Now that more than a year has passed since the GDPR made major changes to the European data protection regime, it is time to revisit what those changes mean for the hospitality sector and investment in it, given increased enforcement activity by regulators, growing technological complexity and compliance issues continuing to rise up corporate agendas.
The General Data Protection Regulation (“GDPR”) created a considerable stir in 2018, with much being written about its burdensome requirements and high fines. For the hotel and hospitality sector, respecting the privacy of guests is nothing new, though some of the ways in which services are evolving will need some careful consideration in order to maintain this culture and meet the current stringent legal requirements.
Issues arise as digital channels of guest engagement continue to emerge, and new technology-based offerings are developed. Maintaining a focus on privacy becomes more challenging, and a natural tension exists between the principle of data minimisation (a key facet of the GDPR) and the technical innovation which hotel operators are looking to implement.
Now that the GDPR has been in force for more than a year, we are starting to see enforcement action by data protection regulators, including in the UK, France, Germany, Greece and elsewhere. This applies across all sectors, and is not just an issue for organisations that hold large volumes of personal data.
As well as regulators, investors are increasingly concerned to probe the compliance efforts of potential targets, and assess risk posed by any deficiencies identified in the due diligence process. This blog examines four topical areas that will be of particular interest to companies operating in the hotel industry.
One of the most significant changes brought about by the GDPR is that it explicitly extends EU data protection rules and rights beyond the territory of the EU in some circumstances. This is to ensure comprehensive protection of EU individuals’ rights and to create a level playing field for companies active in the EU market.
Although compliance with the GDPR has been mandatory since May 2018, at the time of writing the European Data Protection Board (the “EDPB”) has not yet adopted its finalised guidelines on the territorial scope of the GDPR. This means that the precise reach of the GDPR’s so-called “long arm” is not yet fully understood. A draft of the guidelines, released for public consultation in 2018, indicates that the EDPB will take a robust approach to matters of jurisdiction, even finding the activities of non-EU entities to be subject to the GDPR in surprising circumstances.
Companies in the hotel industry should carefully consider the processing activities they carry out, and whether they may fall within the scope of the GDPR. Where a company belongs to a group that is “established” in the EU, or otherwise targets individuals in the EU as future customers, it may become difficult to escape the conclusion that certain activities are regulated under the GDPR. This will have consequences for risk exposure, and also for the steps that a company is required to take in order to comply.
It is a common legal misconception that personal data is an asset that can be “owned” and shared freely with “buyers”. The reality is more complicated. The GDPR provides individuals with a range of rights, including the right to have their data erased in certain circumstances. Personal data also has a finite “life”: the GDPR requires organisations to delete data that is no longer necessary for the purpose for which it was collected.
It is important for the parties to any arrangement involving personal data to have clarity over their respective roles, as this has day-to-day compliance consequences and can become particularly important if an agreement is terminated; for example, which party may retain the data, and for what purposes?
Despite regulatory guidance being issued by the EDPB and other regulators, including the UK Information Commissioner’s Office (the “ICO”), it is often difficult to discern whether a party is acting as a “controller” or a “processor” of personal data. This distinction has significant consequences. When a controller engages a processor to provide services, the GDPR requires specific processing terms to be set out in a contract, and failure to do so amounts to a breach of the legislation. Where two parties share data as controllers, a situation likely to be prevalent in the hotel industry, the contractual requirement is less rigid. Even here, regulators are likely to expect some form of data sharing agreement to be in place (and if there is “joint controllership” then there should be an arrangement between the joint controllers). In the UK there is a draft data sharing code under consultation; this indicates that the ICO (and likely regulators in other EU member states) will expect formal, documented agreements.
As market positions continue to evolve, companies in the hotel industry should approach the negotiation of data processing provisions carefully. Miscategorising a party’s role could lead to significant issues in the future, such as an inability to access personal data following a corporate event or contract termination, or just an increase in legal complexity and associated costs of a deal. It may also have a bearing on how enforcement is meted out by a regulator. Note that controllers must comply fully with the GDPR. Processors only need to comply with parts of it.
Cyber security incidents can cause significant disruption for businesses and, in the worst cases, bring day-to-day operations to a halt. For hotels, there have been reports of vulnerabilities in keycard systems, which have the potential for considerable disruption to operations and raise physical safety concerns. Not all cyber security incidents involve personal data. Where an incident amounts to a “personal data breach” for the purposes of the GDPR, organisations are required to file notifications with the applicable regulatory authorities in all but the most anodyne of situations; where the breach is likely to lead to a “high risk” for affected individuals, it will also be necessary to notify them directly. Companies should consider the following issues as part of developing an incident management framework:
Recent press coverage of automatic facial recognition technology deployments around the world demonstrates the reputational impact that can result when affected individuals become aware that their data has been used in unexpected ways. Companies should consider the adequacy of any internal decision-making processes that take place before a new technology is deployed. These processes should incorporate a consideration of:
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.