Data Protection · ADDW & GSR
Road Safety Just Created Biometric Data. Who Governs It?

From 7 July 2026, every new car registered in the European Union must carry ADDW: a system that, while you drive, monitors the direction of your gaze — in the typical implementation, through a small infrared camera. It is a road-safety measure. But beneath the safety lies a new and quiet fact: millions of European cabins have just started capturing and analysing the driver's face and gaze. A datum that looks like biometric data — though, as we'll see, the legal classification is subtler than that. And on how it should be governed, the rule says far less than it should.
Let's set a fixed point straight away: this is not an article against road safety. ADDW sits inside a regulatory package — the General Safety Regulation — designed to save over 25,000 lives by 2038, and the aim is unimpeachable. Our thesis is another, and it is the same one we repeat on every dossier: a good safety law has created, as a side effect, a new surface for processing personal data — data captured from the driver's face and gaze — and left the data-governance layer largely unspecified. Where the law is silent, carmakers' implementation decides. And on driver data, the automotive industry has a track record that does not invite blind trust.
What kicks in on 7 July 2026
ADDW stands for Advanced Driver Distraction Warning. It is governed by Commission Delegated Regulation (EU) 2023/2590, published in the Official Journal on 22 November 2023, which implements the General Safety Regulation — Regulation (EU) 2019/2144. The obligation arrives in two steps: from 7 July 2024 for new vehicle types under approval, and from 7 July 2026 for all new registrations in categories M and N (cars and commercial vehicles).
Technically, the rule sets a functional requirement — detect the direction of the gaze — and is technology-neutral; the typical implementation adopted by carmakers is an infrared camera near the steering column or dashboard. If the gaze stays in the area deemed "distracted" for more than 3.5 seconds above 50 km/h (or more than 6 seconds between 20 and 50 km/h), it triggers a warning — visual, acoustic or haptic. It activates automatically above roughly 20 km/h and cannot be permanently disabled. The obligation concerns new cars, not the existing fleet. Field tests on some models report plenty of false positives (a glance at the scenery, changing a song), but the friction with the driving experience is not our point here.
- 27 November 2019Regulation (EU) 2019/2144 is adopted — the new General Safety Regulation redesigning vehicle safety requirements.
- July 2022The GSR becomes applicable: the phased introduction of mandatory assistance systems begins.
- 22 November 2023Commission Delegated Regulation (EU) 2023/2590 is published, with technical requirements and test procedures for ADDW.
- 7 July 2024ADDW becomes mandatory for the type-approval of new vehicle types.
- 7 July 2026ADDW becomes mandatory on all new registrations (categories M and N): every new car sold in the EU carries the camera that watches the driver.
The "closed loop": what the rule promises
The European legislator was not blind to privacy. The Delegated Regulation and the GSR impose a precise principle: the data used to determine whether the driver is distracted must not leave the vehicle, must not be transmitted to the carmaker or to third parties, and the system must not record or retain data beyond what is necessary for the function. This is the closed loop: processing happens locally, the frame serves the decision and then, in principle, disappears. On paper, it is privacy by design.
The data used to determine whether a driver is "distracted" must not leave the vehicle nor be transmitted to third parties.
Closed-loop principle — Delegated Regulation (EU) 2023/2590
It is a good principle. The problem is not the principle: it is everything the rule does not say around it.
Where the law is silent
A privacy-by-design principle is worth as much as its verifiability and the sharpness of its edges. On both fronts, ADDW leaves three gaps that no detailed rule fills.
The three governance gaps
The closed loop is imposed as an outcome, but without all the tools that make it verifiable and bounded over time:
- No independent, continuous privacy audit. Type-approval verifies the system's safety performance through technical services, but no independent, recurring mechanism verifies over time the integrity of the closed loop on the data-protection side. On that front one largely relies on the carmaker's own design.
- "Necessary" undefined. Article 6 of the GSR does not specify what is "necessary" for ADDW. It is an elastic perimeter each carmaker fills in its own way.
- Retention without durations. The minimisation principle requires not keeping data beyond what is necessary, but the rule sets no specific retention periods, nor clarifies what happens to the frame after the "distracted" decision: how long it stays in memory, even transiently, and on what legal basis if one day it were wanted after a crash.
Why "it stays in the vehicle" is not enough
The closed loop is a design promise, not a verified guarantee. And trust must be calibrated on the historical behaviour of those who must keep it. The connected car is already one of the most aggressive data-collection platforms around: according to the Mozilla Foundation's Privacy Not Included research, 84% of the car brands reviewed reserve, in their privacy policies, the right to share driver data, and 76% the right to sell it. It is the right they claim for themselves, more than proof they always do it — but it says a lot about the sector's appetite. And these are not conference hypotheticals: there are concrete, recent cases.
The automotive data track record
The point is not that ADDW will certainly be abused. It is that the rule entrusts the integrity of the closed loop to each carmaker's correctness and implementation, without the layer of independent verification we consider indispensable in every other high-risk domain. "The data stays in the vehicle" is a claim someone must be able to prove, not just declare.
The GDPR is there, but it does not self-apply
Do not read the closed loop as an exemption — but do not inflate the data's classification either. ADDW processes the personal data of an identifiable person — the driver — so the processing falls within the scope of the GDPR, whether the data stays on board or not. One point must be clarified, because it is often oversimplified: ADDW detects gaze direction and head pose to infer a state (distracted or attentive), not to uniquely identify the person. For that reason, in standard use, it does not process "biometric data" within the meaning of Article 9 GDPR — a special category that triggers only when processing aims at unique identification. It remains processing of "ordinary" personal data (Article 6), with the safeguards that entails.
The biometric classification would become live only in case of function creep: if one day the same camera were used to recognise the driver, authenticate or profile them. And it is precisely this subtlety that makes the ground delicate — biometric-grade hardware serving, for now, a purpose that is not biometric. The GDPR, after all, is a framework of principles: minimisation, purpose limitation, storage limitation, accountability (Articles 5, 25, 35). It does not translate itself into configurations, logs, impact assessments and evidence. Between "the GDPR applies" and "I am compliant and can prove it" lies a governance effort someone has to do. The special ADDW rule did not do it in the companies' place: it left it to them.
The Tomato Blue point
This case is a textbook example of the thesis we bring to every dossier: formal compliance does not coincide with effective control. A rule can impose a correct principle — "the data stays in the vehicle" — and still leave uncovered the layer that makes it verifiable and bounded over time. For a carmaker, an ADDW-module supplier or a fleet operator, the right question is not "am I compliant on paper?" but "can I prove, with evidence, that the processing is minimised, the loop truly closed, the retention respected?".
- 01Map the processing. Identify exactly what data ADDW captures and processes, where, and how long it keeps it in memory — even transiently.
- 02Assess the DPIA. Check whether an Article 35 GDPR impact assessment is triggered — likely, given the systematic monitoring of the driver — and in any case classify the data precisely (ordinary today, potentially special in case of function creep) and the purposes, before deploying the processing.
- 03Document the closed loop. Make it verifiable — through architecture, logs and tests — that the data does not leave the vehicle, rather than merely declaring it at type-approval.
- 04Define retention and deletion. Explicit policies on what happens to the data after the decision, with defensible timelines consistent with the safety purpose.
- 05Govern the supply chain. The ADDW-module supplier is often a third party: a link in the accountability chain, to be governed with contracts, defined privacy roles and technical evidence.
These are the facts
ADDW is good news for road safety. But every time a rule mandates a new data-collection capability "for our own good", it also creates a mirror duty: to govern that data. On 7 July 2026, millions of European cars started watching us. The question the law left open — who governs that data, and who verifies the promises are kept — remains open. And, as always, it is not solved with a policy in a drawer: it is solved with evidence.
Is a new safety obligation also a new data processing?
Tomato Blue supports carmakers, tech suppliers and fleet operators with DPIAs, processing mapping and the construction of verifiable compliance evidence — from principle to proof.
Talk to us →Sources
Regulation (EU) 2019/2144 (General Safety Regulation), Art. 6; Commission Delegated Regulation (EU) 2023/2590 (ADDW), published in the OJEU on 22 November 2023 — applicable from 7 July 2024 (new types) and 7 July 2026 (new registrations, categories M and N); Regulation (EU) 2016/679 (GDPR), Arts. 5, 9, 25, 35; Mozilla Foundation, "*Privacy Not Included — Cars*" (2023); GM/LexisNexis-Verisk (2024) and Tesla (2019-2022) cases as reported by the press; allaboutcookies.org, "EU Mandatory Distracted Driver System".
This article is for informational purposes only and does not constitute legal advice nor replace professional counsel tailored to the specific case. The positions expressed reflect the analysis of Tomato Blue RegTech.