ECJ rules on vehicle data sharing obligations and GDPR (Gesamtverband v Scania)
The recent decision of the European Court of Justice (ECJ) in Gesamtverband Autoteile-Handel eV v Scania CV AB clarifies requirements under EU Regulation 2018/858 for vehicle manufacturers to provide vehicle data to aftermarket participants, including manufacturers and distributors of spare parts.
In particular, manufacturers: (i) must make all vehicle repair and maintenance information available on their website, and additionally to aftermarket participants in a machine-readable format; (ii) must create a database containing information on replaceable vehicle parts, which is searchable by aftermarket participants using the vehicle identification number (VIN) and other criteria; and (iii) cannot withhold VINs from aftermarket participants on the basis that they constitute personal data.
This decision also has wider implications under the EU General Data Protection Regulation (GDPR), as it clarifies that whether a given piece of information constitutes 'personal data' is a relative question that must be determined for each specific organisation.
Context
This ECJ judgment relates to a claim brought in the Cologne Regional Court by Gesamtverband Autoteile-Handel (GVA), a German association for independent traders of motor vehicle parts, against the Swedish vehicle manufacturer Scania. GVA alleged that Scania failed to comply with provisions under EU Regulation 2018/858 which require vehicle manufacturers to provide certain vehicle data to aftermarket participants. The Cologne court referred three questions to the ECJ for preliminary ruling, summarised below.
ECJ Judgment
Does Article 61(1) of the Regulation require vehicle manufactures to provide access to all vehicle repair and maintenance information or only information relating to spare parts?
The ECJ confirmed that the obligation to provide independent operators (including spare parts manufacturers and distributors) with "unrestricted, standardised and non-discriminatory access … in an easily accessible manner in the form of machine-readable and electronically processable datasets" extends to all vehicle repair and maintenance information. This includes all information required for diagnosing, servicing, and inspecting the vehicle, as well as any information required for the remote diagnostic support of the vehicle.
What format does this information need to be provided in?
Vehicle repair and maintenance information must be made available: (i) generally on the websites of manufacturers using a standardised format; and (ii) to independent operators (other than repairers) in a machine-readable format in an "easily accessible manner" that can be processed "with reasonable effort" using generally available computer tools and software. The ECJ further clarified that formats which require intermediate file conversion (e.g. PDF) are not deemed as machine-readable.
Information on all vehicle parts which can be replaced by spare parts must be made available to independent operators in a database that is searchable using the VIN and any additional criteria such as wheelbase, engine output, trim level or options. This information must be machine-readable.
Is VIN 'personal data' under the GDPR? If so, does Article 61(1) of the Regulation constitute a lawful basis for making VINs available to independent operators?
Scania claimed that the VIN is always personal data and refused to disclose it, on data protection grounds, to aftermarket participants. The ECJ ruled that VINs are not inherently 'personal' in nature but can become personal data for a particular independent operator if that particular entity reasonably has at their disposal the means to associate the VIN to a specific natural person. This is to be assessed by the referring court, and includes, for example, if the independent operator has access to the vehicle's registration certificate which contains both the VIN and the name of the holder. However, this excludes cases where the VIN can only be linked to a corporate owner, rather than a natural person.
Even where the VIN constitutes personal data, the ECJ considered that Article 61(1) of the Regulation constitutes a 'legal obligation' for the purposes of Article 6(1)(c) GDPR, allowing for the lawful processing and disclosure of the VIN to independent operators.
Practical Implications
Vehicle manufacturers:
- Must share all vehicle repair and maintenance information with aftermarket participants. This scope and volume of data sharing may be more than current vehicle manufacturers anticipate.
- Need to create an easily searchable database of vehicle parts information. Aftermarket participants should be able to remotely access this database without needing to connect to the vehicle, and retrieve information in a machine-readable format (e.g. should not be a PDF).
- Must share VINs with aftermarket participants.
These obligations are already in force and should be complied with immediately.
Conclusion
The ECJ has confirmed that whether something is 'personal data' under Article 4(1) GDPR depends on the means reasonably available for that specific entity to identify the natural person concerned. It is therefore possible for data to be 'personal data' for one organisation, but not for another. This is in line with the ECJ's prominent – but often misunderstood – Breyer judgment (C-582/14), as well as the General Court's recent judgment in Single Resolution Board v European Data Protection Supervisor (T-557/20) which reaffirms the relative nature of personal data.