by Tea Mustać and Peter Hense //
It is no secret that Europeans take their privacy very seriously, up to the point where it may seem illogical or even cause frustration in the population. So, for example, a burglar can successfully make the case that the camera used to catch him was in fact recording illegitimately.1 On the other hand, there are good reasons why this is the case and why safeguards and limitations need to be set before we one day wake up in Orwell’s 1984 reality. Whether it is the state or Musk’s private Big Brother apparatus watching over us is irrelevant for the discussion. 2 What is relevant is that people cherish their privacy and behave differently when they know they are being observed and that respecting this fact is a fundamental building block of the European tradition and legal culture. Standing right across from that are the thousands of (potential) drive-around cameras severely intruding into the private zone of any single pedestrian or car driver going about his business thinking that nobody is watching.
To elaborate on this claim, this article will first present the controversial Sentry Mode offered by Tesla as a standard selling feature of its vehicles. Then a legal analysis of the presented system and how it measures up to the GDPR will be offered. At first glance, it may seem rather difficult to make a case against cameras, protecting the property of their owners and occasionally helping solve crimes.3 However, as even tyranny can be good while the tyranny is benevolent, so are such invasive systems only ‘good’ so long as they are used for and proportionally to legitimate purposes pursued. On the other hand, Tesla’s Sentry Mode, together with all its benefits, carries some inherent problems stemming from its GDPR incompatible features. It is the opinion of the author, that the current set-up of the system cannot be reconciled with the obligations imposed by the GDPR. However, whether this is an absolute barrier to its use in the European market or just another problem to be solved remains yet to be seen.
Tesla’s sentry mode besides its obvious benefits for the Tesla drivers, not wanting to have their shiny new cars keyed, has some rather worrisome features when everybody else is concerned. This is particularly the case because Tesla apparently considers only the driver and passengers as data-protection worthy data subjects.4 Accordingly, no data is transmitted to Tesla without the owner’s consent, except for the cases where the e-Call feature is activated. This feature, however, potentially saves the driver’s life when the car has been severely damaged,5 in which case the driver will most probably not object to the data transmission. However, opposite to what Tesla would like us to think, it is not just the persons in the vehicle that are data subjects. It is every single pedestrian, whose face has been filmed, and every single driver, whose license plate has been recorded. This encompasses a lot of (potential) data subjects, considering Tesla’s self-advertised camera quality, videos ranging up to 250 meters, together with the 360 degrees coverage of the car’s surroundings.6 These cameras are used either at the driver’s request (Dashcam) or in cases the so-called Sentry Mode automatically recognizes a ‘threat’.
To activate the Sentry Mode threat recognition system a simple click on the giant tablet located in the middle of the dashboard suffices.7 Another click further, and the car can use its advanced cameras to identify ‘threats’.8 Of course, no definition of a ‘threat’ is provided by Tesla, so we will have to use our imagination. However, when the camera recognition option is off, the car will still identify ‘threats’, albeit ‘only physical’ ones.9 This particular wording does raise some rather interesting questions about the camera system and the non-physical threats it may recognize. You might want to think twice before throwing a mean look, while passing by the luxury vehicle you still can’t afford. All jokes aside, a test conducted by futurezone did show that the car’s surveillance system is activated anytime another vehicle, or a person passes by too close to the vehicle.10 When this fact is combined together with Tesla’s self-claimed 250-meter camera reach and very solid video quality,11 this in and of itself raises a lot of concerns. For the collected data to be regarded as personal (or even biometrical), it only needs to be possible to identify the people on the recordings. On that note, there has already been examples of people installing facial and license plate recognition algorithms into the car’s system, thus turning them into real mobile surveillance systems, collecting personal data of every person recorded12
And the story doesn’t end here. Even though Tesla claims publicly that they have no access to the video recordings made, there are several instances when this is not true. Firstly, you may consent to having anonymized videos sent over for their Fleet Learning algorithm.13 This would then transmit anonymized 30 second videos from the Dash, Sentry and Cabin cameras to Tesla to train their algorithms for driving assistance. Furthermore, the training doesn’t happen only through transmission over European servers, but the US ones as well. Moreover, Tesla stays rather silent about how the videos are anonymized,14 and there have been claims they are not anonymized at all but are in fact raw data.15 Secondly, the recordings are not transmitted just for AI training. Transmissions also happen in case a ‘serious safety event occurs’.16 What a serious safety event may be is again left to our imagination and the car’s algorithms. In any event, even if the owner consents to the videos being transmitted in these situations, other bystanders might not be so inclined. That is, of course, if they are even aware they may be recorded and sent to Tesla, which most people are not.17 Moreover, considering we have no idea what exactly triggers the transmission,18 it is hard to say when something might have been transmitted and, in any case, it means the access remains persistently open since it is the company that decides on the triggering event. This is particularly problematic when observed together with the purposes for which Tesla processes the collected data. These include ‘improving and enhancing the development of their products and services’, entailing both commercial services and the improvement of safety features. 19 It is not in any way concretized which or when the data is used for a particular purpose and, considering the very wide layout of potential purposes together with the extensiveness of the data collected, this is yet another reason for concern.
The last critical feature that will be discussed here is the live camera option. Although this is an option that, like the camera recognition of critical events, needs to be manually turned on. And the live feed transmission is limited to ‘around’ 15 minutes per day.20 This does not change the fact that the option falls short of satisfying many data protection standards. Firstly, the only information provided to all the data subjects around the car is that the car lights blink in regular intervals and, that here as well as in the case of automatic Sentry Mode recordings, the interior screen shows the message that the car is recording.21 However, it is very unlikely that a regular non-Tesla-driving by passer will interpret the blinking as anything other than just that. Blinking. And when it comes to the interior screen, how exactly the people outside the vehicle are expected to read the notice is yet another mystery. Not to mention that the only thing contained in the notice is that ‘Sentry Mode is activated’ and ‘Recording’ is in progress.
What is important to emphasize in the end is how the system actually functions, because the idea of the car helping you catch the person that scratched it with a key or helping explain a serious car accident does seem like quite an appealing argument for allowing the use of such features.22 So how may the owner decide to save the video after witnessing a car crash or seeing that the car is scratched? The answer is rather obvious. The car is actually recording its surroundings constantly. And Tesla does not completely hide this fact. For instance, this information is stated on page 177 of their 322 pages long User Manual.23 However, their public proclamation that they are not a data controller and that if anyone is in any way deciding on the processing of data it is the car owner,24 does leave a slightly different impression. Maybe they think that the fact that they overwrite the recordings, if they are not saved within an hour, resolves them of any kind of responsibility. Yet one look at the GDPR tells a different story, but more on that in the next Chapter.
Why you might not want to play with all the features of your newest toy
We have already touched upon certain data protection issues in the previous Chapter. However, now a deep (or at least deeper) dive analysis will be given. First of all, Tesla itself gives a disclaimer in the user manual, that some Sentry Mode features of the vehicle may be unavailable depending on the market region.25 Second disclaimer follows right after, warning the owners to be mindful of the applicable regulations.26 This particular two fold constellation contradicts itself, because on one hand it means that Tesla can make certain features unavailable depending on the geographical location of the user, presumably shutting the option completely off in countries that banned its use,27 and yet it leaves to the drivers to check whether the remaining features can be legally used in their country. As one would not want to buy medication that may not be legal or buy a gun only to after research if this gun can be licensed and used legally, so one would also presumably not want to buy a vehicle where its legal use is questioned. Furthermore, the constellation gives the impression that it is only and exclusively the car owner who is responsible for any (illegitimate) video recordings, even though Tesla has access to the software making the recording possible as well as in certain cases to the recordings themselves.
A person responsible for data processing is defined in Article 4(7) of the GDPR as any “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This definition, regardless of what Tesla would like us to think, encompasses both the owner and Tesla. The owner for any activation and use of the features described in the previous Chapter and Tesla for first making those features available, arguably violating data protection by design principle (Article 25 GDPR), then for deciding when the recordings start, and for processing those recordings for AI training or safety enhancement. What is also important to emphasize is that the owner and the company could also be seen as joint controllers (Article 26 GDPR). This conclusion is the only logical development from the CJEU’s recent jurisprudence in the cases concerning Jehova’s witnesses,28 Fashion ID29 and Wirschaftsakademie,30 in all of which the court decided that it was enough to identify a converging purpose between controllers to establish joint controllership. Although it may be difficult to identify a particular purpose as converging, the essence of the concept is that one controller’s processing is enabled and ‘decisively’ influenced by the other’s.31 This is certainly the case in the use of Sentry Mode. First Tesla has made the features available to the user. The user then activated the features to protect the car from damage or theft, with Tesla deciding when the car is at risk and the recording needs to start, but also subsequently collecting the data to process it for its own purposes. This chain leads to all sorts of negative consequences for the owner starting from the fact that it is the owner that is most easily identifiable and therefore also suable for any GDPR violations (including the ones made by Tesla). Up to the fact that there is no joint controllership agreement between Tesla and the owner, which is something Tesla of course does not offer since they don’t consider themselves responsible for any occurring data processing. And buckle up because there are a lot more (possible) violations to go.
The examined processing is in violation of Art. 5(1)(b) by insufficiently specifying the purposes for which the data is processed, Art. 5(1)(a), Art. 13 and 14 for failing to provide sufficient information to the data subjects, Art. 5(1)(c) for collecting far more data than necessary to keep the car safe, Art. 32 due to insufficient security measures allowing the interception of the camera signals, Art. 35 for failing to conduct a data protection impact assessment of a very intrusive, all-recording surveillance system, and even Art. 44 by transferring the data to its American mother company.32 The driver would as a (joint) controller be jointly responsible with Tesla for all violations and all illegitimate processing, which means all recording without legal ground. Thus, encompassing virtually all recordings, except arguably in the cases where the car has actually been damaged or stolen(which still fails the proportionality test for all other situations).
Among all the mentioned (potential) violations, the ‘worst’ ones are the violations of data protection principles and the failure to respect the rights of data subjects since these are the most severe violations bringing about the most massive sanctions. On that note, any recording made violates the principle of transparency requiring that data subjects are notified of any collection of their data, enabling them to exercise their rights. The fact that no mechanism for sharing such information exists may not be so surprising considering the fact that Tesla doesn’t consider (other) traffic participant as data subjects at all, but this does not change the legal consequences of the failure to provide them. For any data protection issue the only relevant assessment factor is the actual situation and not any contrary statements or agreements made. And in the present processing operation the facts tell a rather clear story. The fact that all European Tesla owners should be aware of all associated risks when, or rather before, acquiring the car cannot be emphasized enough. Buying an illegal good or a good with certain illegal features presents a material deficit of any contract by which such a good was acquired. When buying a thing (presuming you didn’t buy it on the black market) you legitimately expect you are also allowed to use it legally. But this appears not to be the case when buying this particular (at the very least) 40.000 EUR car. This makes for yet another legal problem, however, this one arguably just for Tesla, withholding this information.33
Responsibility Spill-Over Effect
There is one more aspect to the story, which brings about a rather extreme and complicated responsibility spill-over effect, and that is the fact that it is not always the same person driving the car. This is problematic because any person using the car can access and thus also activate any Tesla feature, including the legally questionable ones. How exactly this problem could be resolved is yet another food-for-thought problem we encounter. Maybe the settings could be locked to prevent other drivers from changing them? And what if the settings are locked to a non-compliant set-up? In any event, as the situation currently stands, anyone sitting behind the wheel can freely access and meddle with the car’s settings, which in turn makes the person a data controller. Albeit a controller that is almost impossible to identify. This issue is particularly prominent when talking about rent-a-car services, which are increasingly offering (sometimes even exclusively) the Tesla driving experience. Due to the necessary documentation when renting a car, these drivers would be identifiable. However, whether they would be aware of the illegality of their actions is a different question. It very well may be that the owner buying the Tesla for him/herself is willing to accept the data protections risks to keep the car safe, but the same cannot be said for every single person that sits in the vehicle for a day or two, without being in any way informed about the possible consequences.
To test the situation for ourselves, we have indeed rented the Tesla Model 3 to see what we find. And we found a lot. Not only does the rental car come with a preformated (one must say rather sleek) Tesla USB-drive, enabling the illegitimate recordings, but the disk is also not wiped clean after use, meaning that we could access previous recordings of other drivers. This is then also a problem for the particular rent-a-car service, and the data protection violation spillover effect is enough to make your head spin.34 Of course, not every driver is even aware of the surveillance features and would presumably not use them intentionally, however, the risks associated with even sitting behind the Tesla wheel are non-negligible and are something that every driver should be made aware of and warned about.35
Europe has a long history of protecting the privacy of its citizens not seldom at the expense of protecting property to the greatest possible degree.36 And it seems that despite their good looks and associated prestige Tesla cars are (still) not a good idea if one wishes to be in the data protection green zone, at least in Europe but maybe also beyond.37 At least if one wishes to use all the available features. On the other hand, in order for the Tesla owners to act responsibly they need to at the very least be aware of potential trouble they may get themselves into. Conversely in Tesla’s privacy notice or the 322-page user manual there is not even a warning that certain uses are most probably illegal in some jurisdictions, which seems like a crucial piece of information when deciding whether to buy the product.
Regarding the legality of the Tesla features themselves, it may take a lot of work and effort to make the vehicles fully GDPR compliant, while keeping the advanced security options available. This is of course one of the priorities since these are arguably also key selling points for a lot of (worried) Tesla drivers.38 Whether Tesla will find a way to make all recording features legal and reconcilable with all the GDPR remains to be seen. However, considering their complete lack of acknowledgement for the fact that they are violating or even that they are the addressee of the discussed GDPR provisions, seems to point to the opposite. In the meantime, should one absolutely insist on buying this sleek toy the possibility of using it with the Sentry Mode turned off, that is only while using its (still rather creepy) alarm functions, still remains.39 And at the very least, in that case, the customer should still be provided with all the necessary information regarding the associated risks of the full use of the product.
Tea Mustać, Research Associate at Spirit Legal Rechtsanwälte, Leipzig (Germany)
Peter Hense, Spirit Legal Rechtsanwälte, Leipzig (Germany)
1 CJEU C 212/13 František Ryneš v Úřad pro ochranu osobních údajů 11 December 2014 ECLI:EU:C:2014:2428, AP Barcelona – Auto 72/2021, GDPRhub, AP Barcelona – Auto 72/2021 – GDPRhub (accessed on the 23 January 2023).
2 Negativ-Auszeichnung, Warum der “Big Brother Award” an Tesla geht, 19 September 2020, t-online. https://bigbrotherawards.de/digitalcourage, https://www.t-online.de/nachrichten/deutschland/gesellschaft/id_88598810/datenschutz-warum-der-big-brother-award-an-tesla-geht.html (accessed on the 23 January 2023).
3 See, for example, Daniel Schurter ‚Warum Teslas «Wächtermodus» auch jeden Fussgänger betrifft‘, 24 September 2019, watson https://www.watson.ch/digital/tesla/337037325-videoueberwachung-durch-tesla-fahrzeuge-was-man-wissen-sollte (accessed on the 20 January 2023).
4 See, for example, MODEL 3 BENUTZERHANDBUCH, Dashcam, https://www.tesla.com/ownersmanual/model3/de_de/Owners_Manual.pdf (accessed on the 23 January 2023) p.173; Tesla Customer Privacy Notice https://www.tesla.com/en_eu/legal/privacy#how-we-may-use-your-information (accessed on the 23 January 2023).
5 MODEL 3 BENUTZERHANDBUCH, Dashcam, p.173.
6 https://www.tesla.com/de_DE/autopilot (accessed on the 23 January 2023).
7 MODEL 3 BENUTZERHANDBUCH, Wächter-Modus, p.175.
8 MODEL 3 BENUTZERHANDBUCH, Wächter-Modus, p.176.
9 MODEL 3 BENUTZERHANDBUCH, Wächter-Modus, p.176.
10 Florian Christof ‘Warum der Tesla-Überwachungsmodus in Österreich nicht legal ist’, 18 June 2019, futurezone https://futurezone.at/produkte/warum-der-tesla-ueberwachungsmodus-in-oesterreich-nicht-legal-ist/400522801 (accessed on the 23 January 2023).
11 https://www.tesla.com/de_DE/autopilot (accessed on the 23 January 2023).
12 Franziska Albrecht ‘Hacker baut Tesla Model 3 um: Das sind die krassesten Features’, 21 August 2019, EFAHRER.com, Hacker baut Tesla Model 3 um: Das sind die krassesten Features – EFAHRER.com (chip.de) (accessed on the 23 January 2023).
13 Tesla Customer Privacy Notice https://www.tesla.com/en_eu/legal/privacy (accessed on the 23 January 2023).
14 Datenverarbeitung und Datenschutz bei Tesla-Fahrzeugen, Kfz-Automation und informationelle Selbstbestimmung, NETZWERK DATENSCHUTZEXPERTISE, 19 October 2020, gut_2020tesla.pdf (netzwerk-datenschutzexpertise.de) (accessed on the 23 January 2023).
15 See, for example, ‚Tesla-Autokameras: Verstoßen sie gegen den Datenschutz?‘, 17 September 2020, t-online. https://www.t-online.de/auto/elektromobilitaet/id_88589260/tesla-autokameras-verstossen-sie-eigentlich-gegen-den-datenschutz-.html (accessed 20 January 2023).
16 Tesla Customer Privacy Notice https://www.tesla.com/en_eu/legal/privacy#how-we-may-use-your-information (accessed on the 23 January 2023).
17 Tesla-Autokameras: Verstoßen sie gegen den Datenschutz?; Der gläserne Autofahrer – Verstößt Tesla systematisch gegen Datenschutzregeln?, Kontraste | Politikmagazin 17.09.2020, https://www.youtube.com/watch?v=EThqgUABA_Y&ab_channel=rbb (accessed 20 January 2023).
18 MODEL 3 BENUTZERHANDBUCH, Dashcam, p.173
19 Tesla Customer Privacy Notice https://www.tesla.com/en_eu/legal/privacy#how-we-may-use-your-information (accessed on the 23 January 2023).
20 MODEL 3 BENUTZERHANDBUCH, Wächter Modus, p.176.
21 MODEL 3 BENUTZERHANDBUCH, Wächter Modus, p.176.
22 For interesting video examples, see Daniel Schurter ‚Warum Teslas «Wächtermodus» auch jeden Fussgänger betrifft‘.
23 MODEL 3 BENUTZERHANDBUCH, Wächter Modus, p.177.
24 See, for example, Tesla Customer Privacy Notice https://www.tesla.com/legal/privacy (accessed on the 25 January 2023); Tesla-Autokameras: Verstoßen sie gegen den Datenschutz?; Der gläserne Autofahrer – Verstößt Tesla systematisch gegen Datenschutzregeln?, Kontraste | Politikmagazin 17.09.2020, https://www.youtube.com/watch?v=EThqgUABA_Y&ab_channel=rbb (accessed 20 January 2023).
25 MODEL 3 BENUTZERHANDBUCH, Wächter-Modus, p.175.
26 MODEL 3 BENUTZERHANDBUCH, Wächter-Modus, p.175.
27 For instance, the Sentry Mode is already banned in Israel and certain regions in China. See Eliron Ekstein ‘What Tesla’s Sentry Mode Can Teach Us About The Privacy Versus Security Debate’,
Forbes, 26 May 2022 https://www.forbes.com/sites/forbestechcouncil/2022/05/26/what-teslas-sentry-mode-can-teach-us-about-the-privacy-versus-security-debate/?sh=79532f40504c (accessed on the 23 January 2023).
28 CJEU C-25/17 Tietosuojavaltuutettu 10 July 2018 ECLI:EU:C:2018:551 .
29 CJEU C-40/17 Fashion ID GmbH & Co. KG 29 July 2019 ECLI:EU:C:2019:629.
30 CJEU C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH 5 June 2018 ECLI:EU:C:2018:388.
31 See CJEU C-25/17 Tietosuojavaltuutettu 10 July 2018 ECLI:EU:C:2018:551, para. 73; CJEU C-40/17 Fashion ID GmbH & Co. KG 29 July 2019 ECLI:EU:C:2019:629, para. 78-79; CJEU C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH 5 June 2018 ECLI:EU:C:2018:388, para. 39.
32 See, Peter Hense ‘They might be seen as green, but Teslas are like elephants – they never forget’, 2 November 2020, JDSUPRA, They might be seen as green, but Teslas are like elephants – they never forget | Spirit Legal – JDSupra (accessed on the 23 January 2023); Franziska Albrecht ‘Hacker baut Tesla Model 3 um: Das sind die krassesten Features’, 21 August 2019, EFAHRER.com, Hacker baut Tesla Model 3 um: Das sind die krassesten Features – EFAHRER.com (chip.de) (accessed on the 23 January 2023).
33 For instance, this may violate §434 of the Bürgerliches Gesetzbuch (BGBI) protecting buyers in cases the agreed upon product features are not actually available to the buyer (or not available legally).
34 The German data protection authorities have already warned particular owners of the illegitimacy of Sentry Mode and there have been several other authorities publicly declaring the system as illegitimate. It is only a matter of time when the spill-over effect also catches the attention of the authorities. See, for example, ‘Bericht: Tesla-Besitzer wegen Wächter-Modus von Berliner Datenschutz-Behörde verwarnt‘, 7 March 2021, TESLAMAG https://teslamag.de/news/bericht-tesla-besitzer-waechter-modus-berliner-datenschutz-behoerde-verwarnt-34714 (accessed on the 23 January 2023); Florian Christof ‘Warum der Tesla-Überwachungsmodus in Österreich nicht legal ist’.
35 See, for example, Bayerisches Landesamt für Datenschutzaufsicht ‚10. Tätigkeitsbericht des Bayerischen Landesamts für Datenschutzaufsicht für das Jahr 2020‘, 2021, https://www.lda.bayern.de/media/baylda_report_10.pdf (accessed on the 25 January 2023) p.75. In the report it says that any owner activating the Dashcam or Sentry Mode is a controller within the meaning of the GDPR, this can then ad analogiam be widened to encompass any person activating the features, regardless of whether they are the owner or just a user.
36 See, for example, CJEU C 212/13 František Ryneš v Úřad pro ochranu osobních údajů 11 December 2014 ECLI:EU:C:2014:2428, AP Barcelona – Auto 72/2021, GDPRhub, AP Barcelona – Auto 72/2021 – GDPRhub (accessed on the 23 January 2023).
37 Eliron Ekstein ‘What Tesla’s Sentry Mode Can Teach Us About The Privacy Versus Security Debate’,
Forbes, 26 May 2022 https://www.forbes.com/sites/forbestechcouncil/2022/05/26/what-teslas-sentry-mode-can-teach-us-about-the-privacy-versus-security-debate/?sh=79532f40504c (accessed on the 23 January 2023).
38 Eliron Ekstein ‘What Tesla’s Sentry Mode Can Teach Us About The Privacy Versus Security Debate’.
39 See also, Florian Christof ‘Warum der Tesla-Überwachungsmodus in Österreich nicht legal ist’.