Congress Considers Right to Repair Bill for Vehicle Owners
Last week, the House Energy and Commerce Committee voted to send the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act to the full U.S. House of Representatives for consideration. This legislation, if enacted, would give car owners access to their vehicle-generated data and repair data and tools from vehicle manufacturers. It would also grant owners certain rights over the use of that data, including the right to delete it, and would prevent recipients of vehicle-generated data from selling, transferring, or licensing that data absent certain exceptions. As indicated by its name, the REPAIR Act is reflective of the so-called “right to repair” movement to allow consumers and independent repair shops access to the same data for repair and maintenance that manufacturers make available to themselves or franchised dealers. It also has important implications for data privacy in modern vehicles, which generate increasingly large volumes of information.
U.S. Department of Commerce Finalizes Connected Vehicles Supply Chain Restrictions
On January 16, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a Final Rule formalizing prohibitions on certain connected vehicles (CVs) transactions involving hardware and software linked to the People’s Republic of China (China) and Russia.1 The Final Rule is scheduled to take effect on March 17, 2025. However, given that the Final Rule is one of several new regulatory frameworks on trade issued in the final days of the Biden administration, it remains to be seen what will happen with these regulations after January 20.
NHTSA Proposes Sweeping Voluntary Program for Vehicles With Automated Driving Systems
On December 19, 2024, the Chief Counsel of the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA or the Agency) signed a notice of proposed rulemaking (NPRM) in which the Agency proposed a sweeping voluntary program relating to the evaluation and oversight of motor vehicles equipped with automated driving systems (ADS). NHTSA defines ADS-equipped vehicles, which can also be called autonomous vehicles (AVs), as vehicles designed to fully perform the driving task without any expectation of an attentive human driver.
U.S. Department of Commerce Issues Proposed Rule on ICTS Supply Chain for Connected Vehicles
On September 26, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a long-awaited rule proposing to ban certain connected vehicles transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. BIS also proposed extensive compliance obligations for importers and manufacturers of connected vehicles and related components, which come as the automotive industry continues to grapple with how to protect critical safety-related data as vehicle interconnectivity increases.
EU Reaches Political Agreement on Cyber Resilience Act for Digital and Connected Products
On 30 November 2023, the EU reached political agreement on the Cyber Resilience Act (“CRA”), the first legislation globally to regulate cybersecurity for digital and connected products that are designed, developed, produced and made available on the EU market. The CRA was originally proposed by the European Commission in September 2022. Alongside the recently adopted Data Act, Digital Operational Resilience Act (“DORA”), Critical Entities Resilience Act (“CER”), Network and Information Systems Security 2 Directive (“NISD2”) and Data Governance Act, the CRA builds on the EU Data and Cyber Strategies, and complements upcoming certification schemes, such as the EU Cloud Services Scheme (“EUCS”) and the EU ICT Products Scheme (“EUCC”). It responds to an increase in cyber-attacks in the EU over the last few years – in particular the rise in software supply chain attacks which have tripled over the last year –as well as the significant rise in digital and connected products in daily life which magnifies the risk of such attacks.
