EU secondary market for automotive repair and maintenance receives further clarity on access to vehicle data

This will hugely affect car owners, providing them with more affordable options for repairing their cars.

The 2018 automotive market surveillance regulation (Regulation 2018/858) governs the type approval and market surveillance of automotive vehicles and trailers in the EU. It focuses on the approval and market surveillance of motor vehicles, trailers and related components, with the aim of guaranteeing safety, environmental protection, and compliance with EU legal requirements. The judgments confirm that article 61 of the Regulation, which contains a legal obligation for car manufacturers to make certain data available to independent market participants, serves as a ‘legitimate ground’ for the processing of personal data under the General Data Protection Regulation (GDPR). They also illustrate the importance and challenges of data sharing in the automotive sector.

Car manufacturers must grant unrestricted, standardised and non-discriminatory access to on-board diagnostic (OBD) information, diagnostic and other equipment and tools, including full references and available downloads of the respective software, to independent repairers. This also includes the vehicle's repair and maintenance information. The information must be available in an easily accessible form, such as machine-readable and electronically processable files.

The vehicle data access framework in the regulation requires car manufacturers to provide technical information captured by onboard devices and other vehicle components to independent repair operators, ensuring non-discriminatory access compared to authorised sellers and repairers. Access to the vehicle's security functions granted to authorised dealers and repairers should also be made available to independent market participants. As far as the reprogramming of control systems is concerned, it should be carried out in accordance with international standards and with manufacturer-independent hardware. This regulation is intended to ensure that vehicles are designed, built, and assembled in such a way as to minimise the risk of injury to passengers and other road users.

Dr. Stephan Appt, expert for the automotive sector at Pinsent Masons, said: “This type of (vehicle component) data can sometimes be qualified as ‘personal data’. Considering the data protection laws (the GDPR), this could prohibit the authorised manufacturer from sharing it with the independent vehicle repairer”.

The two recent EU judgements – issued on 9 November and 5 October – go some way towards addressing this problem. By confirming that Article 61 qualifies as a statutory obligation for vehicle manufacturers to process vehicle component data that may qualify as personal data. As a consequence, it is a lawful processing ground for the sharing of this information by the vehicle manufacturer with the independent vehicle repair and maintenance market.

Jeroen Schouten, technology specialist at Pinsent Masons, added: “It is important to stress the gist of article 61, namely: establishing an effective competition in the market for vehicle repair and maintenance information services. By opening up access to critical data, the regulation ensures that the independent vehicle repair and maintenance market can compete with authorized dealers These two rulings of the ECJ show that Regulation 2018/858 can serve as an effective tool in creating a more efficient and fair market for the automotive sector. However, they also illustrate that there are still many legal (data protection) questions in relation to data-sharing in the automotive sector.”

Where do these judgments leave the car manufacturers? In response to the judgements, car manufacturers will need to revisit their data access and privacy and security policies to ensure their compliance with the Regulation and with the GDPR.