Tesla’s Sentry Mode is a privacy violation on wheels

Peter Hense
Spirit Legal
Contact
LinkedIn
Facebook
X
Send
Embed

Spirit Legal

Images by Unsplash / Collage by Robert Handrow

The article highlights the privacy concerns surrounding the use of cameras in monitoring public spaces and how these issues are particularly relevant in Europe, where privacy is a fundamental aspect of the legal culture. The article specifically focuses on the Sentry Mode feature offered by Tesla vehicles, which raises questions about its compatibility with the General Data Protection Regulation (GDPR). The author presents a legal analysis of the system and argues that it cannot be reconciled with the GDPR obligations.

Sentry Mode

Tesla's Sentry Mode camera system raises concerns about data protection and privacy. The cameras, which are either triggered manually or automatically when the car recognizes a threat, have a 250-meter range and 360 degree coverage, filming the faces and license plates of not only those in the car but also pedestrians and other drivers. While Tesla claims that the videos are not transmitted to the company without the owner's consent, there are instances where anonymized videos are sent over for their Fleet Learning algorithm and in the case of a serious safety event. The live camera option, which needs to be manually turned on and has a limited 15-minute per day transmission, also falls short of satisfying data protection standards as there is no clear way for data subjects outside the car to know when it is recording. The collected data is used for improving and enhancing Tesla's products and services, but it is not specified which data is used for which purpose, adding to the concerns about the extent and potential misuse of the data collected by the Sentry Mode cameras.

Legally problematic features

Tesla warns in its user manual that some Sentry Mode features of the car may be unavailable based on the user's geographical location and reminds owners to be aware of the applicable regulations. This creates a contradiction as it implies that Tesla can disable certain features in countries where they are banned, but it is up to the drivers to determine the legality of the remaining features.

A person responsible for data processing is defined in Article 4(7) of the GDPR as any “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

This puts the responsibility solely on the car owner for any illegitimate video recordings, even though Tesla has access to the software and recordings. This raises concerns about data protection under the GDPR. The definition of a person responsible for data processing encompasses both the owner and Tesla, as the owner activates the features and Tesla makes them available and processes the recordings for AI training or safety enhancement. The owner and Tesla could also be seen as joint controllers.

The processing of data is in violation of multiple articles of the GDPR, including insufficient specification of purposes for processing, failure to provide information to data subjects, collecting more data than necessary, insufficient security measures, and failure to conduct a data protection impact assessment. The driver would be jointly responsible with Tesla for all violations and illegitimate processing. The most severe violations are the failures to respect the rights of data subjects and violations of data protection principles. The fact that no mechanism for sharing information exists and Tesla does not consider traffic participants as data subjects is not a defense for these violations.

European Tesla owners should be aware of the associated risks before acquiring the car, as buying a product with illegal features presents a material deficit in the contract. The legality of using the car is in question, and this presents a problem for Tesla who may be withholding this information.

Spill Over Effect

The fact that it is not always the same person driving a Tesla creates an extreme and complicated responsibility spill-over effect. Any person using the car can access and activate any feature, including the legally questionable ones, making them a data controller. This is particularly problematic in rent-a-car services, which are increasingly offering exclusively the Tesla driving experience. Due to necessary documentation when renting a car, these drivers would be identifiable, but it is uncertain whether they would be aware of the illegality of their actions. The owner of the Tesla may be willing to accept the data protection risks keeping the car safe, but the same cannot be said for every person that sits in the vehicle without being informed about the possible consequences.

In a test, the rental of a Tesla Model 3 came with a preformatted Tesla USB-drive that enables illegitimate recordings. The disk is not wiped clean after use, meaning previous recordings of other drivers can be accessed. This creates a problem for the rent-a-car service and raises data protection violations. Not every driver is aware of the surveillance features and would not use them intentionally, but the risks associated with sitting behind the Tesla wheel are non-negligible and should be made known to all drivers.

Conclusion

Tesla cars may not be suitable for those who prioritize data protection, at least in Europe. Despite their attractive features, Tesla owners need to be aware of the potential privacy risks associated with using the car. However, Tesla's privacy notice or user manual does not mention the potential legality issues of using the features in some jurisdictions. Making the vehicles fully compliant with the General Data Protection Regulation (GDPR) while preserving advanced security options will be a challenge for Tesla. While it remains to be seen if Tesla can reconcile all recording features with the GDPR, their lack of acknowledgement for the potential violations is concerning. If someone still chooses to buy a Tesla, they can turn off the Sentry Mode and only use it as an alarm. In any case, buyers should be informed of the risks associated with full use of the product.

See also in-depth analysis by Peter Hense and Tea Mustac: https://dpoblog.eu/tesla-sentry-mode-big-brother-on-four-wheels

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Spirit Legal | Attorney Advertising

Written by:

Spirit Legal
Spirit Legal
Contact
more
less

Spirit Legal on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide