Tesla Avoids Data Privacy Sanctions for Its Sentry Mode From the Dutch DPA

6. March 2023

Tesla has recently been in the spotlight of the Dutch Data Protection Authority (DPA) for its vehicles’ onboard security camera hardware. In the Netherlands, built-in car cameras and other video recording devices, such as home security monitoring cameras, are prohibited from filming public roads due to data privacy concerns of capturing a passersby on the video who are unaware and do not consent to being taped. Everyone has the right to privacy, and EU law sets out clearly how individuals, companies, and government agencies must go about their business if they collect personal data of individuals. Simply put, you cannot gather videos of individuals without their consent, except in certain circumstances set forth in the law. However, some companies and even government agencies have run afoul of the data privacy laws in the Netherlands. For example, Tesla avoided data privacy sanctions from the Dutch DPA.

An example of this was early in February 2023 when the DPA fined the Rotterdam police department EUR 50,000 for using two cars, during the height of the pandemic, equipped with cameras that monitored whether individuals were 1,5 meters apart from one another. The police failed to perform a data protection impact assessment even though there was a high likelihood that personal data of large groups of individuals would be gathered without their consent. The failure to conduct this assessment is a violation of the Police Data Act and led to the fine. Further information on this incident can be found here.

The DPA’s recent investigation into the car manufacturer, Tesla, resulted in changes to the automobile’s “Sentry Mode”, thereby strengthening the privacy of individuals in the Netherlands. The Sentry Mode is meant primarily to be an anti-theft and vandalism feature by using four external cameras on the vehicle to record the surrounding images. When enabled, the images were saved for one hour, which may lead to serious privacy concerns. With more Teslas on the roads, you could potentially be constantly watched by Tesla vehicles. If it was parked in front of someone’s house, the cameras might be able to see inside the windows. Both of these were major privacy concerns.

Tesla made some corrections to the way their vehicles collected images in Sentry Mode. Here are the key changes and privacy enhancements put in place by Tesla:

  • Sentry Mode is now disabled by default and must be activated by the user if they wish to use it,
  • When Sentry Mode is turned on, it can only capture a maximum of 10 minutes of video,
  • The default setting is that it only collects the last minute of video, but this can be changed by the owner to store the full 10 minutes,
  • Sentry Mode now is only activated when the vehicle is touched (as opposed to previously where it activated when it detected activity or movement near the vehicle); and,
  • The car only begins filming after “being told to record” after a notification is sent to the vehicle owner, where they are prompted whether or not to record.

It is also critical to point out that the video was always only stored in the vehicle and cannot (and could not) be shared with Tesla. In my opinion, this fact, as well as the immediate and comprehensive changes that Tesla took to reduce the privacy impact through Sentry Mode, are the likely reasons why the Tesla avoided avoids data privacy sanctions from the Dutch DPA. However, the DPA officially states that Tesla was not fined because the legal ownership and responsibility of the video rest with the car owner and not Tesla itself since Tesla never receives any personal data. More information on the investigation and ruling can be found here.

Caspar Miller
Head of Regulatory