In the coming years, data collected by vehicles will be subject to a new EU regulatory regime consisting of horizontal rules applicable across many industries and vertical rules designed specifically for the automotive sector. In February 2022, the EU Commission adopted a proposal for a new Data Act, which is currently working its way through the EU legislative process. The Data Act sets out overall principles for data access to connected products, introducing user rights to access and share data, contractual principles for business-to-business data exchange, and switching principles for cloud services.
According to the Commission, however, the Data Act may not go into sufficient detail for the provision of data-dependent services in the automotive sector. Problems with the disparity of available data and access modes across vehicle brands, as well as the interplay between access to data and relevant cybersecurity and safety measures, are not addressed through the Data Act. Accordingly, in March 2022, the EU Commission launched a consultation on potential EU initiatives in relation to data collected by vehicles. The consultation will run until June 21, 2022, and the Commission will publish its conclusions in late summer. Meanwhile, the Commission will conduct a targeted survey with stakeholders.
The Commission is considering three policy options in relation to in-vehicle data. The least intrusive (short of doing nothing) would be to impose equal access rights to functions (e.g., the possibility of remotely unlocking the vehicle door for a shared mobility service) and resources (e.g., the possibility of displaying speed limit information on the vehicle dashboard for a navigation service, or to charging/discharging the battery for electric vehicle related services).
Under this option, manufacturers would need to publish lists of vehicle data, functions and resources accessible on a specific model or version of a vehicle. Rules would also address the interplay between the right to access data, functions and resources and the applicable cybersecurity rules, as well as introducing reporting obligations for manufacturers. According to the Commission, this option would encourage broader and fairer access for independent service providers and have the flexibility to accommodate future developments and take account of differences between manufacturers. As no data would be specifically required to be available in a particular format, however, this option may not facilitate the tasks of public authorities who need to access some crucial sets of data (e.g. on the level of pollutant emissions) for enforcement-related reasons.
In an intermediate approach, the EU would also impose a requirement to demonstrate the availability for access of a minimum list of data, functions and resources, remotely and in a specific format. This would include bi-directional communication with the driver through a vehicle’s human-machine interface, as well as continuous and secure access to the on-board diagnostic port. The possibility of proposing services across brands could create a stronger business case for the provision of data-driven services and address governmental bodies’ data needs for, e.g. monitoring traffic, CO2 or pollutant emissions or vehicle safety. This option could have a more beneficial impact on employment, safety and the environment, but implementation might take longer due to the need for standardization.
Under the most intrusive option, EU rules would impose not only a minimum list of data, functions and resources, but also governance rules on access. This option could facilitate equal and secure access to vehicle data, functions and resources, and ultimately create a more level playing field and greater incentives for investment in the independent provision and development of new services, with potentially greater benefits. However, it could also increase vehicle manufacturers’ costs and require an even longer implementation period.
The collection and sharing of data among (actual and potential) competitors raises significant antitrust issues. The Commission recently published draft general antitrust guidelines for the assessment of data sharing and pooling (among other things), which will likely apply from 2023-2033. Meanwhile, the Commission’s motor vehicle block exemption regulation is also under review. The Commission is expected to adopt a replacement block exemption for a five-year period from mid-2023-2028 with specific rules for in-vehicle data sharing.
Automotive sector stakeholders, including not only manufacturers but also automotive suppliers and distributors and providers of related products and services ranging from telecommunications, entertainment, insurance, fuel/charging stations and aftermarket services, will have to navigate an increasingly complex regulatory landscape. In addition to the specific measures described above, these include the new EU AI regulation, Digital Market Act, Data Governance Act and updated product liability rules, as well as constantly evolving data privacy and localization rules. As in many sectors, EU regulation is likely to cascade into other jurisdictions. The Commission’s consultations thus offer a precious opportunity for stakeholders to influence the future regulatory landscape.