Maine data access law initiative advances; parties in Mass. case restate positions
By onAnnouncements | Legal | Technology
A Maine initiative is one step closer to placing vehicle data access legislation on the state’s 2023 ballot, even as the auto industry’s legal challenge to a similar Massachusetts law plays out in federal court.
Maine Secretary of State Shenna Bellows on Friday approved a petition to allow auto repair and parts store operators to begin collecting the signatures required to place the question on the statewide ballot.
Proponents now have 18 months to gather the signatures of registered voters. The minimum number required will be equal to 10% of the total votes cast in the state’s upcoming gubernatorial election in November, Emily Cook, director of communications for the Secretary of State’s office, told Repairer Driven News.
As in Massachusetts, the legislation calls for the creation of a “standardized access platform” for data generated, collected, and transmitted by vehicles. “This would solidify Mainers’ ability to get their auto fixed at their trusted independent car repair shop of choice, or to diagnose their vehicles on their own if they so choose,” the Maine Right to Repair Coalition says on its website.
“We’re pleased that the Secretary of State has given independent auto repairers across Maine the go-ahead to collect the signatures needed to get this important question on the 2023 ballot,” coalition member Tim Winkeler, president and CEO of VIP Tires and Service of Auburn, Maine, said in a statement.
According to a draft of the legislation provided by the Secretary of State’s Office, the legislation would cover all “mechanical data” generated, stored in, or transmitted by a vehicle needed for the “diagnosis, repair or maintenance of a motor vehicle.”
“Car and truck owners in the state deserve the right to choose where to get their auto diagnosed and fixed. New wireless technology threatens that right by transmitting diagnostic data directly to the manufacturer and dealer. A Right to Repair law is critical. Without it, consumers will have no choice but to go to a more expensive dealership,” Winkeler said.
Winkeler previously told RDN that the Maine coalition had been hoping for guidance from the Massachusetts lawsuit, but reached the point where it could no longer wait for a ruling if it wanted to meet deadlines for getting the measure on the 2023 ballot.
Meanwhile, the parties in the Massachusetts right to repair case have summarized their arguments in a pair of 22-page briefs, as they await a decision from a federal judge on the auto industry’s challenge of the Data Access Law approved by voters in November 2020.
The plaintiff, the Alliance for Automotive Innovation (AAI), representing the majority of the OEMs, claims that it cannot comply with the contested Data Access Law without violating the federal Motor Vehicle Safety Act [MVSA] or Clean Air Act [CAA]. Attorney General Maura Healey, the defendant, argues that AAI has failed to prove that claim.
AAI filed the suit, AAI v. Maura Healey, in November 2020, after Massachusetts voters approved the law as an update to the state’s existing right to repair law. Under Section 2 of the law, any OEM that sells a vehicle in the state that utilizes a telematics system “shall be required to equip such vehicles with an inter-operable, standardized and open access platform across all of the manufacturer’s makes and models.” The legislation became effective with the 2022 model year.
AAI is asking the court to permanently enjoin enforcement of the law. Healey has agreed not to enforce the law, pending resolution of the lawsuit.
“…[T]he automotive industry remains faced with a law crafted with the intention to gain leverage over automakers—not because anyone thought it could be complied with safely, but rather to apply pressure on automakers in negotiations over data access,” AAI wrote in a brief filed Friday. “Automakers, however, cannot comply with a law that would render their vehicles unsafe and therefore noncompliant with federal legal obligations. Their efforts to work with the Attorney General to limit some of the law’s harm have been unsuccessful. The law remains as dangerous as ever to Massachusetts’ drivers.”
Healey contends that “all that matters” in the case “is whether there is any possible future implementation of the Data Access Law that would not violate federal law. The Alliance has failed to meet that high burden.
“First, there is no provision in the MVSA or CAA, or any regulation promulgated thereunder, that conflicts with the Data Access Law on its face. No federal law or regulation addresses the cybersecurity of motor vehicles or access to motor vehicle diagnostic data…. Even now, the Alliance tellingly frames its objections to the Data Access Law in terms of the supposed ‘loss of cybersecurity protections’ and ‘cybersecurity risks’ – not as a conflict with any specific federal statute or regulation,” Healey argues in a brief, also filed Friday.
AAI renewed its previous criticism of the law’s designation of “a hypothetical third party” to oversee the security of a standardized data system.
“At the same time that the law opens up broad access to highly sensitive vehicle systems, it directly forecloses Auto Innovators’ original equipment manufacturer (‘OEM’) members from playing any meaningful role in protecting those systems,” AAI contends. “Every expert in this case agreed that immediate compliance with the technical requirements of the Data Access Law was impossible, and the evidence Auto Innovators presented at trial shows that, even with more time, there is no way to do so in a manner that is safe and maintains adequate cybersecurity.”
The Alliance asserts that the language chosen by the Maine coalition “implicitly acknowledges” this “key flaw” of the Massachusetts Data Access Law by taking a different approach. That includes “requiring the state’s attorney general to designate the independent third party; establishing a process and timeline to allow for industry input; and identifying specific International Organization for Standardization (ISO) standards to guide that effort through a structured, gradual implementation.”
Having a single third party oversee data security would make motorists more vulnerable to hackers, AAI contends.
“As it stands, a hacker seeking to control a particular OEM’s vehicles has to go car-by-car. Access to one car would not yield access to other cars. But the law changes all that and puts all security keys into the hands of a single, yet-to-be-established party that, if hacked, could lead to access to all vehicles in Massachusetts. Given the potentially dire consequences, car companies simply cannot take that risk and still comply with their federal-law safety and emissions obligations.”
Healey maintains that the Alliance’s interpretation of this provision is “overbroad, imprecise, and inconsistent with the rest of the statutory text.” The AG said that “…OEMs can insist on the cybersecurity protection of authorization so long as they are not the ones operating the authorization system, but rather use some unaffiliated company or organization to run the authorization system.”
More information
Defendant Attorney General Maura Healey’s brief on textual interpretation of the Data Access Law
Plaintiff’s brief regarding textual interpretation of the Data Access Law
Maine coalition moves to put ‘right-to-repair’ legislation before voters in 2023
Images
Featured image by nadia/iStock