Voters in Massachusetts overwhelmingly approved a ballot initiative that gives independent mechanics greater access to vehicle data, a move that vehicle manufacturers have signaled could pose significant cyber and privacy risks for automobiles and their drivers. Specifically, the measure allows independent mechanics (those not affiliated with a manufacturer) access to data from telematics systems, which wirelessly collect and transmit mechanical data relating to a car’s performance and maintenance. The initiative updates and expands a “right-to-repair” law that was signed in 2013 and gave independent repair shops universal access to vehicle diagnostic data via the physical onboard diagnostics port. Although opponents of the initiative argued that it would do nothing to improve the consumer experience, proponents contended that the amendment was necessary because the 2013 law specifically excluded access to most telematics, which allegedly put independent repair shops at a disadvantage. The initiative is seen as a win for independent repair shops; however, it comes with possible cybersecurity concerns surrounding the usage and storage of personal data.
The approved initiative requires manufacturers to equip vehicles with an “open data” platform that will allow motor vehicle owners and independent repair facilities access to onboard diagnostic systems via a mobile app, starting with model year 2022 vehicles, which are already in production. Just as the enactment of the original right-to-repair law spurred automakers to adopt a nationwide standard for access to diagnostics ports, it is likely that the passage of this initiative will have a nationwide effect.
A major point of contention with the approved ballot initiative is the definition of “mechanical data,” which is defined as “any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.” While this definition is helpful for car manufacturers, opponents of the initiative have pointed out that different car manufacturers define telematics data in different ways, and that a more granular definition of what data should be included in telematics data is absent from the initiative.
Another concern is the protection of the data that is shared, and ensuring that car manufacturers have enough time to create data platforms with security measures that comply with current data privacy and cybersecurity laws. Since model year 2022 cars are currently being designed and built, opponents have signaled that requiring auto manufacturers to create a secure platform on an accelerated timeline could lead to data security vulnerabilities. The language in the initiative, as currently written, does not specify what protections should be incorporated into the law. However, this warning has come from the largest and most vocal cadre of opponents—a coalition of automakers—who similarly opposed the enactment of the 2013 law. Since the data platforms used to transmit the data will need to be designed by the auto manufacturers, right now it is up to each manufacturer to decide the level of protections incorporated into their platform.
Our cybersecurity team is available to assist clients in interpreting how this new initiative may affect their business and their compliance efforts. We will continue to update this space with analysis of the progress of this initiative.