The National Highway Safety Administration (NHTSA) has outlined an approach for automakers to comply with the expanded Massachusetts right-to-repair law without running afoul of federal safety regulations.
However, if the proposal sees the light of day, it would mean implementing just a portion of the law – which Massachusetts approved by an overwhelming margin in November 2020.
The intent of the expanded right-to-repair law was to require automakers to equip vehicles sold in Massachusetts with a standardized data platform that enables motorists to access their vehicles’ telematics data through a mobile app.
In June, Kerry Kolodziej, NHTSA’s assistant chief counsel for litigation and enforcement, sent a letter to 22 automakers urging them to ignore the data-access provisions of the law due to cybersecurity concerns.
In an Aug. 22 letter to the Massachusetts Office of the Attorney General, however, Kolodziej asserts that OEMs can comply with the law “by providing independent repair facilities wireless access to a vehicle from within close physical proximity to the vehicle, without providing long-range remote access.”
“For instance, NHTSA understands that, according to the attorney general, vehicle manufacturers could comply with the Data-Access Law by using short-range wireless protocols, such as via Bluetooth, to allow the vehicle owner or an independent repair facility authorized by the owner to access all ‘mechanical data,’ as defined by the law, for that individual vehicle,” Kolodziej says in the letter. “In NHTSA’s view, a solution like this one, if implemented with appropriate care, would significantly reduce the cybersecurity risks – and therefore the safety risks – associated with remote access.”
Kolodziej notes that the proposal stems from conversations with Massachusetts Attorney General Andrea Joy Campbell.
“Limiting the geographical range of access would significantly reduce the risk that malicious actors could exploit vulnerabilities at scale to access multiple vehicles, including, importantly, when vehicles are driven on a roadway,” Kolodziej adds in the letter. “Such a short-range wireless compliance approach, implemented appropriately, therefore would not be preempted [by the National Traffic and Motor Vehicle Safety Act].”
NHTSA Letters ‘Underscores Imperative for a 50-State Solution’
Aftermarket trade associations issued a swift response to NHTSA’s letter.
MEMA Aftermarket Suppliers called it a “step forward” that the Massachusetts Office of the Attorney General and NHTSA have acknowledged “the need to address protocols for the open-access implementation” of the law.
However, MEMA asserted that “a short-range wireless protocol is insufficient to provide consumers with repair choice and stakeholders with a level playing field going forward.”
“The letter from NHTSA underscores the imperative for a 50-state solution that ensures both consumer choice in repair and enhanced safety on our roads,” the association said in a news release. “Moreover, it emphasizes the need for a cybersecure, technical solution that prioritizes consumers and is developed by and agreed to by all stakeholders.”
MEMA Aftermarket Suppliers also pointed to HR 906 – the REPAIR Act – as “a benchmark in cybersecurity for repair access.
“MEMA Aftermarket Suppliers firmly believes that the best solution is a collaborative, federal solution and invites automakers and other stakeholder to join the aftermarket in providing expert guidance and perspective to achieve that outcome,” the association added.
Meanwhile, the Auto Care Association said it “appreciates the continued support of the Massachusetts Office of the Attorney General to support the 2020 Data Access Law and the willingness of [NHTSA] to revisit its position on the enforceability of the law.”
“The Auto Care Association is gratified by NHTSA’s acknowledgement that the Data Access Law is not preempted by the Federal Vehicle Safety Act and by its latest statement that NHTSA strongly supports the right to repair,” Auto Care said in a news release. “The Auto Care Association further supports Attorney General Campbell’s stalwart efforts to ensure that vehicle manufacturers implement the Data Access Law safely and promptly. We look forward to the auto manufacturers’ compliance with the law.”
