Repairer Driven News
« Back « PREV Article  |  NEXT Article »

Maine R2R group close on making draft data entity recommendations, privacy and security still in debate

By on
Legal
Share This:

Maine’s Right to Repair Working Group will review draft recommendations to the legislature regarding the state’s new R2R law on Dec. 2.

The group’s purpose is to make recommendations to the legislature on what responsibilities and/or compliance enforcement duties a not-yet-created independent entity would have when it comes to repair data access to independent repair shops and consumers. It’s required to submit a report on its findings to the legislature by Feb. 28, 2025.

The group agreed Monday on several measures that will go into the draft; however, there was debate about whether cybersecurity and consumer privacy should be part of the entity’s responsibilities for which a consensus wasn’t reached.

Maine Chief Deputy Attorney General Christopher Taub, who serves as chairman, led the members in filling out a “decision log” according to how the law is currently written. He noted that each item could be changed under the independent entity’s authority if it so chooses.

    • Will the entity be a gatekeeper for access to the data? No
    • Will the entity decide whether the manufacturer must grant access to the data for a specific request? No
    • Will the entity implement a credentialing or verification process? No
    • Will the entity establish a standardized process of accessing data across all manufacturers, or will each manufacturer implement its own process? The entity may offer non-binding recommendations for best practices implementation to OEMs
    • Will the entity need to have rulemaking authority? No, at least not initially.
    • Will the entity need to have enforcement authority? No but it will have the authority or ability to refer matters to the AG’s Office for enforcement, and the AG can bring up matters for enforcement based on complaints received.
    • Will it be an independent board or commission or part of an existing agency? Taub said he envisions a freestanding board or commission that wouldn’t be housed within any part of state government but it would need logistical/administrative support to hold meetings.
    • Will there be staff? No
    • Will there be funding? No, other than perhaps per diem pay to members for expenses to attend meetings.
    • Who will be on the entity and who will convene it? This wasn’t decided on Monday. Taub did say that the AG’s Office shouldn’t be an entity member because it would be a conflict of interest and that the chair should be a neutral party.

Regarding consumer privacy issues, Meagan Sway, who represents consumer advocacy on the working group, said building both into the entity’s design is crucial to make sure consumer information is protected.

“As a general privacy advocate… I could see being brought in to develop policies and think about policies but to be part of a group every meeting and to be part of contacting auto manufacturers feels like outside the scope of that,” she said. “The [complaint] investigation part feels a little separate. It’s really crucial to have privacy baked into the design of the group and have DV [domestic violence] advocates talking about making sure that people are not using this group to get at people’s information.”

Jeff Groves, the group’s representative for aftermarket parts distributors and retailers, said the fundamental issue is consumers should have the option to be in control of who has access to their data.

“In this context, with respect to this piece of legislation, we’re talking about diagnostic and repair data so it’s a limited subset with respect to privacy anyway,” he said. “There are a lot of things that telematics does with data that is not contemplated with this that people probably really should be concerned about. As long as the focus is on making sure that the consumer is the one who authorizes the release of whatever diagnostic and repair information to whomever they choose, I think as long as you protect that, I don’t know that you’re going to have too many other privacy issues with respect to this subset of data.”

Taub noted that the issue may be moot since the working group had already decided from previous meetings that the entity wouldn’t be managing data. Sway suggested there be language in the group’s recommendations letter that specifies the entity should advise with privacy experts.

“I think it is important to keep privacy in mind from the beginning and if we just take it out completely, it’s too easy to not think about it,” she said.

Caitriona Fitzgerald, the group’s data privacy advocacy representative, agreed. “I think if it’s explicit that the entity has to take privacy in particular… into account, that is sufficient. I don’t necessarily think it has to be someone on the body.”

Tesla Service Engineering Director Brian Boggs, who represents automakers for the group, said he thinks the entity should have members with cybersecurity and data privacy expertise. For example, data privacy expertise would be helpful when complaints require a decision on whether data should be available, he said.

“Although we talk often about this as an owner-authorized platform, there are times when the ‘owner’ is not the owner — a man-in-the-middle attack, a relay attack, or a phishing attack,” Boggs said. “Phishing attacks are also overlapping into the world of data privacy. I envision this entity, vehicle manufacturers, and independent repairers being presented with challenges in the coming years of truly knowing and trusting when they’re getting an electronic request to authorize some individual that they’re not physically present with to access their vehicles.”

Ultimately, the group decided to continue the discussion on both topics at its next meeting as well as develop a running list of ambiguities group members take issue with in the statute that should be part of the report to the legislature.

Images:

Featured image credit: Capuski/iStock

Share This: