EULA raises questions about ‘far-reaching’ agreements governed by People’s Republic of China
A new data privacy concern regarding scan tool end-user license agreements (EULAs) was brought to the attention of the collision repair industry last week during the Collision Industry Conference (CIC)’s meeting in Richmond, Virginia.
An Autel Technology Corp. EULA, discovered by a Society of Collision Repair Specialists (SCRS) member and discussed during both the SCRS open meeting and CIC conference, states a broad array of customer data can be collected, shared, and governed by the People’s Republic of China.
The agreement specifies that using the tool gives consent for collection, processing, storage, and transfer of data by Autel, including:
- “Vehicle registration, including but not limited to name and address;
- “Technical data and related information, including but not limited to vehicle, system and application, and peripherals; and
- “Vehicle data obtained from a customer’s vehicle, including but not limited to make, model, year of manufacture, equipment features, vehicle identification data, repair, maintenance and wear related data generated during use/repair, and odometer reading.”
The EULA also says that “Your use of an Autel device or download of the Software update will be deemed as Your acceptance of the constraints mentioned hereunder. …Autel will not collect, process or use any other personal information.”
Schulenburg explained the concern: if a shop owner buys a diagnostic scan tool and then lets a technician set it up, there may be a EULA that isn’t read, or that is agreed to without the owner ever knowing.
“We’ve spent a lot of time discussing data over the past several years,” he said. “We’ve talked about how data impacts our small businesses — where it ends up going [and] what we can do to control it reasonably. And many times when we have that conversation around data, I think we’re often talking about the software solutions that we use; the concern about when we’re writing a sheet, when we’re writing a repair plan, or documenting damage how do we make sure that we do a responsible job for our customers of maintaining that information while we also have a responsibility to share that electronic information with other people?
“That’s a challenge that the industry has found itself in and has been discussed at CIC, has been discussed by SCRS, and it will continue to be an issue that we need to talk about. …The shop owner may be completely unaware of what the agreement is,” he said. “The technician may not even read it, likely won’t, will probably just hit ‘I agree’ or disregard, it goes away, and they move on with the process.”
Terms in the agreement that Schulenburg found “striking” were that the end user would have to provide notice to, and get consent from, each customer or prospective customer to collect their vehicle data using the device and share it with third parties, and would be subject to China’s laws.
The specific provision read “you” – the business that is using the tool and accepting the terms – “will provide notice to and acquire consent from each customer (or prospective customer) to the collection of vehicle data obtained from a customer’s vehicle using the device that this Software is housed on and the sharing with and use of such data by Autel and third parties in accordance with this Agreement.”
Schulenburg shared that he wasn’t sure if this type of EULA is typical on scan tools. The Equipment and Tools Institute (ETI) told Repairer Driven News that it is.
ETI Executive Director Brian Plott said he hadn’t read the EULA in question but confirmed EULAs, in general, “can be problematic” with collision repair customers, insurers, and business practices. He didn’t provide further detail when asked follow-up questions. Since Autel is an ETI member, Plott said the issue is being investigated internally.
Schulenburg posed several questions for the industry to consider: “Is this typical? Is this OK? Is this something that the industry is willing to accept? Is anybody going through the process of notifying consumers of this if that’s what you’re agreeing to? Because when you click, ‘I agree’ or ‘I disagree,’ the end-user license agreement goes away and it doesn’t appear to be available online in any other way, shape, or form outside of that. So if your technician didn’t read it and just agreed to it and it went away and you weren’t made aware when you are trying to do your job of going, ‘How do I responsibly protect my customer’s information?’ You may not even know that this is an obligation of yours or something that you agreed to in addition to that you may be beholden to privacy agreements with other entities that you do business with.”
Because of a recently announced long-term collaboration agreement between Repairify and Autel U.S., RDN asked Repairify whether it was aware of the EULA, a copy of which RDN provided, and whether it had any concerns about it. The collaboration agreement between the companies allows for the use of Repairify’s patented global OEM remote diagnostics, calibrations, and programming solutions through Autel’s remote-capable products across North America.
“This is not an issue that pertains to us,” Repairify said. “All Repairify customer services and solutions are protected under the local laws of the country of origin. Any and all data collected or provided in the United States is protected by U.S. laws and does not leave the United States territory in any manner.”
Autel didn’t respond to RDN’s request for comment by the publication deadline.
RDN asked Steven Bloch, Stamford-based attorney and Silver Golub & Teitell partner, and Lawrence H. Pockers, a Philadelphia-based attorney with Duane Morris, for their thoughts on the EULA. Both attorneys offer legal help to collision repair shops in adhering to privacy laws on the books, including drafting EULAs and customer disclosures.
“There are some very problematic things in this particular EULA in terms of the fact that there’s a collection of far-ranging information and data,” Bloch said, noting that he and Pockers weren’t providing specific legal advice. “But at the same time, there are a lot of specifics that are left unsaid. There don’t seem to be a lot of guardrails on there for protection. While there are some minor qualifiers about not collecting other personal information it’s to be determined what personal information is collected in the first place and whether or not trust can be placed in the counterparty here as to what that constitutes and what’s done with it.”
He added that the use of the data is “almost without limitation in terms of its scope,” and how it’s shared and used. Other concerns Bloch noted are that data can be used for undefined “legitimate” business purposes and some of the provisions are under unspecified Chinese regulatory or contractual requirements.
“It specifically says, which should be a red flag — if not more troubling for the shops that are agreeing to this — that the use and the storage and transmission to its affiliates may occur in various countries including China, that don’t offer the same or any data protection or information privacy laws. That right there highlights and acknowledges the potential for risk of misuse and unauthorized access. It also requires… obtaining the shop’s customers’ consent to agree to all that, which is doubly troubling.”
Lastly, he noted, the EULA requires litigation of any disputes pursuant to the Chinese legal process and to be completed in China, which Bloch said could mean a significant burden and unknown contingencies and risks for shops.
A specific section stood out to Pockers, which reads:
“Autel may use this data for the following purposes:
- Completing this Agreement;
- Providing our products and services;
- Customer or supplier administration;
- Administering, maintaining, personalizing and improving our products and services;
- Developing new products and services;
- Inquiries and customer service request You submit to Autel;
- Statistical purposes and reporting;
- Compliance with legal, regulatory or contractual requirements and Other legitimate business purposes so long as the data is anonymized in a way that can’t reasonably be associated with You or a vehicle.”
Pockers said the last bullet point is the only one that is specific to data anonymity. The section regarding customer consent to data collection and use also seems problematic to Pockers because shops would have to figure out how to get customer consent specific to the EULA for every repair, posing a logistical headache, he said.
“Are shops supposed to put the entirety of this agreement in front of their customers and get those customers to then say, ‘Yes, we sign on to everything in this agreement?’ Are you supposed to create a new document that is appended to the paperwork that a customer fills out? How, as a practical matter, do you obtain that consent specific to this EULA, other than simply a consent that would be as broad as broad could be with respect to shop customers?”
When RDN asked Bloch and Pockers if shops should have EULA SOPs, the resounding answer was yes. They said SOPs should protect shops against liability for what data is collected, how it’s used, and who it’s shared with throughout the chain of custody, and should be backed up by agreements with each entity in the chain.
“This one seems to be a little more problematic and down toward that one end of the troublesome range of EULAs that we’ve seen,” Bloch said. “We’re in the process of reviewing and analyzing EULAs, and in particular those that pertain to scan tools or diagnostic tools and the like but this one and its open issues, landscape, and inherent risks seem to be an outlier.”