They might be seen as green, but Teslas are like elephants – they never forget

Summary of expert opinion on data processing and data protection in Tesla vehicles of 19 October 2020

“Teslas continuously gush data and have a long memory” (translation of Weichert, Gutachten über Datenverarbeitung und Datenschutz bei Tesla-Fahrzeugen, p. 34, accessible at: https://www.netzwerk-datenschutzexpertise.de/sites/default/files/gut_2020tesla.pdf): This is the conclusion of the expert opinion published on Monday (19 October 2020) by the privacy experts at Netzwerk Datenschutzexpertise. The network’s 40-page document takes aim at data processing and privacy practices in Tesla vehicles, listing Tesla’s legal infringements.

It concludes that “in many respects, Tesla’s processing of data, such as in its Model 3, infringes European privacy and consumer protection rules.” (p. 31; this and all subsequent quotations are translations of the German). From a violation of Art. 5(1)(b) GDPR due to a failure to specify precisely the purposes of data processing, to Tesla’s disregard for its information obligations under Art. 13 and 14 GDPR, the report lists numerous violations of the General Data Protection Regulation that came into force in May 2018. Consequently, it seems questionable whether Tesla’s vehicles should be allowed on European roads at all.

Thilo Weichert, the former Data Protection Commissioner for the German state of Schleswig-Holstein, writes that the study aims to “present the available knowledge about data processing and provide an assessment”. The report highlights the duty of policymakers to fulfil their “state duty to serve the public interest”, but also the need for car manufacturers to take responsibility in preventing “a similar orgy of surveillance” in car data processing to that already seen in the area of internet data processing. It also calls on consumers to recognise their responsibility – for it is up to them, by making “informed consumer choices”, to ensure that “surveillance machines” don’t find their way onto our roads (p. 34).

Tesla’s sometimes illegal actions become particularly evident in the example of video and ultrasonic surveillance, which the report says are a “a central function of Tesla cars” (p. 6). It points out that no less than eight cameras allow 360-degree all-round monitoring of the vehicle’s environment at a distance of up to 250 metres. There are three cameras at the front, two on each side, and one at the rear. These cameras are complemented by twelve updated ultrasonic sensors and a radar sensor located at the front. Besides the purpose of semi-autonomous driving, the sensors also serve as dashcams which can provide information in the aftermath of an accident (Schurter, https://www.watson.ch/digital/tesla/337037325-videoueberwachung-durch-tesla-fahrzeuge-was-man-wissen-sollte).

But accidents are not a prerequisite: the report points out that Tesla vehicles can always store the last ten minutes of footage at the touch of a button. In addition, via the USB interface it is allegedly possible to constantly read and evaluate the unedited data from four cameras, with people and vehicle number plates clearly identifiable (Humbs/Weller, https://www.tagesschau.de/investigativ/kontraste/tesla-datenschutz-101.html).

If the Tesla vehicle is set to Sentry Mode, which was introduced in 2019, the cameras are also capable of continuously monitoring their environment. The network’s report explains that the system immediately starts recording as soon as one of the cameras detects an unusual movement – a red dot appears on the screen, and recording begins. A person or another vehicle merely needs to pass close enough to the car for this to happen. The report points out that the last six seconds of the videos are also sent to Tesla by default.

Taking into account the possibilities offered by the technology, studies by security researchers showed that it was easy to connect a ‘Surveillance Detection Scout’ to Tesla’s USB interface and thus intercept all of the cameras. Vehicle number plates could be recorded in this way, and even facial recognition was possible (p. 6 f.) There is no question for the author that this is not compatible with European data protection rules. In particular, with its Sentry Mode Tesla ignores “its own data protection responsibility” (p. 32).

The expert opinion also shows that all of Tesla’s claims are characterised by ambiguity: “Whether and to what extent Tesla collects personal data is not clear from the terms and conditions” (p. 10); “It remains unclear when Tesla ‘anonymises’ which data, and by what means” (p. 12); “The description of the processed data is (...) just as vague as Tesla’s description of the processing purposes” (p. 12); “Tesla does not provide binding information on data erasure” (p. 14). However, in order for vehicle assistance systems like the one used by Tesla to fulfil their positive purposes, it is considered essential “that the systems used can be trusted by everyone involved”. This, the report argues, is only possible with “the greatest possible transparency and a fair approach” (p. 33).

According to the study, data is also transferred to the US and possibly to other third countries which do not have an adequate level of data protection. Tesla thus disregards the recent ruling of the European Court of Justice against the Privacy Shield (ECJ, ruling of 16 July 2020 – C-311/18), since “mandatory protective measures” are “not provided for” (p. 28).

Overall, Tesla made “no mention” of the GDPR in its terms and conditions (p. 22). Moreover, the report found that the company’s terms and conditions violate the provisions of the German Civil Code (BGB) in both formal and substantive terms. Nor does Tesla appear to have carried out a data protection impact assessment in accordance with Art. 35 GDPR – despite the fact that, in the author’s opinion, Tesla’s “systematically extensive surveillance on public roads” would certainly necessitate such an assessment.

As a consequence of the study, Weichert appeals to data protection supervisory authorities to take care of the “Tesla case”, also highlighting the duty of Germany’s supervisory authority in this regard. Nevertheless, the network’s report also views the work of consumer protection organisations as highly effective in preventing further data protection violations (p. 32 f.).

References (in German)

Humbs, Chris/Weller, Marcus, Gläserner Autofahrer – Verstößt Tesla gegen Datenschutzregeln?, accessible at: https://www.tagesschau.de/investigativ/kontraste/tesla-datenschutz-101.html

Schurter, Daniel, Warum Teslas „Wächtermodus“ auch jeden Fußgänger betrifft, accessible at: https://www.watson.ch/digital/tesla/337037325-videoueberwachung-durch-tesla-fahrzeuge-was-man-wissen-sollte

Weichert, Datenverarbeitung und Datenschutz bei Tesla-Fahrzeugen, 19.10.2020, accessible at: https://www.watson.ch/digital/tesla/337037325-videoueberwachung-durch-tesla-fahrzeuge-was-man-wissen-sollte