An Underexplored Issue in Environmental (Criminal) Law

The recent global surge in the construction of data centres, together with the planning of new facilities across multiple jurisdictions, raises questions concerning corporate responsibility for environmental and human rights impacts at both national and international levels. While the environmental impact of data centres has long been discussed by scholars in technology studies and the natural sciences (see here, here and here for a few studies), far less attention has been devoted to the potential implications from the perspective of business and human rights and environmental criminal law.

Particular relevance in this context is attached to environmental criminal law, given that violations of environmental regulations may give rise to criminal liability not only for the companies concerned but also for their directors and managers. Such liability may arise in connection with environmental offences relating to the pollution of water, air, soil, or subsoil. Criminal liability may also arise in cases of negligent homicide and occupational personal injury offences. The former generally refers to workplace fatalities resulting not from intentional conduct but from the breach of occupational health and safety duties or other precautionary rules. The latter concerns breaches of workplace safety obligations that cause injury to workers without resulting in death and is therefore generally regarded as a less serious offence.

In the international legal discourse various instruments, including EU directives (Directive (EU) 2024/1203 and Directive (EU) 2024/1760), a Council of Europe convention, and proposals, have progressively devoted greater attention to environmental protection and corporate accountability. Many corporations involved in the construction, maintenance, and operation of data centres operate across several jurisdictions. As a result, environmental harm connected to data centre infrastructures may transcend national borders and give rise to forms of criminal responsibility that require corporations to take into account not only the liability regime of a single State, but also the legal frameworks of all jurisdictions in which they operate.

In this context, soft law instruments such as the UN Guiding Principles on Business and Human Rights (UNGPs) play a central role in articulating the responsibility of business enterprises to respect human rights. In particular, they establish an expectation that corporations conduct ongoing human rights due diligence across their operations and value chains, including where environmental harms may affect the enjoyment of fundamental rights.

At the outset, however, it is important to acknowledge that (environmental) criminal law, whether domestic or international, should remain a measure of ultima ratio. Accordingly, other regulatory mechanisms, particularly those provided by administrative law, should ordinarily be preferred in governing the environmental risks associated with data centres. Current developments at the global and regional level reflect precisely this tendency. The European Union and several States are increasingly investing in regulatory and research initiatives aimed at mitigating the environmental impact of data centres through other areas of law, such as administrative and private law, rather than primarily through criminal law

Yet pathological situations may arise in which criminal law becomes unavoidable. In certain circumstances, the environmental consequences associated with the construction and operation of data centres may contribute to violations of fundamental rights and constitutionally protected interests, including life, health, and the environment. These legally protected interests are not confined to domestic constitutional systems but are increasingly reflected in international human rights law. The rights to life and health are firmly established under human rights instruments, while the recognition of a human right to a healthy environment has gained significant importance in recent years, including at the United Nations level.

Key Environmental Risk Profiles in Data Centre Infrastructures

In line with the UNGPs, and in particular Principle 17, business enterprises are expected to conduct human rights due diligence to identify, prevent, mitigate, and account for adverse human rights impacts in a systematic and ongoing manner. Given the increasingly recognised nexus between environmental degradation and the enjoyment of fundamental rights (for instance, see here at para. 377), environmental risks associated with data-centre infrastructures should form part of such due diligence processes. Principle 13 further requires business enterprises to avoid causing or contributing to adverse human-rights impacts through their own activities and to address such impacts when they occur. From this perspective, the environmental footprint of data centres should no longer be viewed solely as a sustainability concern, but as a human-rights issue that corporations are expected to address through effective due diligence and risk-management measures in accordance with the UNGPs.

In contemporary digital societies, preventing the construction of data centres altogether appears neither realistic nor desirable. The central legal challenge is therefore not whether such infrastructures should exist, but rather how their environmental risks and human rights impacts can be effectively governed and reduced. From an engineering and environmental-science perspective, several risk profiles associated with data centres have already been identified, including those connected to mineral extraction processes, massive water consumption, significant energy demands, and the emission of pollutants into the atmosphere.

Each of these profiles may also correspond to distinct areas of legal risk from the standpoint of environmental criminal law. Both domestic and international legal actors should therefore begin to consider whether existing criminal-law frameworks are capable of addressing severe environmental harms connected to data centres, especially where corporate conduct operates across borders and affects vulnerable populations or ecosystems.

The First Risk: Mineral Extraction Processes and the Health and Safety of Workers during the Construction Phase

A first area of concern arises in connection with the extraction processes and construction phases associated with data centres. These facilities require vast quantities of raw materials for both their physical infrastructure and their internal technological components, including semiconductors and Graphics Processing Units (GPUs).

Recent scholarship has highlighted how the extraction processes linked to such materials may generate risks comparable, in several respects, to those traditionally associated with the fossil-fuel industry. These risks include also labour exploitation and potential human-rights violations, particularly in jurisdictions where regulatory oversight remains weak or where labour and environmental protections are inadequately enforced.

A further risk concerns the potentially hazardous nature of some of the materials used in the construction and maintenance of data centres. Workers involved in these activities may be exposed over long periods to substances capable of causing serious health consequences, including respiratory illnesses, neurological disorders, lung cancer and other forms of cancer. In such contexts, corporations bear a responsibility to ensure that workers are equipped with personal protective equipment appropriate to the level of risk involved.

Failure to adequately assess occupational risks or to provide sufficient protective measures may expose both corporations and their managers to forms of criminal liability relating to workplace deaths or injuries, including negligent homicide and occupational personal injury offences. Moreover, such failures may also give rise to considerable civil liability claims connected to severe occupational diseases. The potential risk of committing such offences not in a single State, but across multiple jurisdictions, must therefore be anticipated through a proper assessment of occupational health and safety risks.

The Second Risk: Water Use, particularly for Cooling Purposes, and its Consequences

A second area of risk emerges in relation to water use. Data centres require significant volumes of water for a range of operational purposes, most notably for server cooling. Recent engineering studies have identified a variety of cooling techniques, including evaporative cooling systems and closed-loop systems in which water circulates through external containers surrounding the servers. Among these methods, some (particularly evaporative cooling) allow only very limited water reuse, thereby raising serious sustainability concerns. Other systems, by contrast, involve direct or indirect contact between water and technical materials or chemical solutions that may result in contamination.

In this context, certain studies have also pointed to the potential use of substances such as perfluoroalkyl and polyfluoroalkyl substances (commonly known as PFAS) coatings in cooling infrastructures, further increasing the risk of environmental contamination. In several domestic legal systems, including those of Italy, Spain, France, and Germany, water used in such industrial processes may be legally classified as wastewater (see here and here), thereby triggering (strict) purification and treatment obligations before any possible discharge or reuse.

From a criminal law perspective, the key risk arises where contaminated water is not properly treated and is subsequently reintroduced into natural water sources. In such cases, corporate actors may face exposure to criminal liability for offences such as water poisoning or unlawful discharge of hazardous substances, as well as for breaches of administrative-criminal regulatory frameworks governing environmental permits and authorisations for emissions and wastewater discharge.

Another concern is that failures in water management of this kind may generate significant harm for local communities located in proximity to data centre infrastructures. As comparable environmental incidents in other contexts have shown (see ECHR, Cannavacciuolo and others v. Italy and the Miteni case among others), such harms may raise environmental law issues and, above all, human rights concerns, particularly with respect to the protection of health and access to clean water.

The Third Risk: The High Demand for Energy and Atmospheric Pollutant Emissions

A third area of risk concerns energy demand and the resulting emissions. Data centres require substantial and continuous amounts of energy in order to operate. From a transnational criminal law perspective, a key question arises when distinguishing between the use of renewable and non-renewable energy sources.

Current studies suggest that approximately 60% of the energy consumed by data centres still derives from non-renewable sources, while around 40% comes from renewable energy. Some projections anticipate a gradual reversal of this ratio in the coming years, with renewables potentially accounting for 60% or more of total energy consumption, followed by a further increase in subsequent decades. However, other analyses suggest that such projections may be overly optimistic, given the inherent intermittency of renewable energy sources such as solar and wind power. These sources cannot always guarantee a constant and reliable energy supply, particularly in the context of rapidly increasing energy demand.

In this scenario, continued reliance (at least in part) on fossil-based energy sources entails a corresponding risk of increased atmospheric pollution and greenhouse gas emissions. This risk is further exacerbated either by the geographical concentration of many data centres in already highly polluted regions, or by situations in which a large number of facilities are planned within the same territorial area. A paradigmatic example of the latter scenario is the Po Valley (Pianura Padana) in Italy, where atmospheric conditions and industrial density already contribute to elevated levels of air pollution.

From the standpoint of environmental criminal law, such circumstances may raise issues relating to offences such as environmental pollution or environmental disaster, which in many jurisdictions are subject to particularly severe penalties, including custodial sentences and financial sanctions, particularly in light of the harm caused to human rights.

Conclusions

This analysis of the main risk profiles from the perspective of human rights and environmental criminal law should therefore be taken into account in the planning, construction, development, and maintenance of data centres. Their limited environmental sustainability may, on the one hand, expose companies and corporate managers to serious forms of criminal liability where a causal link between their conduct and the resulting harm can be established in judicial proceedings, a requirement that is often particularly complex to satisfy in practice. On the other hand, it may lead to concerning consequences for human health and life, as well as for environmental protection, which is a constitutionally protected value in many States and is also recognised in various international treaties.

While it is understandable, and arguably necessary, for States and corporations seeking to remain competitive to continue investing in data centre infrastructure, such development cannot be decoupled from a rigorous assessment of environmental risks and human rights violations, which should take into account the principle of prevention as a general principle of environmental law aimed at avoiding the occurrence of environmental harm. Only through such an assessment can the expansion of data centres be reconciled with the prevention of human rights violations and the protection of fundamental legal interests at both national and international levels.

From this perspective, integrating environmental considerations into corporate human-rights due diligence is not optional, but increasingly central to responsible corporate conduct in the digital economy. As data centres continue to proliferate globally, the challenge for both regulators and corporations will be to ensure that their expansion is accompanied by effective safeguards capable of preventing harm before it occurs.