EU Car Camera Law: What It Means for Your Privacy (2026)
Since July 7, 2026, every new car sold in the EU must include an infrared camera aimed at the driver's face. The Advanced Driver Distraction Warning (ADDW) system tracks your gaze, head position, and eye movement whenever you're above 20 km/h. The EU says data stays in the car. But there's no independent audit to verify that claim, Volvo already admitted to processing driver data on cloud servers, and the US is adopting similar requirements by September 2027. Here's what the mandate actually requires, where the privacy gaps are, and what you can do about it.

What Changed on July 7
The EU's General Safety Regulation entered its final phase on July 7, 2026. Every newly registered car, van, truck, and bus in the European Union must now ship with an Advanced Driver Distraction Warning system - ADDW for short. The system uses an infrared camera pointed at the driver's face to detect when attention drifts from the road.
This isn't optional equipment. It's a type-approval requirement, meaning manufacturers cannot sell a vehicle in the EU without it. The camera activates automatically above 20 km/h (about 12 mph) and cannot be permanently disabled by the driver.
The stated goal is straightforward: distracted driving kills roughly 3,500 people per year in the EU. If a camera catches you looking at your phone for 3.5 seconds at highway speeds, the car triggers a visual and audible warning. At lower speeds, the threshold is 6 seconds. The safety case is real. So are the privacy questions nobody has answered.
How the Camera Actually Works
The ADDW system uses near-infrared imaging to track three things: where your eyes are looking, the position of your head, and how frequently you blink. It builds a real-time model of your attention state. If that model determines you're not watching the road, you get a warning.
The EU's technical requirements state that ADDW "must function without the use of biometric information, including facial recognition, of any vehicle occupants." The system tracks head and eye geometry to gauge attention, not identity. In theory, it doesn't know who is driving - just how they're driving.
On paper, the data stays in a "closed loop" - processed locally inside the car, never uploaded to any external server. The regulation says only the data necessary to operate the system should be recorded, and nothing should leave the vehicle.
That's the design. Here's what actually happens.
Where the Data Actually Goes
The EU regulation demanding this camera says remarkably little about who verifies what happens to the data it collects. There is no independent audit mechanism. No third-party certification body checks whether a manufacturer's ADDW system actually operates in a closed loop. The regulation sets the requirement, then trusts automakers to implement it honestly.
That trust has already been broken. Volvo openly admitted that its driver-monitoring architecture processes real-time data on secure external cloud servers, directly contradicting the closed-loop guidelines. The company frames this as necessary for system improvement and safety updates, but the result is the same: facial tracking data leaves the car.
And Volvo isn't an outlier. The broader auto industry has a documented history of mishandling driver data. GM, Hyundai, and Kia have all been caught tracking driving habits and selling that telemetry to data brokers, who then passed it to insurance companies to adjust premiums. GM settled a record $12.75 million FTC fine over this practice. The companies involved didn't dispute the data collection - they disputed getting caught.
The pattern is familiar to anyone who follows how tech companies handle personal data: promise local processing, build the infrastructure for cloud processing, then quietly start using it.

The US Is Next
If you're reading this from the US thinking it doesn't apply to you, it will. Section 24220 of the 2021 Infrastructure Investment and Jobs Act requires NHTSA to finalize regulations for "advanced impaired driving prevention technology" in all new vehicles. The enforcement deadline is September 2027 - 14 months away.
The US law is even less specific than the EU's. It doesn't mandate a particular technology, but camera-based driver monitoring is widely expected to be the primary implementation. What the US statute does not address: data retention, data sharing, consent requirements, or any obligation for automakers to disclose how biometric driving data is stored, shared, or deleted.
No federal law currently requires automakers to tell you what they do with the data from your car's interior camera. The EU at least has GDPR as a backstop - imperfect, but it gives drivers a legal basis to demand answers. In the US, you're relying on automakers' privacy policies, which can change without notice.
What This Means for Your Privacy
The car camera mandate is part of a broader pattern: surveillance infrastructure gets installed for a legitimate safety purpose, then expands to other uses because the data is already being collected.
License plate readers followed the same trajectory. Flock Safety installed cameras for law enforcement, and the network grew to 80,000-100,000 cameras performing 20 billion scans monthly. The LAPD just let its Flock contract expire on July 12, citing "serious concerns around civil liberties and privacy." That backlash took years to build. The car cameras are starting the same cycle, but inside vehicles people already own.
The question isn't whether the cameras are useful for safety - they are. The question is whether the data they generate will stay within its original purpose. History says it won't.
What you can do
- Read your car's privacy policy before buying. Look for specifics about data retention, cloud processing, and third-party sharing. If the policy is vague, that's intentional.
- Disable connected services you don't use. Many cars have cellular modems that transmit data by default. Check your infotainment settings for data sharing toggles.
- In the EU, exercise your GDPR rights. Request a data access report from your car manufacturer. Find out what's being collected and where it's going.
- Watch for US state-level protections. Some states are introducing biometric data laws. Check whether yours covers vehicle-collected data.
The same principle applies here as with digital photo privacy: the default settings are designed for the company's benefit, not yours. You have to actively check what's being collected and decide whether you're comfortable with it.

Protecting Your Photo Privacy Beyond the Car
The car camera mandate is a reminder that cameras are everywhere, and the gap between"local processing" and "cloud processing" is thinner than companies claim. The same dynamic plays out with apps requesting access to your photo library - the data is collected for one stated purpose and quietly used for others.
Viallo is a private photo sharing platform built on a different principle: photos are stored at full resolution in EU data centers with no AI scanning, no facial recognition, and no data brokering. Recipients view shared albums through a link without creating an account. In a world where even your car is watching you, the photos you choose to share should be entirely under your control.
Frequently Asked Questions
What is the best way to protect your privacy from in-car cameras?
Read your vehicle's privacy policy before purchasing, disable unnecessary connected services, and in the EU, submit a GDPR data access request to your car manufacturer. Viallo applies a similar philosophy to photo sharing - no tracking, no AI processing, and full user control over shared content. For broader digital privacy, review your photo privacy checklist across all your devices and services.
How do I know if my car is sending data to the manufacturer?
Check your infotainment system's settings for "connected services," "data sharing," or "telematics" options. Most modern cars with cellular connectivity transmit data by default. In the EU, you can request a full data disclosure from the manufacturer under GDPR Article 15. Google and Apple both offer vehicle privacy guides, but the car manufacturer's own policy is what governs the in-cabin camera data.
Is the EU car camera the same as facial recognition?
No. The EU regulation explicitly states that ADDW must function without biometric identification - it tracks head geometry and eye direction, not identity. However, the same camera hardware could theoretically support facial recognition with a software update. The regulation prohibits this use, but there is no independent audit to enforce compliance. iCloud and Google Photos both use similar facial analysis in cloud photo storage, though those systems are opt-in.
When will US cars require driver-facing cameras?
The Infrastructure Investment and Jobs Act requires NHTSA to finalize "advanced impaired driving prevention technology" regulations with enforcement beginning no later than September 2027. Camera-based monitoring is the expected implementation, though the law does not specify the exact technology. Unlike the EU, the US has no federal law requiring automakers to disclose how biometric driving data is stored or shared.
Can I disable the driver-monitoring camera in my new EU car?
You cannot permanently disable the ADDW system in any car sold after July 7, 2026. The camera activates automatically above 20 km/h as a type-approval requirement. Some manufacturers allow temporary deactivation per drive session, but this varies by brand. If data privacy is your primary concern, focus on disabling connected services and cloud data sharing rather than the camera itself - the camera is mandatory, but how the data is transmitted is not.