Who Owns Your Black Box Data? An Overview of U.S. EDR Laws and Regulation

Part 2: Who Owns Your Black Box Data? An Overview of U.S. EDR Laws and Regulation

Event Data Recorders (“EDR”) are regulated in the United States under 49 CFR § 563, which ensures that all EDRs record and collect data in a readily usable manner, and that car manufacturers provide commercially available mechanisms to retrieve crash and pre-crash data from EDRs. But who owns that data?

The federal Driver Privacy Act of 2015 limits data retrieval from EDRs and expressly rests ownership of EDR data with the owner or lessee of the vehicle. Specifically, it provides that “[a]ny data retained by an event data recorder (as defined in section 563.5 of title 49, Code of Federal Regulations), regardless of when the motor vehicle in which it is installed was manufactured, is the property of the owner, or in the case of a leased vehicle, the lessee of the motor vehicle in which the event data recorder is installed.” 49 CFR § 24302(a)(“Limitations on Data Retrieval from Vehicle Event Data Recorders”).

According to the National Conference of State Legislatures, as of 2021:

at least 17 states—Arkansas, California, Colorado, Connecticut, Delaware, Maine, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Oregon, Texas, Utah, Virginia, and Washington—have enacted statutes relating to event data recorders and privacy. Among other provisions, these states provide that any data collected from a motor vehicle event data recorder may only be downloaded with the consent of the vehicle owner or policyholder, with certain exceptions.

Exceptions include in the event of a court order or to aid in a law enforcement investigation.

In at least three additional states—Florida, Missouri, and Tennessee—the issue of EDR data ownership has not been legislatively addressed but has been addressed, at least to a degree, by the courts. In Florida, a court found that data recorded by an EDR may not be accessed by anyone other than the owner of the vehicle in which the EDR is installed. See State v. Worsham, 227 So. 3d 602 (Fla. Dist. Ct. App. 2017). In State v. West, albeit in a footnote, a Missouri appellate court cited to the federal Driver Privacy Act of 2015 and recognized that EDR data is owned by the owner of the vehicle and cannot be accessed by someone else without the driver’s consent. See State v. West, 548 S.W. 3d 406 (Mo. Ct. App 2018). In a criminal case in Tennessee, the court found that the owner of the vehicle had a reasonable expectation of privacy in EDR data, suggesting the data is the property of the vehicle owner. See State v. Holladay, 2006 WL 304685 (Tenn. Crim. App. Feb. 8, 2006).

With domestic lawmakers seemingly in agreement on the ownership of EDR data, we see little reason to debate ownership of connected vehicle data (or “VPD”). As partner Mike Nelson recently mused in a publication on this very point: “I don’t see the difference between VPD and EDR data. . . . Think about some judge in a Tesla case 10 years from now. ‘Wait a minute, there’s a homicide and this driver wants the data on the car to defend himself, and you’re telling him he can’t have it because you own it? That’s baloney,' he said, imagining the judge’s reaction to the facts at hand.” Carrier Management, “Who Owns Tesla Vehicle Performance Data?” (Mar. 9, 2022).

Legislative momentum also appears to be building behind this notion, including with the “Right to Equitable and Professional Auto Industry Repair (REPAIR) Act” introduced by Congressman Bobby Rush (D. Ill.) in February. As introduced, the REPAIR Act would prohibit vehicle manufacturers from withholding data or imposing barriers to limit the ability of “a motor vehicle owner or the motor vehicle owner’s designee to access vehicle-generated data.” While “vehicle-generated data” is defined in the Act to include data necessary for diagnostics and repair, the Act also leaves open the possibility that the definition could be expanded to “add additional types of data . . . regardless of whether those types of data are related to motor vehicle repair, taking cybersecurity and privacy into consideration, to allow consumers and their designees to directly access additional types of vehicle-generated data, and for additional purposes.”

For more information, check out Part 1 of this series (“What’s the Big Difference? EDR v. Data Logger v. ‘VPD’”), and stay tuned for Part 3 on international laws related to vehicle data recordings.

Posted April 15, 2022

Copyright Nelson Niehaus LLC
The opinions expressed in this blog are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This blog post is for general information purposes and is not intended to be and should not be taken as legal advice.