In our previous post, we explained how the US November 3rd election resulted in developments that were overlooked. Namely, the expansion of the recreational and medicinal cannabis market. Another underreported but critical development took place in Massachusetts where Bay Staters voted en mass to require car makers to give car owners and their independent mechanics access to their vehicle’s mechanical telematic data by 2022.
We believe Canada will soon follow Mass’ leap forward, but this leap may carry with it significant consumer privacy implications.
Why is this an important issue?
As car makers implement more technology into the cars we drive, our cars become increasingly complicated. There was a time, which some of us remember, when cars were purely mechanical vehicles with no computers. But those days are long gone. Cars now have several onboard computers, and often, to diagnose an issue, mechanics need access to those computers.
Initially, wired access to those computers was enough. Hence the initial 2012 Mass right to repair law, which only mandated car makers to give access to the data stored on the car’s computers. Now, the slow-moving trend is to send more of our car’s data to the cloud, and car makers are not required to give access to that data to the owner and independent mechanics.
What is mechanical telematic data?
The approved statute defines “telematics systems” as “any system in a motor vehicle that collects information generated by the operation of the vehicle and transmits such information . . . utilizing wireless communications to a remote receiving point where it is stored.”
Imagine this scenario: you are driving, you just passed 35,000 km, and upon reaching that milestone, your car’s maintenance schedule requires service. Then, your car sends a notification to your dealer. Your dealer then texts you “Good day! It’s time to book your next maintenance appointment. Click here to book a time.”
With this new law, you or your independent mechanic can access this data sent to your dealer/car maker, but this can raise privacy-related concerns. A car’s telematic systems are not just related to service schedules. They also include data from other places, like the car’s infotainment systems, which can send out data related to driver behaviour, biometrics, location, and personal conversations.
But, in reality, the law limits access to “mechanical” telematic data, which is defined as “any vehicle-specific data . . . generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.” Due to this limit, concerns over this law implicating personal information appear to be overblown. For example, WCVB fact checked car makers claims that granting access to telematic data would, for example, allow anyone to access your most personal data stored in your car.
What’s going on in Canada?
Canada’s “right to repair” cars standard was borne from the 2009 Agreement Respecting the Canadian Automotive Service Information Standard (“CASIS”), which was a voluntary agreement entered into by the major Canadian industry players. Car makers agreed to share their service and repair information with aftermarket providers, such as independent mechanic shops.
The Automotive Industries Association of Canada takes the position that CASIS is unclear on whether it includes the “sharing of wireless data with the aftermarket.” We agree that ambiguities remain. But focusing on this misses the bigger picture here: when Massachusetts initially put forward their 2012 right to repair law, car makers followed it nationwide. If the rest of the US follows Massachusetts’ recent leap forward, we likely are not far behind.
The right to repair movement has been gaining traction across the globe, and across industries. For example, in the European Union, appliances such as washing machines and fridges will soon come with more right to repair guarantees.
The right to repair is also significant for farmers and manufacturers of farming equipment. When farming, the ability to harvest on time is crucial. Waiting 5 hours for someone to come and fix your John Deere while a storm is coming is not always an option.
In reality, the issue is not one of access. Giving consumers more choice over who accesses their data does not create a privacy issue. Rather, the issue is the amount of data flowing into the cloud. Quite simply, the more information put online, the more susceptible we are to data breaches.
In light of the growing right to repair movement and increasingly uploading data to the cloud, manufactures and independent repair shops need to better understand their data management responsibilities. They should also consider what safeguards they should include to better mitigate their cyber-risk. This may include cyber-insurance, data protection agreements, privacy policies, and online-terms and conditions.
Should you have any questions regarding the safeguarding and management of your data, please do not hesitate to contact Siskinds’ Data Protection, Cybersecurity, & Privacy Law Practice Group.
This article was written in collaboration with lead co-author Savvas Daginis.