Passer au contenu principal
  • English
  • Čeština
  • Deutsch
  • Dansk
  • Español

L'ESC est une alliance d'organisations européennes qui s'efforce de réduire l'impact des communications modernes et de la consommation d'électricité sur la santé et l'environnement. Nous ne sommes pas contre la technologie, mais en faveur d'une technologie sûre et de connexions sécurisées.

Car manufacturers require access to your personal data

Car manufacturers often require access to your personal data before the car’s functions will work.

Écrit le . Publié dans Actualités d'Europe.

From a Danish Consumer magazine March 2026

The article describes how modern internet-connected cars increasingly collect large amounts of data about both the vehicle and the driver. The purpose of this technology is to make driving more comfortable and efficient through features such as navigation, calls, and smartphone integration. However, this digitalization also leads to extensive surveillance.

Cars not only record technical information about performance, but also personal data about the driver. This may include information about driving behavior, daily routines, place of residence, and even biometric data such as fingerprints when you unlock the car using a fingerprint scanner.

According to the Danish Data Protection Agency, this effectively turns the car into a “computer on wheels.” Most cars have a SIM card, meaning that almost everything that can be recorded is recorded. These data can potentially be misused.

A key issue is that many car manufacturers require users to accept extensive data collection in order to use the car’s functions at all. Although GDPR states that consent must be freely given, in practice it is questionable how voluntary it is when functions disappear if you decline. Experts point out that this may violate the rules, as it constitutes “conditional consent,” indirectly forcing users to accept the terms. As a result, most people end up approving the terms without much thought.

Consumer organizations argue that the responsibility does not lie with consumers, but with manufacturers, who create a system where it is difficult to avoid data sharing. At the same time, there is significant uncertainty about what actually happens to the collected data. It is often unclear how data are stored, used, and who has access to them.

This lack of transparency can have serious consequences. If data are not properly protected, hackers could, for example, determine when a person’s home is empty. In addition, data may be shared with third parties such as insurance companies, which could lead to higher premiums if your driving patterns are assessed negatively. Such examples have already been seen in the United States.

In addition, the car can register where you have been and your route, your driving behavior, and even your gender, language, nationality, and music preferences. It may also collect data about your communication: calls, messages, and internet activity, which can be used to map your social relationships. The infotainment system can collect data about radio, music, apps, and what you listen to.

According to FDM (United Danish Motorists that represents the interests of drivers and car owners), it is essentially only the car manufacturers themselves who have full insight into the data collection, and they often provide vague answers when asked. Experts also point to political factors, as the automotive industry has significant economic and political influence in Europe, making regulation difficult.

Therefore, the article points out, both consumer organizations and the Danish Data Protection Agency are calling for political action. One concrete proposal is to introduce a standardized “data declaration” for cars, clearly informing consumers about what data are collected, how they are used, and what consequences this has. The goal is to increase transparency and ensure that consumer rights are respected.

Biometrics and eye movements?

This is quite common in newer (especially more expensive) cars. This is called a Driver Monitoring System (DMS), and many of these systems use cameras to track your eyes. The technology is quite advanced: it can measure eye movements, facial expressions, and levels of attention in real time.

Advanced systems typically use:

  • An infrared camera (often located near the steering wheel or rearview mirror)
  • Software/AI that analyzes:
    • where you are looking
    • how long your eyes are closed
    • blinking patterns
    • head position

The system can determine whether you:

  • are looking away from the road
  • are falling asleep
  • are distracted

All of this happens inside the car—the images are usually not transmitted externally but analyzed locally.

Examples of cars with eye monitoring

This already exists in many models, for example:

  • BMW (several newer models)
  • Mercedes-Benz (e.g., S-Class)
  • Tesla (newer models with cabin cameras)
  • Volvo and Polestar
  • Toyota and Lexus (newer systems)

These systems are often combined with features such as:

  • adaptive cruise control
  • hands-free driving
  • lane assist

Why has it become so widespread?

The EU is requiring such systems in new cars from around 2026. They can reduce accidents because fatigue and distraction are major causes of crashes.

These systems:

  • know where you are looking
  • can in some cases recognize you
  • can be combined with other data in the car

If you have questions about privacy settings, contact the manufacturer—not the dealer.

When you buy an internet-connected car, you can ask the dealer about privacy settings, but the responsibility for informing consumers about data collection lies with the manufacturer, not the dealer. This is stated by Charlotte Brix Andersen, head of communications at AutoBranchen Danmark.

“It is the vehicle manufacturer’s responsibility, as they are considered the data controller for the connected vehicle. Therefore, it is the manufacturer who is obliged to inform the customer,” she says, adding that dealers typically do not have full insight into what data are collected. However, manufacturers are also required to provide this information to dealers so they can respond to consumers.

“The dealer may be able to help based on their own knowledge, but will usually refer to the manufacturer’s website or app, or to the information provided by the manufacturer,” she adds.

According to Peter Grønlund Holm from the Danish Consumer Council TÆNK (THINK), it should nevertheless be easy to refer to the privacy policy presented to consumers before data processing begins.

“These include the manufacturer’s contact details as well as options to request access and file complaints, which consumers should use if the data processing is unclear or appears unreasonable,” he says.

Data collection/surveillance required by the EU

In recent years, the EU has introduced a number of requirements that mean new cars automatically collect data or monitor driver behavior. This is part of a broader safety package from the European Union.

The key regulation is General Safety Regulation 2 (GSR2), Regulation (EU) 2019/2144, which applies to new car models from 2022 and all new cars from 2024.

Key systems (and what they “monitor”)

Intelligent Speed Assistance (ISA)

  • Uses GPS and a camera to read speed signs
  • Compares your speed with the limit
  • Warns or intervenes if you exceed it
    Data collection:
  • your speed
  • where you drive

Driver drowsiness and attention warning

  • Monitors your driving style or your eyes
    Data collection:
  • driving patterns
  • possibly facial/eye movements

Automatic Emergency Braking (AEB)

Camera and radar scan the road ahead

  • Detect vehicles, cyclists, and pedestrians
    Data collection:
  • surroundings
  • distances and movements
    (typically not personal data about you, but still constant monitoring of surroundings)

Lane Keeping Assist

Camera monitors lane markings

  • Detects if you drift out of your lane
    Data collection:
  • lane position
  • steering corrections

Event Data Recorder (EDR) — “black box”

One of the most controversial requirements is that new cars must include a system, a black box, that records data just before and during a crash:

  • speed
  • braking
  • steering input
  • seatbelt use
  • activation of safety systems

Data are stored only briefly and used mainly for accident analysis.

 eCall (automatic emergency call)

  • Automatically calls emergency services in serious accidents
  • Sends the car’s location
    Data collection:
  • GPS position
  • time
  • direction of travel

Where is the line drawn?

The EU’s official goal is road safety, not surveillance. However:

  • many systems require continuous data collection
  • the line between safety and surveillance can be blurred
  • manufacturers can combine these data with their own services

The critical point

The EU requires the functions—but not necessarily:

  • how data are stored in detail
  • how long manufacturers may keep them
  • whether they may be used commercially (primarily regulated by GDPR)

The legislation requires safety—but at the same time enables more data collection.

How to protect your data

  • Review the car’s privacy settings carefully and be critical about what you share
  • Consider whether you can do without certain features to protect your privacy
  • Request access to what data are collected and how they are used
  • Demand deletion of data when they are no longer necessary
  • File a complaint with the Data Protection Authority if you believe your rights have been violated

More about cars for EHs people: https://esc-info.eu/how-can-you-find-a-vehicle-that-is-suitable-for-ehs-people/

Sources:

Forbrugerrådet TÆNK (Danish consumer magazine) #262, 2026, https://taenk.dk

ChatGPT on system in new cars.

Translated and edited by

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur la façon dont les données de vos commentaires sont traitées.

The Europeans for Safe Connections (“we”) treats your personal data confidentially in compliance with the legal requirements of the Regulation (EU) 2016/679 (the GDPR). You do not provide us with any personal data in the ordinary browsing of the esc-info.eu ("website"). We only collect information that is insufficient to identify a person, but allows us to track simple statistics. View more
Cookies settings
Accept
Decline
Privacy & Cookie policy
Privacy & Cookies policy
Cookies list
Cookie name Active
The Europeans for Safe Connections (“we”) treats your personal data confidentially in compliance with the legal requirements of the Regulation (EU) 2016/679 (the General Data Protection Regulation).
Website
We are responsible for operating www.esc-info.eu (the “site”). During ordinary viewing, you can use these without providing us with personal information. We only collect information that is insufficient to identify a person but allows us to have an overview of simple statistics:
  • your browser programme’s name and its version,
  • your device’s operating system,
  • the (anonymised) IP-address of your device,
  • the exact time of your request,
  • the URL-address of the requested file or page,
  • the address of the website which pointed to our site (the Referrer URL),
  • the result of your request (the HTTP Status Code).
The site does not collect any information from social networks. If you click one of social media links you are redirected to those websites and there they collect themselves. If you will contact us via the contact form or subscribe to our newsletters, your name and email address will be recorded. In case of need to cancel the subscription to our newsletters, you can do so via the Unsubscribe link located in the footer of each newsletter, this will remove your name and email address from the system.
Save settings
Cookies settings