplier's employees relied on Loblaws and Bureau Veritas to ensure their safety in the workplace. On this point, Perell J. of the Ontario Superior Court drew specific attention to the improbability that the employees, many of them illiterate in Bangla and in English, would know about, depend upon or be influenced by the standards, the audits or the contractual arrangements between the retailer, supplier and auditor in coming to work. 83 While the absence of direct exchanges between the claimant and defendant auditor or the awareness of the first about the activities of the latter are important in considering whether the element of proximity is satisfied, these features should not be seen as necessarily decisive. 84 The authorities in English law discussed above all suggest that of primary concern is whether the defendant has a sufficient measure of control over and responsibility for the source of danger to which the claimant is exposed and that, as a consequence of that control or responsibility, they have or ought to have within their contemplation the class to which the claimant belongs as being closely and directly affected by its activities. Feldman J.A. was therefore more accurate in her opinion where she reasoned that no reliance could be placed on Bureau Veritas because structural safety was beyond the scope of responsibility that it had assumed under the audit contract. 85 care". On appeal, Feldman J.A. similarly reasoned that the analogy with the case of Clay, as relied upon by the claimants, broke down due to the limited scope of the audit contract: "While that case imposed a duty of care on the architect to a third party, the duty was limited to negligence in the performance of his contractual functions. Here, Bureau Veritas' limited retainer did not extend to conducting a structural audit of Rana Plaza", 2018 ONCA 1053, para 197. A similar argumentation was applied by the National Contact Point for the OECD Guidelines in Germany in a complaint lodged against TÜV India because of its alleged substandard auditing practices. See

Is the duty owed fair, just and reasonable?
Once the elements of foreseeability and of proximity are established, the question is whether, as a matter of legal policy, it is fair, just and reasonable for the defendant auditor to owe to the claimant a duty to prevent or avoid harm arising from the potentially dangerous situation. Such considerations of policy may militate against imposing a duty of care. Typical considerations include the negative impact that the exposure to liability may have on a defendant who acts in the public interest or otherwise pursues laudable societal activities or goals ("defensive behaviour"), the availability of insurance against the liability imposed, the risk that the defendant is exposed to indeterminate liability ("opening the floodgates") and the burden that this will place on the court system and its public funding. 86 Where the claims in negligence involve direct physical injury, English courts have generally shown little sympathy for these policy considerations. 87 Also for the classes of cases of concern here, the courts have been very reluctant to uphold arguments advanced by defendant auditors or inspectors to the effect that recognition of a duty would be unfair, unjust and unreasonable. The exception is the case of Marc Rich. Lord Steyn's reasoning was primarily grounded in the particularities of the organisation of maritime trade and, within it, the allocation of risks for cargo loss through a balanced system of international rules, contracts and liability insurance. Moreover, societies like the defendant operate to fulfil a role that promotes collective welfare (ie the safety of lives and ships at sea). This role would be at risk if classification societies would be exposed to claims coming from cargo owners, who already have contractual claims against the ship owners. Such duplication of this liability is unjust because societies cannot, via contracts, limit such liability in the way a ship owner can vis-à-vis cargo owners. 88 However, Marc Rich is considered an authority that is irrelevant for cases of personal injury. In Perrett, the considerations regarding the duplication of liabilities, insurance and the presumed negative implications of a duty for the continuation of the work of safety inspectors could not dispose of the duty that the defendant aircraft safety inspector owed to the claimant for personal injury that resulted from a dangerous activity that the defendant had a measure of control over. 89 Similarly, in Watson and Wattleforth, considerations of the insurance position of the defendants, the implications of a duty for their role in safety management and the possible opening of the floodgates of liability did not displace the desirability or reasonableness of the duty of care that was imposed on the defendants. 90 Further, it was found unreasonable to deny the duty as this would leave the claimant with no remedy. 91

IV. The case for a duty of private safety auditors
The analysis of English law suggests that the tort of negligence provides a clear scope for subjecting on private third-party auditors a duty of care for physical harm caused by 86 These considerations may hark back to the elements of foreseeability and proximity. It has indeed been recognised early on that the three separate requirements of the duty test "are, at least in most cases, in fact merely facets of the same thing". Caparo, supra, note 46, [633] (Lord Oliver). See also Watson, supra, note 71, [86]. 87  negligent audits, in particular where the auditor has a degree of control over the source of danger involved. In the light of the importance of private safety auditing for risk management purposes in GVCs, the role that such auditing is assigned to in current and future regulation of corporate accountability in GVCs and the ongoing contestation around the proper scope of liability for safety auditors, 92 this section will further argue the need for subjecting private safety auditors in GVCs to liability for negligence.
First, the exposure to civil liability would strengthen audit integrity and reliability. Auditing firms and the individual auditors they contract would be disincentivised to relax audit standards, cut corners and inflate audit scores. 93 When a duty of care is imposed, the defendant auditor is required to exercise reasonable care. The standard of care is one of reasonable skill and care. 94 For professional services such as auditing, that standard normally involves the ordinary level of care exercised in the profession, trade or industry. 95 That level of care is at times expressed by self-regulatory norms and codes. 96 For safety auditors as discussed in this article, these would include auditor protocols and policies of schemes such as GLOBALGAP, SA8000 and the BSCI, the accreditation standards as required under these schemes (eg GFSI, SAAS), common practices (ISO/IEC Guide 65:2005) and, where available, governmental standards. 97 Consequently, to prevent a breach of their duty of care and avoid liability vis-à-vis groups of victims of unsafe products or practices, private auditing firms will need to conform to the common practices and standards of their profession. This also applies to the individual auditors or auditing firms they contract to perform the auditing services, thus offering a second argument for exposing auditing firms to liability for negligence. Most of the audit failures discussed in this article concern the situation in which the alleged negligent auditing services were carried out via subcontracting, either by an independent 92 See eg the pending damages claim against the German auditing firm TÜV SÜD before the German courts. In this claim, based on Brazilian law, 1,100 claimants allege that the firm, operating through a foreign subsidiary, negligently certified the Brumadinho dam in Brazil as safe in 2018. That dam collapsed four months later, as a result of which 272 persons died and significant environmental damage was sustained. See M Binder, "Die Haftung von Zertifizierungs-und Prüfunternehmen als gebotener Bestandteil eines effektiven Lieferkettengesetzes" (Verfassungsblog, 10 June 2020) <https://verfassungsblog.de/die-haftung-von-zertifizierungs-undpruefunternehmen-als-gebotener-bestandteil-eines-effektiven-lieferkettengesetzes/≥ (last accessed 20 September 2022); "TÜV SÜD lawsuit in Germany (re role in Brumadinho dam collapse)" (Business & Human Rights Resource Centre) <https://www.business-humanrights.org/en/latest-news/t%C3%BCv-s%C3%BCd-lawsuitin-germany-re-role-in-brumadinho-dam-collapse/> (last accessed 20 September 2022). 93  , concerning the dismissal of an employee of the auditing firm (Ernst & Youngnow EY) after he blew the whistle on an unethical and unprofessional audit, which was carried out by an EY subsidiary for a Dubai gold refiner. As a result of this audit, potential international money laundering was covered up. After finding that EY owed a duty to the employee, Kerr J. held the standard of care to be defined by the Code of Ethics for Professional Accountants adopted by the International Federation of Accountants as an "objective source of acceptable standards" [677]. It was established that this code was breached at EY's highest levels of management, eventually leading to EY's liability in negligence vis-à-vis its former employee for his loss in earnings. 97  contractor or by a foreign subsidiary. 98 As auditing firms can be responsible for the negligence of their employees, independent contractors and foreign subsidiaries, 99 they will have an incentive to carefully select qualified auditors for their subcontracted services, properly train them in the use of the standards and protocols applicable and astutely monitor their overall performance within the audit scheme. 100 Since the liability exposure of auditing firms may also extend to the negligence of their employees and subcontractors, this will further spur auditing firms to improve the rigour of audits and avoid liability for negligence. For victims of subcontracted audits that were negligently performed, such liability can also offer an effective remedy, where otherwise there would be none. After all, the independent contractors or foreign subsidiaries involved might not prove solvent enough to compensate for the extensive harm that can be done in the context of safety auditing in GVCs.
Third, civil liability for negligence would make private safety auditors accountable for the justifiable reliance that others place on their professional activities and representations such as certifications, labels or other kinds of attestations of compliance with safety standards. Both consumers and commercial buyers rely on such attestations to the effect that these accurately represent the safety of the products that they buy for personal or professional use. 101 In addition, workers or other third parties that are intended to benefit from professional safety auditing can be said to rely on the accuracy and integrity of such auditing. English law, as discussed above, does not require contact between defendant auditor and claimant for such reasonable reliance to exist. Instead, the crucial element is that the defendant auditor exercised relevant control over the source of danger to which the claimant was exposed, and that through that control they had or ought to have had within their contemplation the class to which the claimant belongs. 102 Accordingly, auditing firms may be exposed to various sizeable categories of claimants beyond those who contracted their services, which will further incentivise them to use reasonable care in performing these services.
Fourth, there are several knock-on effects that the exposure of private safety auditors to liability for negligence has for the attainment of public regulatory goals. Depending on the scope of the audit and the auditing standards, the imposition of a duty for these auditors to use reasonable care will lead to higher compliance levels amongst products produced in GVCs and thus better consumer protection. It may also decrease the chances that lead firms and other commercial buyers in GVCs purchase non-conforming products, and it can help to protect workers from unsafe working conditions. Further, accurate and rigorous auditing may also complement existing public mechanisms of oversight, which in GVCs might be ineffective or even corrupt at the local level of production. In addition, the financial resources, technical knowledge and skills amongst public inspectorates may be lacking at this level, as a result of which rigorous private safety auditing is a much-needed complement. 103 Thus, liability exposure of private safety auditors can help to develop the necessary monitoring and enforcement capacity in GVCs.
Admittedly, the infrequency and episodic nature of civil litigation against private safety auditors does not generate enough pressure to effectively change the behaviour of these professional actors. The exposure to liability may not sufficiently deter individual auditors from cutting corners and incentivise them to better their professional services. What is clear, however, is that civil litigation for harm caused by (alleged) negligent auditing in GVCs does assist in setting the agenda of public and private entities concerned with safety auditing. High-impact incidents involving private safety auditors, such as the Poly Implante Prothèse (PIP) breast implants scandal, the Ali Enterprises factory fire or the Rana Plaza collapse, have each shaped the way in which activists, NGOs, policymakers and legislatures think about health and safety in GVCs. 104 Regardless of whether the claimants are successful in their damages actions against private auditing firms, the litigation they start will generate media attention and bring to light information about the design and implementation of audits. As such, it plays an important role in signalling whether and how business associations, audit scheme owners, policymakers and legislatures can improve and support the reliability of private safety audits.
Finally, it may be contended that the liability exposure for private safety auditors in GVCs will lead these auditors to shy away from their business, especially in high-risk contexts. 105 There is little conclusive empirical evidence on whether civil liability leads defendants to develop defensive practices and stops them from engaging in harmful behaviour. 106 The English courts have not been persuaded by this argument in recent times. 107 Instead, they have insisted on the ability of defendants to take out insurance as a measure to guard against significant liability costs and, in turn, redistribute the costs of insurance via the price of their auditing and surveillance activities. 108 In addition, auditors can insert indemnification clauses in the contracts that they sign with the producers and suppliers that they audit. 109 As a result of these clauses, auditors can effectively shift the costs of liability to the audited firm. To be clear, these contractual indemnities will not immunise auditors from claims by third parties harmed because of a negligent audit. However, if the negligence is related to non-compliance by the auditee that foreseeably and directly caused harm to a third party, the auditee will have to carry the costs of liability following from a successful damages claim that the third party brings against the auditor.

V. Conclusions
This contribution has sought to discuss the civil liability of private safety auditors for harm caused by their negligence within GVCs. Relying on the analysis of English tort law, the liability exposure of these auditors, who perform a crucial risk management function within GVCs, is held to be distinctively determined by the purpose and scope of their professional services, as outlined by the contractual obligations that they undertake to perform vis-à-vis audited firms. It is the audit contract, including the audit standards and protocols referenced in it, that principally defines the extent to which the auditor holds a degree of control over or responsibility for the source of danger to which the claimant was exposed. Only if that control or responsibility is established, also in relation to the time frame in which the danger arose, will the auditor owe a duty of care to the claimant. This implies that no duty is owed if the claimant is exposed to a risk that the auditor did not have control over, nor will it be owed if the claimant falls outside the class of persons that the audit scheme was intended to protect or suffered the kind of harm that the scheme was not intended to prevent. Therefore, and in the absence of any statutory regulations defining the role and competence of private safety auditors, the scope for civil liability of these auditors within GVCs is intimately linked to the specific auditing contract and scheme involved. 110 This finding draws attention to the need to better understand and define the scope of the safety audits offered for risk management purposes within GVCs. In this respect, social auditing is a rather elusive concept. It involves a very wide range of topics, risks and harms. Social auditing is liable for creating the impression that all conditions affecting the health and safety of workers in the workplace are within the scope of the auditing activities, whereas they are not. 111 In this respect, product safety audits are more transparent. Their purpose is to prevent safety risks for potential buyers, and the auditors involved will readily understand who will be closely and directly affected by their activities if they would act without proper care. This explains the position of the courts, who have more readily accepted a duty of care on the part of product safety auditors. Accordingly, not all private safety auditors involved in the risk governance of GVCs are exposed to the same degree of liability risks.
Financial support. This contribution is part of the project "The Constitutionalization of Private Regulation" (2017-2021) funded by the Netherlands Organisation for Scientific Research (NWO) under the Innovational Research Incentives Scheme (Veni Grant no. 451-16-011). Visit www.paulverbruggen.nl/projects for more information. 110 Arguably, the ground on which the private auditor holds control over or has responsibility for a risk to which the claimant is exposed does not matter. That ground may be contractual, statutory or even incidental in nature. See the main text at notes 76 and 77, as well as Glinski and Rott, supra, note 7, 110 and 116-17. However, for the reasons explained in Section II, the audits occurring in GVCs will for the most part be only contract-based. 111 The unsuccessful legal claims brought by victims of the Rana Plaza disaster are evidence of this. See supra, notes 43 and 80.