EULAs: Who owns vehicle data, and who is responsible for what happens to it?
Business Practices | Legal
A panel of four diagnostic scanning company leaders agreed that when it comes to data retrieved from vehicles, the owner isn’t explicitly defined.
In most cases the owner of the data is the owner of the vehicle, but for the sake of protection the panelists from AirPro Diagnostics, Repairify, Elitek, and Autel said repair centers should take full responsibility for where the data ends up.
On Oct. 31, the Collision Industry Conference (CIC) Data Access, Privacy and Security Committee brought together panelists Don Smith, Elitek Vehicle Services senior director; Chuck Olsen, AirPro Diagnostics automotive technologies solutions senior vice president; Cris Hollingsworth, Repairify president; and Paul Marshall, Autel senior product and operations manager, to discuss the basics of end-user license agreements (EULAs).
Marshall called EULAs “the tie that binds” Autel with its community of users.
“We really work to be transparent on what we save, what we discard, and what we track,” he said. “Any of our users can go into our settings [web]page, read it, they could ask questions; [if] they don’t agree with it, they could tell us and we could actually work with it.”
The company’s EULAs are also available on Autel tools, he added.
Hollingsworth added that EULAs often spell out not only who owns the data but also who owns the software and the process, and describe what the protection rights are.
Olsen summed it up as a document that specifies the usage rights and protection of intellectual property of the program author and the user obligations.
“One of the things that’s tricky about EULAs as well, and most EULAs say this could change without notice, is that they change,” Olsen said. “Unfortunately, I’ve learned the hard way a couple of times with some of those things that changes do happen and they [EULAs] look the same. They can be very long and very wordy but whatever it is that you agree to in that — with the data and how the data is being used with the provider — it’s your responsibility.”
That responsibility includes knowing if the data is being shared with other parties, he said.
Smith said the definition of responsibility for where and how the data is used is simple for Elitek: if they collect it, they’re responsible.
“We’re responsible for it just as the shop owners are responsible for the data,” he said. “If they’re collecting it from their customers from that vehicle, they’re responsible for it; when they come in and save their name, phone number, address, credit card information at the shop… We feel like that’s part of the right to repair — that it implies that the vehicle owner owns the data, which puts the responsibility for the data on us.”
Ultimately, and arguably most importantly, repairers should abide by the EULA that applies to whatever hardware is used to access the vehicle interface, whether a scan tool plugged into the OBD II port or a remote provider’s scan tool.
“The easiest thing to do to mitigate your liability is reduce the data you’re collecting and only collect the necessary data,” Smith said. “Also, make sure you’re talking to your customers about removing personal data from their vehicles.”
However, the definition of “personal data,” i.e. personally identifiable information (PII), can vary. It’s often characterized as full name, address, phone number, and email address.
For example, Hollingsworth said that while VINs aren’t treated as PII in North America, they are in Europe under the General Data Protection Regulation (GDPR), and ownership, put simply, is a mess.
“It’s layered data based upon where it’s being generated,” Hollingsworth said. “I think we can all agree that when it comes to the vehicle owner, whoever generates the data should be the owner of that but there are different regulations that put that into question… Today, for the most part, the law says it belongs to the person who owns the IP but then that gets a little bit confusing because what if some of that data from the consumer comes up into that process? Now you’ve got data overlap and you’ve got overlapping regulatory requirements.”
To add to the confusion, some data is accessible to and/or owned by OEMs under agreements consumers sign at OE dealerships, he added.
Mitigating the risk of customer information leaks through data breaches also requires protection protocols on the repair center’s end.
As for the diagnostics providers, they said they avoid the risk by either not collecting PII at all or, if it is collected, not storing it.
“The things that we really pay attention to is one, what’s the tool connected to? And if their subscription is up to date and that’s it,” Marshall said. “Credit card processing is done by a third party. We don’t want to go down that road. Basically, we protect ourselves by accumulating less data.”
Olsen said repairers should also be protected with a customer work authorization as a “must-have” in addition to abiding by EULAs.
“There is a ton of data that’s in the vehicle and needs to be documented for proof that you did the right things to the vehicle,” he said. “Beyond that purpose, there really isn’t much other purpose or value… I haven’t seen a diagnostic scan tool that accesses that type of information and if that did become available to access that type of information we would probably alert somebody because it isn’t needed, like, trip history data, phone records, and driving behavior… There is another level of tools that usually takes a court order to retrieve that black box data if there was a death, if there was something involved where there’s some type of litigation going on.”
The panel did offer the PII protection information with a caveat, however: reputable shops, sublet providers, and dealerships that use reputable scan tools can’t access vehicle black box data, such as trip data.
Smith added that it’s unclear what non-reputable businesses and scan tools can access.
“Could it [scan tool] be collecting data that the user can’t see… but uploading it? These are things we don’t know,” he said. “If you’re a shop owner, know your sublet providers whether it’s the dealership, a mobile, [or] remote. Use reputable companies that you know and trust. That’s how you have to protect yourself.”
That doesn’t mean bad actors can’t gain access to vehicle data, or even vehicle functions.
“If you want to be a nefarious actor, you actually can modify tools and once you have access to the vehicle, you can modify,” Hollingsworth said. “And if you do have the ability to get around secure gateways, you can get access to sensitive parts of the vehicle. The industry is playing ethically and playing effectively by the rules but you need to be aware as a shop owner on whether or not somebody is enabling or helping a nefarious actor who is then trying to potentially get access to vehicles for whatever reason.”
For example, he added, some technicians own their own scan tools and while they’re the ones that agree to the EULAs on it, the shop could ultimately be held responsible in court. The same goes for technicians who use shop-owned tools and agree to EULAs without the business owner’s knowledge.
Marshall added that Autel only collects the data that is shown on its tools’ scan reports; that data is stored locally, and the user chooses whether to upload it to the cloud.
In January, attorneys Steven Bloch and Lawrence H. Pockers shared during a CIC meeting that the PII chain of custody should be of the utmost importance to shops, adding that a list of standard operating procedures (SOPs) and best practices should be put together by each business. They said the SOPs should meet applicable state laws and potential federal legislation for what has to be included in customer disclosures and notifications, guidelines for protecting PII, and getting customer consent.
At the April CIC meeting that followed, concerns over “far-ranging” data collection through Autel’s EULA were brought to light. By the July meeting, Autel shared from the open mic that the company had released a new EULA.
The document had previously stated that a broad array of customer data could be collected, shared, and governed by the People’s Republic of China. The EULA also wasn’t accessible for review after the user agreed to or denied it.
When asked during the panel discussion where EULAs can be found, Smith said they’re typically buried within the software.
“Some of them you actually have to reinstall the software to get a copy of the EULA. Some of them don’t allow you to print it. Some of them, you have to take screenshots. It’s going to vary by hand tool.”
Olsen said he’s found the same to be the case.
“I would like to see that change,” he said. “I would like to see a standard for EULAs that have a date [and] that are available on the website that can be reviewed at regular intervals just so that you can check that things have changed. A technician, he’s not going to read that document. He’s trying to get a job done. He scrolls to the bottom and clicks ‘I agree.’ If there’s a change in there, the company or their legal people need to have access to it so that they can review it.”
Hollingsworth said EULAs are available on tools, on demand, and online but there’s no consistency on where they’re found.
A lawsuit filed by AirPro in December 2022 is pending in a Michigan federal court against Opus and Drew over a EULA between the companies and AirPro that was signed Feb. 13, 2017.
Under the terms, the parties agreed to exchange information with one another, including “business strategies, pricing, techniques, computer programs, methods, drawings, formulas, specifications, software, or other data of a business or technical nature[.]”
AirPro claims Drew used what it learned to become a direct competitor and violated a license agreement for AutoEngenity’s Giotto product. AutoEngenity is a Drew subsidiary and is named as another defendant in the AirPro suit, along with Opus President Brian Herron. They’ve been accused of unfair competition.
Images
Featured image credit: Hailshadow/iStock
Secondary image (From left): Dan Risley, CIC Data Access, Privacy and Security Committee chair; Trent Tinsley, CIC Data Access, Privacy and Security Committee co-chair; Don Smith, Elitek Vehicle Services senior director; Chuck Olsen, AirPro Diagnostics automotive technologies solutions senior vice president; Cris Hollingsworth, Repairify president, and Paul Marshall, Autel senior product and operations manager discuss the nuances of understanding and abiding by end-user license agreements (EULAs) on Oct. 31, 2023 during a CIC meeting in Las Vegas, Nevada.