[ifjimelse]

If they are making a Subject Access Request under the GDPR (which they should be), then yes, Tesla should be providing:

* what personal information the organisation holds about them;

* how they are using it;

* who they are sharing it with; and

* where they got their data from.

https://ico.org.uk/your-data-matters/your-right-to-get-copie...

[PeterisP]

It's not a person requesting data about themselves under GDPR, it's the dutch prosecutors and courts requesting data from Tesla for a criminal investigation. "they" is not the driver but the dutch authorities; GDPR simply is not relevant at all for this case (e.g. GDPR article 2.d explicitly states that GDPR does not apply to activities like these), general rules of criminal process and court orders apply.

[ifjimelse]

Yes, that’s true. I was more thinking about the general research they were doing into establishing what data various Tesla models record. i.e. purchase a vehicle, drive it around (perhaps crash it if the research grant can stretch to that), submit a SAR. Any discrepancy between what personal data Tesla provide and what they found when they decrypted it themselves feels like the main story here to me.

[cnorthwood]

would driving data/telemetry be categorised as personal data under GDPR? I assume cars could have multiple drivers so unless there's a clear way of deriving the person from the data itself it might be classed as anonymous and therefore not in scope

[ifjimelse]

Yes it likely would be, if it’s timestamped log data. Even if there are multiple drivers, the data recorded still relates “to an identified or identifiable individual”. Simply knowing who was driving the car when, which shouldn’t be difficult if it’s your car, makes the specific individual identifiable.

Not having individuals’ names / email addresses etc. in a dataset of multiple people, doesn’t mean that the data is anonymous. See for example https://www.nytimes.com/interactive/2019/12/19/opinion/locat...