Access to vehicle data: A look at the recent decision of the European Court of Justice

The judgment of the European Court of Justice of 5 October 2023 in Case C-296/22 represents a further decision in the debate on access to vehicle OBD information and diagnostic and other equipment by independent repairers.

In the present case, the car manufacturer Stellantis Italy (formerly FCA Italy) did not want to grant unrestricted access to data for diagnostic, repair and maintenance purposes to ATU, an independent garage chain, and Carglass, a vehicle windscreen repair and replacement company.

What was the point of contention?

At the heart of the case was the question of whether a manufacturer could make access to OBD information and diagnostic and other equipment subject to certain conditions and, if so, which ones. Stellantis Italy required, in addition to registration and personal log-in to a server designated by Stellantis, that the independent repairer purchase a paid subscription for the use of the generic diagnostic tools connecting it to the server. The measures were, according to Stellantis, necessary for cybersecurity reasons. Stellantis also referred in this context to UN Regulation 155, which will regulate the cybersecurity of cars from July 2024. According to ATU and Carglass, the EU Type Approval Regulation 2018/858 does not provide for such conditions and Stellantis' measures affect their competitiveness vis-à-vis authorised repairers. In addition, workshop costs for end consumers would increase.

What was the decision of the European Court of Justice?

The Court ruled in favour of independent repairers, stressing that additional safeguards would affect the competitiveness of repairers and be contrary to the 2018 EU Type-Approval Regulation. It clarified that independent economic operators must have full access to the information needed for their tasks in the field of vehicle repair and maintenance, without being subject to conditions other than those provided for in the Regulation. In particular, the Regulation does not foresee as a condition any prior registration or connection of the diagnostic tool via the Internet to a server specified by the manufacturer. The ECJ did not accept the security concerns raised by Stellantis and clarified that security measures must not restrict access to the data and information. Stellantis could also not rely on UN Regulation 155, which, according to the court, expressly leaves regional or national cybersecurity laws unaffected.

Consequences for the different actors

For car manufacturers, the ruling gives reason to review their strategies for data access and data security. In particular, the granting of access practised so far should be reviewed. In a first reaction to the ruling, Carglass has already called on all car manufacturers to drop all access restrictions. The ruling could also have the effect that other interested actors assert claims against car manufacturers. In particular, independent repairers may benefit from easier access to vehicle data in the future, leading to increased competition and possibly lower costs for consumers.

A look into the future: The Data Act and the UN Regulation

The decision comes at an exciting time. This is because the EU will in future enact a general horizontal regulation that will significantly expand rights of access to all types of raw and service data, including metadata: the Data Act, also known as the Data Act. This law is to be supplemented by sector-specific regulations. Nevertheless, the delineation of the various regulations will be a challenge. In addition, there are further developments: For example, the European Commission intends to present a legislative proposal on access to vehicle data shortly - probably on 29 November 2023. The Court's clarification that the UN Regulation 155 does not in principle set any limits to a European regulation of data access could encourage EU legislators to provide for particularly broad data access in the sector-specific regulation at the expense of vehicle manufacturers. Vehicle manufacturers would then have to be able to manage cybersecurity risks without "unduly" restricting access to data.