OEMs, AG tell court why they have not complied with Mass. Data Access Law
The Massachusetts attorney general and two representative OEMs have told a federal judge that they have taken no action to carry out their obligations under a contested vehicle data access law approved by the state’s voters nearly two years ago.
In a brief filed Friday, Assistant Attorney General Jared Rinehimer said the office has agreed not to enforce the law as the legal challenge by the Alliance for Automotive Innovation (AAI) plays out in U.S. District Court.
The stipulation agreed to by the AG’s office states “‘that it does not intend to, and will not, exercise its enforcement authority…to enforce any provision of the Data Access Law’ until after the Court rules on counts 1 and 2 of the plaintiff’s complaint,” Rinehimer, chief of the office’s Data Privacy and Security Division, wrote.
In separate briefs also filed Friday, the cybersecurity chiefs of General Motors and Stellantis — the AAI members chosen as representative OEMs by the Alliance — said they had independently determined that they could not comply with the Data Access Law safely, and thus had taken no specific steps toward compliance.
“Having considered for months now the Attorney General’s proposed solutions and interpretations, it remains my considered judgment that it is simply impossible to comply with the Data Access Law safely—and that the proposed methods of compliance proposed by the Attorney General’s experts are not viable and little more than interesting ideas that, when considered carefully, do not work,” Kevin Tierney, vice president of global cybersecurity at GM, wrote.
Stephen McKnight, head of global product cybersecurity for North American Engineering at Stellantis, took a similar position. “[A]fter carefully considering the requirements of the Data Access Law and its federal obligations, Stellantis has determined it cannot comply with the Data Access Law safely and, thus, has not taken any specific steps to comply with this particular law,” he wrote.
AAI filed the suit, AAI v. Maura Healey, in November 2020, after Massachusetts voters approved the Massachusetts Data Access Law. Under Section 3 of the law, any OEM that sells a vehicle in the state that utilizes a telematics system “shall be required to equip such vehicles with an inter-operable, standardized and open access platform across all of the manufacturer’s makes and models.” The legislation became effective with the 2022 model year.
A key issue in the case is whether it is possible for OEMs to comply with both federal law and Section 3. Judge Douglas Woodlock had asked the parties to report on their enforcement efforts “to provide a full development of the record especially with respect to the Court’s exercise of its equitable powers, whether in connection with a period of stay pending appeal or otherwise, in addressing [AAI’s] claims,” according to the court reporter’s notes. He said he is resolving “outstanding issues” as he prepares to issue an opinion.
Rinehimer wrote that the AG’s office is mentioned only once in the Data Access Law, where it is directed to “establish a ‘motor vehicle telematics system notice’ for prospective vehicle owners.” The notice should include “(i) an explanation of motor vehicle telematics and its purposes, (ii) a description summarizing the mechanical data collected, stored and transmitted by a telematics system, (iii) the prospective owner’s ability to access the vehicle’s mechanical data through a mobile device, and (iv) an owner’s right to authorize an independent repair facility to access the vehicle’s mechanical data for vehicle diagnostics, repair and maintenance purposes.”
While Attorney General Maura Healey has so far agreed not to issue the notice, the office’s Data Privacy and Security Division has prepared a preliminary draft, which has not been disclosed to anyone outside of the office, Rinehimer said. He called the draft “predecisional, non-final, and subject to internal deliberation and revision.”
Healey has also chosen not to draft rules and regulations interpreting the provisions of the law, and has told the court that it “does not intend to promulgate regulations on the Data Access Law before final judgment is entered in this litigation,” he wrote.
Rinehimer noted that the law, as currently on the books, allows vehicle owners and independent repair facilities to file suit to enforce Sections 2 and 3.
“Specifically, Section 5 states that ‘any owner or independent repair facility authorized by an owner who has been denied access to mechanical data in violation of subsections (d)(1) or (f) of section 2 [i.e., Sections 2 and 3 of the Data Access Law] may initiate a civil action seeking any remedies under law, including any remedy authorized by chapter 93A. Each denial of access in violation of said subsections shall be compensable by an award of treble damages or $10,000, whichever amount is greater,’” he wrote.
“In exercising its enforcement authority under G.L. c. 93A, the Office of the Attorney General generally focuses on specific unfair and deceptive practices that have occurred or are presently occurring and that have been brought to its attention,” Rinehimer wrote. “When determining whether to expend its limited resources on enforcement on behalf of the public, the Office of the Attorney General also considers whether there are private parties that have incentives to pursue enforcement actions.”
McKnight told the court that, as Stellantis understands the law, it would be required to remove “critical cybersecurity controls from its vehicles,” something that it cannot do without violating federal safety obligations.
He also asserted that, since AAI and the AG interpret the law differently, Stellantis does not know what it must do to comply, and will not know until the court issues a ruling.
Finally, McKnight said any attempt to comply would rely on “certain prerequisites” that do not yet exist. “For instance, the law assumes the existence of ‘standardized’ authorization systems and an ‘unaffiliated’ third-party entity that manages those authorization systems,” he wrote. “But Stellantis cannot create either a ‘standardized’ authorization system or an ‘unaffiliated’ third-party entity. Rather, by definition, any authorization system that Stellantis creates would not be ‘standardized,’ and any third-party entity it creates to administer those authorization systems would be ‘affiliated’ with Stellantis.”
Tierney argued that certain requirements of the Data Access Law, such as its requirements that access be given to “vehicle networks,” that vehicles be equipped with an “open access” platform, that the platform be “directly accessible,” and that this access include the ability to “send commands” to in-vehicle components, are “antithetical to good cybersecurity practice… GM cannot comply with the Data Access Law for that reason alone.”
Like McKnight, Tierney raised the issue of the “practical obstacles” that stand in the way of compliance, including the disagreements over what the law requires, the lack of agreed-upon “standards” for the data access platform, and the absence of the third-party administrator envisioned by the law.
“Until such a third party does exist and creates a standardized and secure authorization system, I simply cannot even begin to design GM vehicles that comply with Section 2,” he wrote.
Tierney reiterated AAI’s position that the Data Access Law is not necessary to ensure that independent shops have the information they need to carry out safe repairs.
The telematics data sought “has very little to do with the diagnosis, maintenance, or repair of vehicles,” he wrote. “GM’s telematics service, OnStar, only transmits and receives repair data to (a) provide firmware-over-the-air updates (FOTA), whereby GM provides software updates to vehicle owners, free-of-charge; and (b) send diagnostic reports with information about the status of key vehicle systems, such as airbag, antilock braking, engine, emissions, and stability control systems, if the owners choose. Neither of these services affect vehicle owners’ ability to choose independent service providers to service their vehicles.”
“…[T]he limited diagnosis, maintenance, and repair information that is transmitted through GM’s telematics units is a small subset of the overall data that any repair shop can access via a GM vehicle’s OBD-II port,” he said.
Declaration of Jared Rinehimer (Assistant Attorney General)
Declaration of Kevin Tierney (General Motors)
Declaration of Stephen McKnight (Stellantis)