Tesla makes car security cameras settings more “privacy-friendly” after Dutch watchdog probe

The DPA investigated Tesla's camera-based “Sentry Mode” security system, which is designed to protect the vehicle against theft or vandalism while it is parked. It does this by taking footage with four cameras on the outside of the vehicle. Originally, when Sentry Mode was enabled, this system was on by default. The cameras continuously filmed everything around a parked Tesla and stored one hour of footage each time.

Following the investigation, Tesla made a number of changes to the system, including setting the cameras to off by default.

‘Many Teslas that were parked on the street often filmed everyone who came near the car, and also stored that footage for a very long time. If every vehicle does that, you get a situation where you can no longer walk freely on the street without being spied on,' said DPA board member Katja Mur.

The DPA’s investigation did not result in a fine or other sanction for Tesla. In fact, during the investigation, it found that not Tesla but the owner of the vehicle must be regarded as the data controller, and therefore legally responsible for the processing of the footage the vehicle captures.

“While in this case it was determined that it remains the legal responsibility of the owner of a vehicle to configure the camera settings correctly and respect other people's privacy, this case does show that the DPA, through dialogue, will encourage companies to enable their end users to comply with the law by implementing privacy-by-design measures,” said privacy and cyber expert Sari van Grondelle of Pinsent Masons.

Sentry Mode cameras are now turned off by default, and triggered only when the car is touched instead of when suspicious movement is detected by the cameras. Tesla has also significantly shortened the length of the stored footage, from one hour to up to 10 minutes. The footage is now stored in the car and not shared with Tesla.

Other newly added privacy features include flashing headlights that act as a warning to passers by that filming has begun, and sending a text message to the owner requiring approval to begin filming when the system is triggered.

“This is a notable case because the provisions of the GDPR dealing with privacy-by-design and privacy-by-default contain obligations for the 'data controller', and not the producer as such. Although the GDPR says in the recitals that producers should be ‘encouraged’ to take these principles into account, formally this is not legally binding. So Tesla was encouraged to take these measures whilst it was not legally responsible to do so,” Van Grondelle said.

Katja Mur of the DPA also praised the adjustments made by Tesla. She said: “Thanks to the adjustments Tesla has made, anyone who happens to walk past such a car is protected. Tesla is also thereby reducing the chances of Tesla drivers violating the law by illegally filming people.”