It is almost time to lay the 2020 U.S. election season to rest, and with luck, the results of many highly anticipated races will arrive with clarity. Privacy professionals will have their eyes on whether Proposition 24, the California Privacy Rights Act, passes in the Golden State, as well as which party takes control of the Congress and thus has the inside track in shaping a potential federal privacy law.
While the CPRA has dominated the attention of the privacy industry, another ballot initiative in Massachusetts has sparked debate about the information collected by connected vehicles.
Question 1 in Massachusetts will have state residents voting on whether to update the 2013 Motor Vehicle Right to Repair Law. If passed, the ballot initiative would require car manufacturers to equip any car that uses telematics systems, which collect and wirelessly transmit mechanical data to a remote server, with an open access data platform starting with model year 2022 vehicles. This would give independent repair facilities access to more information to assist with vehicle maintenance and repairs.
Arguments in favor of the ballot initiative, such as one the one made by The Boston Globe Editorial Board, state it is "inherently unfair for car manufacturers to have sole access to a vehicle’s mechanical data, because it gives their dealerships an advantage over independent auto-repair shops."
Independent repair facilities would only have access to such data with the consent of the vehicle owner and do not need authorization from the car manufacturers.
One of the major points of contention with Question 1 is the lack of clarity around the definition of "mechanical data." The ballot initiative defines mechanical data as "any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle."
"The bill speaks of terms of mechanical data that’s used for or related to diagnosis repair or maintenance. The thing that’s a little tricky is that it’s not defined at a more granular level than that," Morrison & Foerster Partner Julie O'Neill said. "Even car manufactures define telematics in different ways. I think a big sticking point for people considering how to vote on this initiative or for down the road when companies are seeking to comply it is what exactly falls within that bucket."
Coalition for Safe and Secure Data Spokesperson Conor Yunits said one of the reasons why the group is opposing Question 1 is the "otherwise related to" portion of the mechanical data definition. Yunits said it's a caveat that expands the amount of accessible personal information that goes well beyond what is needed for vehicle maintenance and repair.
Of all the information gathered by connected cars, none might be more sensitive than location data. For the ballot initiative, O'Neill said Question 1 was written in a way in which location data is not included in the definition of "mechanical data."
Yunits and the Coalition for Safe and Secure Data have a different view. Yunits said the current Right to Repair law specifically cites how location data can be used, but no such reference can be found within the revamped version up for vote.
"In the existing law paragraph, Section 2 Paragraph F, it does explicitly prevent the sharing of navigation data. They included no such language in Question 1. The Question 1 folks will say it’s not about location data, but they explicitly removed the prohibition against sharing location data from the existing law," Yunits said.
Other concerns around Question 1 revolve around whether the information used by the platforms will be properly protected. The National Highway Traffic Safety Administration expressed concerns car manufacturers would not have enough time to create open data platforms with the proper security measures in place to ensure compliance with the law.
Yunits said this highlights another issue with the ballot initiative, as it could lead to an irreversible trend that could leave data open to a host of bad actors.
"We are not concerned with local mechanics having this information. Our concern is that once you open up this wireless gateway into the vehicle computers, you are essentially opening a door that can’t be closed again," Yunits said. "Any sophisticated bad actor that’s either trying to get access to information or put ransomware in your car or anything else, once they are in your car wirelessly, they are going to have endless opportunity to try and get around any precautions that are built in and get access to whatever other information is in the vehicle."
Should Question 1 pass, it does not necessarily mean the law has to be set in stone. O'Neill said lobbying efforts could be made to have the state Legislature extend the compliance window to give manufacturers more time to shore up the open data platforms and seek a carveout from the definition of mechanical and telematics data to address location information.
She added it is important to note the attorney general of Massachusetts will be required by law to prepare a notice for motor vehicle owners to explain telematic systems and what information would be collected under the expanded Right to Repair law. O'Neill said vehicle owners could use the notice to better understand data access and perhaps inform their decision about whether to go to an independent repair shop or the automotive dealer.
Both O'Neill and Yunits expect other ballot initiatives to pop up in other states. O'Neill said the conversations and concerns around Question 1 should be explored further as the amount of data collected by vehicles continues to grow.
"I wouldn’t be surprised to see some push for a review or maybe or a broader look at what’s being collected and if there are valid reasons for collection of that and what notice, if any, is provided to car buyers when they are buying their car to understand that manufacturers are already collecting so much of this," O'Neill said. "This ballot initiative does raise that question as to whether this is a topic that deserves a closer look by folks who are interested in privacy and data security."
Photo by CHUTTERSNAP on Unsplash