At the heart of the case was the fundamental question of whether manufacturers can impose conditions on access to OBD information and diagnostic tools. The auto manufacturer had required registration and personal login to a server it designated, as well as a paid subscription to generic diagnostic tools linked to its server. The manufacturer argued that these measures were necessary for cybersecurity, citing UN Regulation 155, which will regulate automotive cybersecurity from July 2024. ATU and Carglass argued that these conditions were not covered by the EU Type Approval Regulation 2018/858 (Regulation), and that they harmed their competitiveness against authorised repairers, ultimately increasing costs for consumers.
The ECJ sided with the independent repairers, emphasising that additional access restrictions would hinder competition and be in conflict with the Regulation. The ECJ clarified that independent repairers should have full access to the information necessary to carry out their tasks of repairing and maintaining vehicles, without the imposition of conditions beyond those set out in the Regulation. In particular, the Regulation does not require prior registration or connection of internet-based diagnostic tools to a server specified by the manufacturer. The ECJ dismissed the manufacturer's cybersecurity concerns, emphasising that security measures should not impede access to data. The Court also rejected the manufacturer's reliance on UN Regulation 155, stating that this regulation explicitly leaves regional or national cybersecurity laws unaffected.
For car manufacturers, this ruling requires a reassessment of their data access and security strategies. Access restrictions that have been enforced may need to be reconsidered. The repair specialist in question has already called on all car manufacturers to remove access restrictions. This ruling may encourage other stakeholders to pursue claims against car manufacturers, to the particular benefit of independent repairers.
Indeed, this ruling should be viewed within the context of the ongoing legal dispute spearheaded by service and parts companies advocating for automobile data being shared with third parties. Reference is made to another landmark decision in the Case C-319/22. The ECJ clarified in that ruling that auto manufacturers must provide vehicle identification numbers (VIN) and offer associated technical information to aftermarket providers and suppliers, in a format suitable for direct electronic processing.
The timing of this decision is also significant as the EU plans to introduce a comprehensive horizontal regulation, the Data Act, which will significantly extend rights of access to raw and service data, including metadata. This Data Act will be complemented by sector-specific legislation. However, the distinction between these regulations is a challenge. In addition, the European Commission will propose legislation on access to vehicle data, possibly as early as November 2023. The ECJ's ruling clarifies that UN Regulation 155 does not inherently limit the scope of a European data access regulation, potentially inspiring EU legislators to introduce comprehensive data access provisions in sector-specific regulations, while requiring vehicle manufacturers to manage cybersecurity risks without unduly restricting data access. This marks a significant shift in the landscape of data access and security in the automotive industry.