EV Privacy : More than just your salary sacrificed?
I'll preface this with saying I do not have a salary sacrifice car (my employer doesn't offer it yet), but many friends and family do. Also, this has a focus on Tesla as this is what I'm most familiar with, but I expect a lot of other EVs offer similar 'features' that are potentially problematic.
Who is the 'owner'?
The finance company, legally, without question own your car. No problem. They also hold the V5 (which is a completely different rant) but modern EVs have apps that offer a range of features, some of which are only available to the owner and some of which are available to any driver, and the owner.
Indeed "Ask The Police" previously stated
The registration document should show the registered keeper, i.e. the day to day user (this may be an employee who has it as a permanent perk with his/her job).
Until I queried this anomaly when writing this article, at which point they changed it, seemingly carving out an exception to the established rule to make leasing companies compliant, whereas their previous interpretation of the rules would not have been... but, again, that's another rant.
Owner in Tesla's eyes
The "Owner" of a Tesla can add and remove drivers, another driver cannot. Also, the owner can view charging history and performance data, drivers cannot (this is really odd, because it would be nice to know these stats!)
Therefore, you are basically a guest user of your 'own' car (that you pay for!), and the leasing company ultimately can control your use of it, and you need to go through them to add additional drivers.
Imho, and i'll outline why below, in the case of a salary sacrifice Tesla, the 'owner' (in Tesla's app etc) should always be the primary end user of the vehicle - NOT the leasing company.
What else can they do?
Most EVs, perhaps especially Tesla, are very advanced and basically 'IoT' (Internet of Things) devices that can be managed via apps, or via APIs. Tesla, helpfully, make their API public so you can see the full range of features available.
Remember, all of these are available to the leasing company as well
Well, beyond seeing where the car is at any time, and adding/removing drivers, they can also open and close the trunk / frunk, change the volume of the entertainment system, start/stop conditioning, start and stop charging, change charge limits, open and close the charging door, remove pin to drive, lock/unlock the car, flash the lights, honk the horn, change the track on the stereo, navigate to a new destination, turn on/of heated seats / steering wheel, play a sound through the external speakers, start your car, change the PIN, set dog/camp mode, change the temperature, turn the external cameras on/off, set a speed limiter (with a PIN the driver doesn’t know potentially!), open the sunroof, trigger your garage door opener, open windows, and access your calendar....
Not great that they can see where the car is or... wait a minute... external cameras?
Sentry Mode
Tesla's Sentry Mode is pretty awesome, and also pretty scary. It's effectively a 360º camera system that records your vehicle when parked. I've talked before about the problem of this with rental cars, and the amount of data captured, but for your own car it's a useful feature.
You can even remotely view those cameras live at any time (as long as it's parked) using the Tesla app...
...but so can the leasing company*
Together with realtime location information (helpfully fed to them by Tesla via the Fleet API) this opens up access to swathes of personal data about you, your children, your friends etc, basically anyone around you. None of whom have consented to a third party processing their data.
Now, Tesla themselves have thought about the security of this, and the camera feed is end-to-end encrypted, so Tesla cannot see the video. In this respect, if the leasing company is the "owner" of the car, they have more access than Tesla themselves.
You can turn this off from within the car, but it can be turned on again via the API remotely without the driver being aware.
* It should be noted I do not for a minute believe that leasing companies are actively using this functionality in this manner or at all, however it remains a concern that the ability to do this exists.
Special Category Data
Some data is held to a higher standard in GDPR, this is "Special Category Data" and includes information that reveals or concerns racial or ethnic origin, political opinions, religous belief, trade union membership, health, sexual orientation etc. This also includes inferred data.
Could you infer religious belief by a car being driven regularly to a mosque or church? What about sexual orientation or health being derived from attendance at a clinic or hospital?
This is all potentially data being processed by a third party without your knowledge or consent both in the form of metadata, and potentially video!
So, what's the problem?
As I said, I don't think leasing companies are likely to be abusing this (although some friends' DSARs in the coming months could be interesting) but that the access even exists creates a few problems in my mind;
Firstly, we accept that Tesla and other auto manufacturers have access to this data (but not the end to end encrypted video), but they have rigorous policies and better resources to ensure their systems are secure than a typical leasing company.
Secondly, imho, I'm concerned this paints a huge target on leasing companies who no doubt have a single API key with Tesla with which an attacker could compromise a large number of vehicles.
This is especially the case when it's common knowledge (thanks to press releases and interviews) who large corporations use for their salary sacrifice schemes.
They become the weakest link in a security chain, and as the end user you don't really get a say in the matter.
Leasing companies haven't even thought about it?
I've read the contract and driver documentation guides from two seperate leasing companies, and neither of them even mention data gathered from a vehicle or its users, how it is used, or how access to it is protected.
So, either they've simply not thought about this additional vehicle data, or they're processing it without telling their customers - either way is completely unacceptable.7
Are Salary Sacrifice cars "Fleet Vehicles"?
It is my view (and common sense) that a salary sacrifice car should differ from a "fleet vehicle" and it's questionable whether or not this sort of access is appropriate for the former.
A "fleet vehicle" is typically paid for by a company, primarily used for work, and an employee has use of it and is likely to expect their employer has some access or telemetry.
Salary sacrifice vehicles however are paid for by the employee and promoted as an cost-effective way of operating an EV primarily for personal purposes (often by multiple family members) and therefore should be considered personal vehicles.
Principles of Data Protection
We need to consider whether, at the moment, this data is;
- Processed lawfully, fairly, and transparently
- Collected for specified purposes only
- Minimised as much as possible (limited to what is necessary)
- Kept in a form which permits identification for no longer than necessary
- Protected against unlawful loss or access
And, finally, that the controller is able to demonstrate compliance with the above ('accountability')
I would suggest at the very least that if this data is processed at all it is not fair (it is unreasonable to 'spy on' the keepers of salary sacrifice vehicles), nor transparent (no mention of this data at all in the documentation). Further, to comply with the principle of data minimisation, the simplest solution is not to have access to it in the first place.
Simple Solution
The "vehicle owner" from the point of view of any electronic app-based access to a salary sacrifice car or its configuration should be the customer, not the leasing company.
This doesn't mean they're the legal owner, there's already well-established processes for this, but they should have full (and sole) control of the functionality of the vehicle if they're paying to lease it.
This is something Tesla could easily accommodate whilst still giving some limited access to the leasing company (e.g. the ability reset the vehicle at the end of the lease)
Maybe, some day, the ICO will take notice and issue formal guidance regarding this and leasing companies' hands will be forced, or maybe the ICO will side with them and decide having all this data is proportionate, who knows.
But, until then, if you have a salary sacrifice Tesla (or other EV I expect!) know that you're not the only one who can control, or in some cases literally watch your car.