Your Tesla goes places – so does your data

Electric car manufacturer, Tesla Inc, is facing a class action lawsuit due to allegations of employees sharing sensitive footage internally from cameras mounted to the company’s vehicles.[1]

The videos were purportedly shared for “the tasteless and tortious entertainment” of Tesla employees rather than for the purpose of communicating, providing services, and improving the driving systems of Tesla vehicles.[2]

One video reportedly shared amongst employees in San Mateo, California, via internal one-on-one chats, showed a Tesla driving at high speed in a residential area before hitting a child riding a bike.  A former employee explained the video spread “like wildfire”.[3]

Whilst the reports are indeed concerning, they shed light on a growing reality: as the automotive industry develops, so will the privacy concerns.

In this article, we’ll take a closer look at the incident and what has been described as a “willful disregard” of privacy.[4]

Data protection concerns

Tesla equips its electric vehicles with some nifty features, such as Autopilot and AutoPark. These features are enabled by an impressive array of cameras built into its vehicles.

Recordings caught by the cameras are only transmitted to the car manufacturer where consent is provided by car owners to “improve its products, features, and diagnose problems more quickly”.[5]

Whilst Tesla collects recordings from a fleet of several million vehicles to develop and enhance self-driving car technology, it assures its customers that their privacy “is and will always be enormously important to us” and that the cameras built into vehicles are “designed from the ground up to protect your privacy”. [6]

Nevertheless, having interviewed multiple former employees, Reuters reported that between 2019 and 2022, Tesla employees had on several occasions shared highly invasive recordings caught by cameras built into its vehicles to assist driving. [7]

Some of the recordings showed Tesla consumers in awkward circumstances. One ex-employee described a video of a naked man approaching a vehicle. Other recordings were less concerning, such as photos of dogs and comical road signs that staff turned into memes.

Whilst speaking to Reuters, two former employees claimed that they were not troubled by the sharing of recordings as customers had either provided their consent or had long accepted that their privacy will not be upheld.

Fortunately, however, low expectations are not yet a legal justification under the European data protection framework to process personal data. As for consent, European data protection legislation dictates that it must be “freely given, specific, informed, and unambiguous, as well as that it must be made by way of a statement or clear affirmative action”. In this instance, given that the vehicle recordings were shared internally for reasons that had nothing to do with the provision of a safe car or the functionality of Tesla’s self-driving system, as customers were made to believe, consent is likely to be seen as invalid.

It is also worth noting that in its Customer Privacy Policy, Tesla states that “short video clips or images” shared with the car company ultimately “remain anonymous”. This would mean that the recordings which Tesla employees have access to do not constitute personal data.

It is questionable whether this claim is true. After all, revelations from former employees suggest that the company employs a computer application which could display the location of recordings from its cars, potentially revealing the residence of a Tesla owner and thus their identity. This is also particularly concerning as Tesla’s website explicitly claims that the company does not “keep a history of where you’ve been.”[8]

Further, in many cases Tesla employees could reportedly “see inside people’s garages and their private properties”, making it fairly easy to imagine a scenario in which a distinctive object could be seen that could increase the risk of identifying customers, as well as any passer-by. [9]

As such, two main issues appear. First, the car manufacturer is not transparent about the nature and use of data it collects. Second, due to the apparent lack of training and data protection awareness among its staff, the company is exposed to risks such as potential penalties and reputational repercussions.

Broader implications

This recent incident serves as a reminder that smart cars are increasingly reliant on data and are thus becoming a source of privacy concerns. Yes, smart cars bring drivers tremendous gains in both safety and convenience, but they are, in many respects, smartphones with wheels, in that they have a tremendous ability to gather data, including personal data.

Many smart cars can collect data on where you go, how long you stay there, and how frequently you visit. So, hypothetically, they know whether you’re a churchgoer or made a recent stop at a fertility clinic. Essentially, there is no limit to what can be inferred from the data which cars collect and how it can be used to discriminate or exploit car owners.

The former CEO of Ford, Mark Fields, perhaps said it best, “As our vehicles become part of the Internet of things and as consumers give permission to us to collect that data, we’ll also become an information company.”[10]

The true extent of privacy concerns in the automotive business remains to be known, as it is a relatively new issue.  However, the problem will likely worsen over the next ten years as automakers continue to develop self-driving technologies and smart cars with greater data gathering capabilities.

Nevertheless, there are certainly measures which can be implemented to mitigate risks associated with this growing reality.

For instance, to ensure privacy in smart cars, car manufacturers should implement privacy-by-design principles from the outset of the product development cycle. This involves conducting a data protection impact assessment to identify and mitigate privacy risks associated with the use of sensors, cameras and similar technology. They should also design systems that are secure by default, which includes using encryption and access controls to protect data from unauthorised access.

Another key consideration for car manufacturers is data minimisation. Smart cars should only collect and store the data that is necessary and should ensure that data is stored within the vehicle itself.

Transparency should become a core value for smart car companies and customers should be provided with clear and concise notices about data collection and use. Furthermore, customers should be given the ability to control their data and options to delete their data or limit its collection.

Perhaps a simpler but effective measure: employees at car companies should receive adequate data protection training. Those privy to more sensitive data, for instance camera recordings or location data, should receive specialised training.

Finally, as an innovative company, if Tesla prioritised privacy and implemented measures as outlined above, competitors could be expected to follow suit. Privacy professionals would hope that Tesla takes this opportunity to lead by example in the automotive industry. It is also extremely important that Tesla is held accountable where data protection breaches occur, as this will signal to other car makers that they are not by any means exempt from observing privacy legislation.






[6] ibid





