The Data Protection Act 1998 (being the main legislation in the UK governing the protection and use of personal information in the UK) dictates that an 'adequate' level of protection must be provided where personal data is transferred outside the EU.

The Wave of the Future    

We are seeing an interesting trend with our hotel clients that is worthy of note. More and more retailers, nail bars and local restaurant concessions are popping up in hotel lobbies and people are asking why?

Hotels have long outsourced their health and beauty offering to third parties. But, what is new is the introduction of product retailers and service providers one would normally find in a shopping centre within hotel lobbies, and it's not just the big hotel chains either — boutique hotels are getting in on the act as well. It seems clear that the trend is moving towards offering a holistic lifestyle experience all within a hotel environment so guests can have all their needs under one roof.

For many years, the more upscale the hotel, the more selective it was about such partnerships, in order to fully control the guest experience.

But times have changed. Not only millennials, but discriminating, time-limited travellers generally are ever more determined to make their own brand choices.

There is no universal way of contracting between hotels and occupiers. It can be a simple landlord/tenant relationship with a fixed rent like any other landlord/tenant relationship or it can be any one of the number of complex contractual relationships we discuss below. From the operators' perspective, they are looking to increase their brand presence and the built-in customer traffic hotels offer is attractive together with the opportunity to take space in prime locations with little fit out cost (the walls and floors are already there as are the utilities and luxury elements typical of hotel lobbies — the brands just need to add their branded fit out and design to the mix).

Hotels, especially in option rich environments such as major urban centres and destination resorts, have come to realise that guests expect leading edge dining, shopping, personal care, fitness, private film screening rooms and other experiences along with their lodging experience.

And similarly hotels have come to appreciate they cannot hope to replicate on their own the offerings of celebrity chefs, haute couture designers, Bond Street jewellers and the like who are just around the corner from their hotel.

These branding partnerships can be legally complex. Firstly, many hotel owners will often decide to directly control major sub-lettings rather than delegate this to their hotel operator. This is especially true where the hotel is part of a large mixed — use complex with significant retail, entertainment, residential and other components. The result is often a tangled network of overlapping traders, leases, management agreements, licences, shared utilities agreements, common access agreements with a variety of parties and timelines that are constantly changing.

We are seeing more varieties of contractual relationships in this sphere than ever before.

For example, profit-sharing arrangements have also become popular with a focus on turnover rent from third party operators where both the hotel and the operator are motivated to make a success of the business generated by the operator.

In the restaurant arena, some hotels have opted for franchise arrangements where the hotel pays a franchise fee and employs staff itself, using the name of a celebrity chef or recognised high-end restaurant chain for its in-hotel restaurant offering.

On the other hand, some hotels have opted for expanding their retail, restaurant and service offering under their own brand. These branded concepts are intended to encourage guests to stay in the hotel for their meals, treatments and shopping, opting for the own-brand leisure options rather than high street chains. The obvious benefit to the hotel is expansion of its brand with full control and exclusive benefit of the income stream. The risk may be greater but so is the potential reward.

Whichever direction hotels are choosing to take, it is clear that focusing only on overnight stays may have less and less relevance and the line between hotel operators and landlords is becoming more blurred , even as we write. As complex as some of these arrangements may be, they are clearly the wave of the future!

This article first appeared in Retail & International Leisure.

The U.S. is not considered to have adequate protections in place and the 'Safe Harbor' program was previously implemented as a way of providing adequate protection. Under that program, U.S. organisations (save for those in certain sectors) that signed up to and complied with it were automatically authorised to accept personal data from the EU without the need for individual approval or compliance with other legal or regulatory requirements. However, in October 2015 the EU Court of Justice ruled that the Safe Harbour framework was invalid, rendering data transfers from the EU to the U.S. unlawful under that arrangement, leaving many EU and U.S. organisations in breach of EU data rules and in doubt about how they could legally transfer data.

After much anticipation, details were announced in February of a new political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes. The EU-U.S. Privacy Shield is set to replace the now redundant Safe Harbor and ensure that there is a mechanism in place that provides a level of protection in the U.S. that is essentially equivalent to that in the EU. It is intended that the Shield will impose stronger obligations on U.S. companies to protect personal data received from Europe and stronger monitoring and enforcement obligations on the relevant U.S. authorities.

However, in April a group of the EU's natural data protection authorities known as the Article 29 Working Party, while acknowledging that the Privacy Shield is an improvement on the Safe Harbour, stated that they will not support it in its current form, although their views are non-binding and the Commission could choose to disregard them. It is seeking clarification from the European Commission on a number of points. The next stage in the process will be the opinion of the EU member states' representatives, after which the Commission will formally vote on whether to adopt the Shield.

In the meantime, the Information Commissioner's Office has clarified that organisations may continue to use alternative methods of transfer such as standard contractual clauses and binding corporate rules for data transfers to the U.S.

For more information on this topic, read our client alert Privacy Shield Released — How Employers Can Take Advantage of the New European Data Transfer Framework.