Yesterday, July 7, 2026, a regulation took effect. Its content can be summarized in one sentence: From today, every new car sold in the EU must come from the factory with a built-in camera pointed at the driver’s face. No exceptions by brand, model, or price — Volkswagen, Mercedes, Toyota, Tesla — if it’s a new four-wheeled vehicle registered in the EU, it must have one.
The irony is baked into the premise. In 2018, the EU introduced GDPR — the General Data Protection Regulation — still the world’s toughest personal privacy law. Chinese companies have been fined under it. American tech giants have been forced to rewrite their user agreements under its pressure. The world said: Europeans are serious about privacy.
Eight years later, the same legislators are requiring every new car to carry a camera that analyzes your facial expressions in real time. The regulation says data “should not be uploaded” — but how exactly is that guaranteed? Nobody can say.
On Hacker News, this story pulled 352 points and 452 comments. Having read through the first two hundred, I can tell you: the density of outrage far exceeds the score alone.
Installation reference for a driver monitoring camera in commercial vehicles. Source: Logifie / assets.logifie.com
What the Regulation Actually Says: Three Letters and a Deadline
The regulation is called the EU General Safety Regulation (GSR), formally numbered (EU) 2019/2144. It’s not new — it was adopted in 2019 — but its provisions are rolling out in phases.
The camera-related portion involves two technical systems:
DDAW (Driver Drowsiness and Attention Warning): Detects whether you’re falling asleep. The camera tracks your blink rate, how long your eyes stay closed, and the angle of your head drooping. When the system decides you “might be about to fall asleep,” a warning pops up on the dashboard.
ADDW (Advanced Driver Distraction Warning): Detects whether you’re looking elsewhere. The camera tracks your gaze direction. If you look down at your phone for more than a few seconds, or turn your head to chat with the passenger for too long at highway speeds, the system triggers audio and visual alerts. The faster you’re going, the less time you’re allowed to take your eyes off the road.
Both systems share the same hardware foundation: an infrared camera mounted near the rearview mirror or behind the instrument panel. Infrared means it can see your face clearly even at night, with the cabin pitch black.
The rollout timeline works in two steps: from July 7, 2024, all newly designed vehicle types (those receiving new “type approval”) had to include it; from July 7, 2026 — yesterday — all newly registered vehicles, regardless of whether they’re older models, must include it. In other words, automakers can no longer stall with legacy models that already passed approval.
There’s a companion requirement too: Event Data Recorders (EDRs) — essentially automotive “black boxes.” Heavy trucks and buses have been required to carry them since January 2026, and the mandate expands to all new vehicles by 2029. EDRs record pre- and post-collision data: speed, braking status, steering wheel angle — functionally similar to an aircraft’s flight data recorder.
So this is really the beginning of an entire in-vehicle data collection ecosystem.
What the Camera Actually Captures
Many readers may wonder: is this camera actually “recording video”?
The answer depends on what you mean by “recording.” According to the regulation’s technical requirements, the camera captures gaze feature data — eye position, gaze direction, eyelid openness, and head posture. This data gets processed in real time as “feature vectors.” The camera doesn’t store a continuous color video stream.
But there’s a technical question worth pressing: determining “where you’re looking” requires a machine learning model that can precisely track ocular features. That model, during its training phase, needs real facial image data. And during actual operation, if the system faces a dispute — say you were clearly watching the road but it flagged you as distracted — and “evidence needs to be reviewed,” would the manufacturer need to preserve raw image frames?
The regulation’s language on this point: “Data should in principle not be uploaded or stored.” But the words “in principle” leave automakers a canyon-sized interpretive space.
The European in-cabin monitoring regulatory roadmap, covering GSR mandates and Euro NCAP scoring criteria. Source: Anyverse / anyverse.ai
Another easily overlooked point: the camera can “see” more than just your face. Its field of view typically covers the entire front row. The passenger beside you, your phone screen sitting on the passenger seat, reflections in the rearview mirror showing the back seat — all of these fall within the infrared camera’s field of view. Phone screens reflect clearly under infrared light, so the system can tell whether you’re looking down at a screen.
Where the Data Goes: A Question Nobody Can Answer
This is the most central controversy in the whole affair — and the most unsettling gap.
I’ve reviewed the EU’s delegated regulation on ADDW systems (Delegated Regulation C(2023) 4523) and multiple industry analyses. The language is remarkably consistent across sources: the regulation requires data to be processed locally in the vehicle and should not be uploaded to the cloud. But this is “should not” — not a technically enforced “cannot.”
Three key problems:
First, the OTA update backdoor. Virtually all modern cars support Over-The-Air updates — just as your phone silently updates its OS at night, cars can download new firmware over cellular networks. If the manufacturer can remotely modify your car’s software, then “data isn’t uploaded” holds true today — but will it still hold after an OTA update tomorrow?
Second, who’s auditing? The regulation doesn’t require independent third-party organizations to continuously audit the data flows of in-vehicle systems. When an automaker says “we don’t upload,” consumers have no choice but to trust them.
Third, the power of data combination. Viewed in isolation, the camera recording “you glanced at your phone for three seconds” seems trivial. But combine it with several other sensor data streams from the same vehicle — GPS location, speed curve, braking force, steering wheel angle — and you get a second-by-second personal behavioral profile. This is where HN users’ concerns concentrated: GPS data + facial recognition + driving speed, fused into a single package, is a perfect surveillance instrument.
As one HN user put it: “Chat Control 2.0 is not so bad because it’s ‘voluntary.’ A camera in your car is not so bad because ‘data won’t be uploaded.’ It’s all the same script.”
The HN Community’s Rage: From “Annoying Beeps” to “Big Brother”
The 452 comments on HN form three layers of reaction.
Layer one: direct driving experience complaints. User A_D_E_P_T wrote: “I find new rental cars extremely annoying these days. The worst is the cruise control that automatically slows to the speed limit — but it frequently misreads signs and drops you to 50 km/h for no reason. Adding a camera pointed at your face is just icing on the awful cake.” User peterlk shared a more specific experience: “I spent several minutes trying to figure out what my dashboard was beeping about — turns out it was warning me my ‘eyes were off the road too long.’ Of course, figuring that out required taking my eyes off the road to look at the warning light.”
An HN user named dmitrygr cited research from aviation safety: too many alerts lead to “normalization of deviance” — once you’ve been warned too many times, drivers start ignoring all warnings. This phenomenon has decades of research literature backing it in civil aviation, but nobody in the automotive industry seems to be taking it seriously.
Layer two: fundamental privacy questioning. User baggy_trough wrote: “A lot of these warnings themselves create danger, especially in an unfamiliar car. They’re incredibly annoying and frequently wrong. The end result is — to figure out how to silence the warning chime, you spend a lot of time with your eyes off the road.” User Invictus0 was more direct: “I’d rather die in a car crash than be nagged like this. Europe is the nanny state of nanny states, it’s hard to imagine anyone actually wanting to live like this.”
Layer three — the deepest — is concern about the EU’s overall trajectory. User TacticalCoder’s comment drew considerable upvotes: “It’s incredible that comments like yours criticizing this are getting downvoted. People can’t even criticize the surveillance state anymore — we’ve reached that point.” He continued: “Chat Control 2.0 is not so bad because it’s not mandatory. A camera in every car is not so bad because the footage won’t ‘necessarily’ be shared. It’s all sickening.”
User chaostheory’s comment, though brief, punctured a deeper contradiction: “This is just further evidence that GDPR was a protectionist law — protecting EU corporations, not EU citizens.”
The Bigger Picture: Three Dimensions Tightening Simultaneously
If you place the “in-car camera” within the EU’s legislative landscape of the past two years, it’s not an isolated event.
Dimension one: communications surveillance. On the same day (July 7), the European Parliament voted 331 to 304 on an urgent motion to resurrect the previously defeated Chat Control 1.0 bill. This law allows (though doesn’t require) tech companies to scan users’ private chat messages — WhatsApp, Signal, iMessage — for so-called “illegal content.” And the final vote on July 9 requires an absolute majority of all MEPs (361 votes) to block it — hard to muster with so many already gone for summer recess.
Dimension two: in-vehicle surveillance. That’s the in-car camera and EDR “black box” we’re discussing today. Together, these two mean: from 2026 onward, every EU resident’s movements while driving are legally recorded and monitored.
Dimension three: public space surveillance. The EU’s AI Act carves out exceptions for real-time biometric surveillance in public spaces — law enforcement agencies can deploy facial recognition cameras under certain conditions.
The combined effect of all three: a person stepping out their door (public cameras on the street), getting into their car (in-cabin camera), and sending a message on their phone (Chat Control scanning) — the entire journey falls within surveillance coverage. Each dimension advances independently, but their overlap is an objectively existing outcome under the current regulatory framework.
The European Parliament building in Strasbourg, France. On the same day (July 7), the Chat Control bill was revived here. Source: Shutterstock / Tero Vesalainen, via heise online
The Safety Argument Is Real
It’s only fair to present the other side: proponents of this regulation are armed with genuine safety data too.
According to European Commission road safety statistics, human error causes roughly 90% of road traffic accidents. Among them, drowsy driving and distracted driving are the two most significant preventable factors. The European Transport Safety Council (ETSC) estimates that driver monitoring systems could potentially prevent thousands of crashes and save hundreds of lives annually across the EU.
There are genuine technical advances as well. Modern infrared cameras paired with computer vision algorithms can determine whether a driver is fatigued at the 10-millisecond level — far faster than a human can recognize their own drowsiness. Systems from suppliers like Seeing Machines and Smart Eye have been operating in commercial vehicles for several years, accumulating real-world effectiveness data.
HN user gmueckl provided a well-reasoned supporting position: “How long it’s safe to take your eyes off the road is mostly determined by physics, not subjective judgment. More than 5 seconds is never okay. At highway speeds, 1 second can be too long. The issue isn’t that the road looks empty right now — it’s that the situation can change instantly. A child runs out from behind a parked car, an object falls onto the road, an animal bolts from the bushes… Forcing drivers to keep their attention is a good thing.”
This argument holds up. But the question is: must safety measures and privacy protection be an either/or proposition?
The Regulation’s “Trust Deficit”
Looking back at the controversy’s structure, a recurring pattern emerges: the regulation claims “we won’t misuse the data,” but provides no institutional safeguards ensuring it can’t.
If we break “trust” into three levels:
- Technical trust: does the system truly only do local processing with no data upload? Without independent auditing, the answer is always “the manufacturer says so.”
- Legal trust: today’s regulation says data isn’t uploaded — could tomorrow’s amendment change that rule? Laws can be amended. The cameras are already installed.
- Institutional trust: who ensures law enforcement agencies won’t access in-vehicle data under the banner of “national security” or “serious crime investigation”? The current regulatory text contains no explicit firewall.
User richwater’s comment captured this core concern: “I’m serious, I can’t believe how many commenters here are defending mandatory surveillance powers.” User aftbit added a historical perspective: “HN today is all nanny-state rhetoric. If you’ve done nothing wrong, you’ve got nothing to hide… right? As if a future government could never criminalize ‘existing as a certain ethnicity’ or ‘accessing healthcare as a certain gender.’”
This isn’t a technical discussion. It’s asking: once a surveillance infrastructure is laid down, who ensures it’s only used for the purpose it was originally claimed to serve?
What This Means for Us
If you live in the EU, from yesterday onward, any new car you buy will have an infrared camera pointed at your face. Looking down at navigation, turning your head to talk to your kid, glancing at the rearview mirror after straightening the wheel — all of these behaviors will be analyzed. The system may not upload data, but it has the capability to do so, and the only thing preventing it is a regulation that can be amended.
If you live outside the EU, this still concerns you. Cars are globalized products. If German automakers are already designing camera hardware and software into a model for the EU market, they’ll likely keep the same configuration in other markets for cost reasons — even if local laws don’t yet require it.
This reminds us of a more fundamental point: privacy is guarded by three things working together — technical architecture, institutional checks and balances, and public attention. Weaken any one of those pillars, and the other two can’t hold up the structure alone.
Reference links: