Are You Agreeing to Share Customers’ Data with China?

by Chasidy Rae Sisk

Today’s vehicles are complex supercomputers on wheels that include continually advancing technology that improve drivers’ safety and convenience, but those same systems that enhance the driving experience also collect a plethora of data about the vehicle and its owner.

Social security numbers, driver’s license numbers, vehicle identification numbers…personally identifiable information (PII) is “any information that permits the identity of an individual to be directly or indirectly inferred,” per the US Department of Homeland Security’s website, and in today’s digital economy, PII is so valuable that it has often been dubbed “the new gold.”

Over the past several years, the collision repair industry has become increasingly concerned with protecting consumers’ personal information as more and more states explore and pass data privacy laws. In many instances, shops have been shocked to find that data has been leaked (learn about some of these scenarios at this link), but during the most recent Society of Collision Repair Specialists (SCRS) Open Board Meeting, Executive Director Aaron Schulenburg brought a new concern to light that had been shared with the association by a member: an end user license agreement (EULA) in some diagnostic tools allows a wide selection of customer data to be collected, shared and governed by the People’s Republic of China!

Schulenburg expressed concerns with the possibility that business owners may be completely unaware of the stipulations in the EULA. He suggested a likely scenario where a shop owner buys a diagnostic tool and hands it to the technician to set it up, noting that the EULA only populates during the setup process. “The shop owner may be completely unaware of what the agreement is. The technician may not even read it, likely won’t; they’ll probably just hit ‘I agree’ or ‘disregard’ so it goes away and they can move on with the process.”

But the EULA in question contained some “striking” verbiage that Schulenburg feels the industry should be aware of. The EULA indicates, “The software is subject to China laws, including those governing the privacy and security of your information. If you register and use the software, you are transferring your information to Autel in China. By providing your information to Autel through the software, you consent to the transfer of your personal information to China, and our handling of your information in accordance with applicable China requirements.”

It also requires users to “provide notice to and acquire a consent from each customer (or prospective customer) to the collection of vehicle data obtained from a customer’s vehicle using the device that this software is housed on and the sharing with and use of such data by Autel and third parties in accordance with this agreement.”

Specifically, acceptance of the EULA provides consent for collecting, processing, storing and transferring data by Autel, including vehicle registration (such as name and address), technical data and related information and “vehicle data obtained from a customer’s vehicle, including but not limited to make, model, year of manufacture, equipment features, vehicle identification data, repair, maintenance and wear related data generated during use/repair and odometer reading.”

“[The EULA] talks a lot about data and where the data is going, that data will be exchanged in China and governed by the laws of China, and that you, as the person using this tool, will provide notice to and acquire consent from each customer or prospective customer…and that the software is subject to China’s laws, including those governing the privacy and security of your information. If you register and use the software, you’re transferring your information to Autel in China…I think that’s something we should be aware of,” Schulenburg stressed, pointing out that the EULA does not appear to be available online or anywhere else after it has been accepted during setup.

Admitting that he’s unaware whether the EULA in question is typically found on scan tools and suggesting the industry further explore that question, he asked, “Is this okay? Is this something that the industry is willing to accept? Is anybody going through the process of notifying consumers of this if that’s what you’re agreeing to? If your technician agreed to it without reading it, and you were never made aware, how do you responsibly protect customers’ information if you don’t even know this is an obligation you’ve agreed to?”

Furthermore, shops could be beholden to privacy agreements with other entities with whom they do business, Schulenburg suggested. For example, if a carrier insures government employees or active members of the military, what expectations might they have about maintaining those individuals’ privacy?

“We’ve spent a lot of time discussing data,” he acknowledged. “We’ve talked about how data impacts our small businesses – where it ends up going, what we can do to control it reasonably…and many times when we have that conversation around data, we’re talking about the software solutions that we use and the concern about when we’re writing a repair plan or documenting damage. How do we make sure that we do a responsible job for our customers of maintaining that information while we also have a responsibility to share that electronic information with other people during the repair process? What are our roles and responsibilities, especially as more state privacy laws populate?

“That’s a challenge that the industry has found itself in, and it will continue to be an issue that we need to talk about,” he added, predicting that the Collision Industry Conference’s (CIC) Data Privacy Committee will likely tackle this topic at future meetings.

“Collision repairers need to understand their EULAs with all of their partners and how the data could potentially be shared intentionally or accidentally with the companies they do business with,” CIC Data Privacy Committee Co-Chair Dan Risley (CCC Intelligent Solutions) told Hammer & Dolly last year, long before this issue came into the spotlight. “This sets the stage for a discussion on the data chain of custody.”

The day after Schulenburg’s jaw-dropping depiction of the developing “industry issue,” CIC Chair Frank Terlep issued a warning to the CIC body:

“If you or someone within your organization have purchased the specific technologies to perform diagnostic services, I want you to understand that you may have agreed to a EULA that allows the tool company and its affiliates, partners and agents to read, collect, transfer, process and store registration data, technical data, vehicle data…basically anything they want. But it gets better…You’re also agreeing that the data may be processed or transferred to China, where you have fewer rights related to data, and my guess is most of the collision repairers who have agreed to this don’t realize it.”

By agreeing to the EULA, “either you or someone within your business has agreed that you’re supposed to tell the consumer that you’re collecting data on their vehicle and sharing that vehicle data with another country,” Terlep continued. “You also agree that the software and the agreement you’ve accepted is subject to the laws of China, plus you agree to transfer your information to China, consent to the transcript of your personal information and the handling of this information, not according to US laws but in accordance with Chinese requirements. And last but not least, you agree that any dispute resolution, interpretation and modification is governed, not by the wonderful (if sometimes flawed) laws of the United States but by the laws of the People’s Republic of China…I want everybody to be aware that this is going on in virtually every collision and mechanical shop in our country today because we need to know what we’re agreeing to as an industry.”

Terlep concluded by confirming that CIC’s Data Privacy Committee will be further investigating this information and reporting on their findings during an upcoming meeting. Stay tuned to Hammer & Dolly for more details as they become available. 

Want more? Check out the July 2023 issue of Hammer & Dolly!