LawFlash
December 01, 2023
In two recent judgments, the European Court of Justice (ECJ) mandated information access rights by independent vehicle repairers to vehicle data under Regulation (EU) 2018/858. The judgments are likely to facilitate access to vehicle data to independent vehicle repairers.
Vehicle manufacturers will need to consider the implications of this regulation and these judgments as early as possible in designing their vehicles. Notably, there is a potential tension between this data sharing requirement and other legal obligations which may apply to vehicle manufacturers (for example, an obligation to incorporate robust cybersecurity measures in the vehicle’s design, or any data protection obligations arising from the EU General Data Protection Regulation (GDPR)).
CASE ATU AUTO-TEILE-UNGER AND CARGLASS V. FCA ITALY (C-296/22)
In its judgment (Judgment) of 5 October 2023 in case ATU Auto-Teile-Unger and Carglass v. FCA Italy (C-296/22), the ECJ held that both read and write access to the direct vehicle data stream via so-called on-board-diagnostic (OBD) ports must be granted by law to independent vehicle repairers and that any restrictions by vehicle manufacturers may not exceed the legal standards set out in Regulation (EU) 2018/858.
The Judgment was in a preliminary reference proceeding and was based on the following facts: car manufacturer Stellantis Italy (Stellantis) requested two independent repair service providers ATU and Carglass to register with, and log into, a Stellantis server via a fee-based subscription in order to perform vehicle diagnostics via OBD ports.
Stellantis argued that this request was necessary to ensure cybersecurity in accordance with applicable EU law and in particular UN Regulation No. 155, which contains uniform provisions concerning the registration of vehicles with regards to cybersecurity. ATU and Carglass challenged Stellantis’ request before the German Regional Court of Cologne, which referred certain questions of interpretation of EU law to the ECJ for a decision in a preliminary proceeding.
The Cologne Court asked the ECJ whether
Article 61(1) and (4) of Regulation 2018/858, read in conjunction with [Point] 2.9 of Annex X thereto, … also taking into account the requirements imposed on the vehicle manufacturer to guarantee the general safety of the vehicle in [item] 63 of Part [I] of Annex II to that regulation
- read in conjunction with Regulation No 661/2009 as regards vehicles type-approved prior to 6 July 2022, in particular Article 5(1) thereof, and
- read in conjunction with Regulation 2019/2144, applicable [from] 6 July 2022, and in particular Article 4(4) and (5) thereof …
[are] to be interpreted as meaning that the vehicle manufacturer must always ensure, including when implementing relevant safety measures, that the vehicle OBD, diagnostics, repair and maintenance, including the write operations necessary for these purposes, can be carried out by independent repairers using a universal and generic diagnostic tool, without any need to meet requirements, not expressly stipulated in the regulation, for the device to have an internet connection to a server designated by the manufacturer and/or for the user to have personally registered with the vehicle manufacturer beforehand?
The ECJ found, by way of interpretation of the currently applicable EU regulatory framework for vehicle on-board data, that the obligation on vehicle manufacturers to provide unrestricted, standardized and non-discriminatory access to OBD information and vehicle repair and maintenance information, pursuant to Art. 61(1) Regulation (EU) 2018/858, includes the obligation to allow independent operators to process and use such information, without being subject to any conditions other than those laid down by that regulation. OBD information must be “easily accessible” and access must go beyond a read-only possibility.
Regulation (EU) 2018/858 has the objective of ensuring effective competition in the market for vehicle repair and maintenance information services. Additionally, Regulation (EU) 2018/858 refers to recital 27 of Regulation 2019/2144 expressly setting out that security measures “should not compromise the obligations of the vehicle manufacturer to provide access to comprehensive diagnostic information and in-vehicle data relevant to vehicle repair and maintenance.”
The ECJ also found that, contrary to Stellantis’ assertions, UN Regulation No. 155 does not prevent this interpretation, as point 1.3 of UN Regulation No. 155 applies “without prejudice to […] regional or national legislations governing the access by authorised parties to the vehicle, its data, functions and resources, and conditions of such access.”
While the specific case that led to the referral to the ECJ is yet to be decided by the Cologne Regional Court and may yet be subject to appeal, the ECJ’s Judgment has already set a precedent to the extent that any access restrictions to vehicle data independent vehicle repairers may not go beyond the standards set out in Regulation (EU) 2018/858.
It remains to be seen how the German court will interpret the Judgment and the specific requirements set out in Regulation (EU) 2018/858 regarding unrestricted access to OBD information, as the ECJ did not elaborate on permissible security measures that can be adopted by vehicle manufacturers in order to prevent the misuse of data. Thus, vehicle manufacturers need to assess their current practices of making data available to independent vehicle repairers and their own authorized repairers and at the same time continue to ensure that vehicles have appropriate cybersecurity measures.
CASE GESAMTVERBAND AUTOTEILE-HANDEL E. V. ./. SCANIA CV AB (C-319/22)
In the recent ECJ judgment of 9 November 2023, case C-319/22 (Gesamtverband Autoteile-Handel e. V. ./. Scania CV AB), the ECJ once again confirmed the data transfer obligations of the automotive industry towards independent economic operators such as workshops, spare parts dealers, and publishers of technical information. In particular, the ECJ gave its opinion as to whether the spare parts database must also contain the Vehicle Identification Number (VIN) and whether the VIN is a personal dataset under the GDPR. One of the main legal arguments of the manufacturers has been that the GDPR does not allow them to share the VIN with independent economic operators.
The ECJ held that the VIN, being a mere alphanumeric code, did not, in and of itself, constitute personal data. However, this assessment might change if the registration certificate was also available, and a natural person was entered there. If, for example, workshops, spare parts dealers, or publishers of technical information could reasonably associate the VIN with a natural person with the help of further information, the VIN would constitute personal data for them and “indirectly also for the vehicle manufacturers.” The obligation to provide access to the information pursuant to Art. 61 Regulation 2018/858 constituted a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.
Furthermore, if the data access rights under the Regulation (EU) 2018/858 constitute a legal obligation under Art. 6 para. 1 lit. c GDPR, then this obligation may also facilitate access under the new Data Act, as there may also be a legal basis under the latter for the data transfer.
EUROPEAN REGULATORY ENVIRONMENT
The ECJ’s judgments are in line with the overall European Union approach to foster competition in the automotive after-sales sector.
In April 2023, the European Commission extended the validity of the Motor Vehicle Block Exemption Regulation until 31 May 2028 and updated the supplementary guidelines on vertical restraints in agreements for the sale and repair of motor vehicles and for the distribution of spare parts for motor vehicles (Supplementary Guidelines) to clarify that data generated by vehicle sensors may be an essential input for the provision of repair and maintenance services.
Consequently, systematic discrimination by manufacturers against independent repairers in favor of authorized repairers may constitute an infringement of Article 101 of the Treaty on the Functioning of the European Union (TFEU), while the unilateral withholding of vehicle data by a vehicle manufacturer from independent repairers may constitute an abuse of a dominant position prohibited by Article 102 TFEU.
The ECJ’s judgment also suggests that the GDPR may not completely shield organizations from data sharing obligations applicable to them under other EU laws (specifically those intended to promote competition). Noting the potential tension between allowing access to vehicle data and ensuring adequate cybersecurity, the Supplementary Guidelines specifically mention that withholding inputs on the basis of potential cybersecurity concerns is subject to the principle of proportionality. The ECJ’s judgments now specify the extent to which data access must be provided by law and thus will also prove relevant for the application of Articles 101 and 102 TFEU in this area.
The upcoming EU Data Act will also have an impact on independent vehicle repairers’ rights and abilities to access vehicle data. It is intended to oblige manufacturers to make data generated by the use of their products, including vehicles, available to users or, upon request by users, to third parties free of charge.
However, as the Data Act will also contain restrictions on these obligations for the purpose of protecting manufacturers’ trade secrets, the full extent of repairers’ data access rights vis-à-vis manufacturers under the Data Act will likely be subject to further discussions going forward.
While the judgments will not be directly applicable in the United Kingdom, the overall approach of fostering competition between independent and authorized repairers is also being followed in the United Kingdom. For example, the Motor Vehicle Block Exemption Order, which came into force on 1 June 2023, provides for manufacturers to ensure that independent repairers have access to repair and maintenance information on non-discriminatory terms.
OUTLOOK
The recent judgments by the ECJ demonstrate once again that OEMs and vehicle repairers should carefully navigate the various European regulations regarding the access to vehicle data for repairers and, going forward, vehicle users.
Overall, vehicle manufacturers may need to consider any consequential impacts on the design of their vehicles, while also complying with other potentially competing obligations, notably, in relation to cybersecurity, or data protection obligations under the GDPR and the new Data Act. Morgan Lewis is constantly monitoring the relevant legislative and judicial developments in this area.