On 6 October 2015 the European Court of Justice delivered its spectacular Safe-Harbor verdict by which it annulled the Safe-Harbor agreement between the EU and the U.S. This agreement was the basis for the transfer of personal data from any country of the EU to the U.S. The ECJ concluded that under US laws, personal data was not sufficiently protected.
In the aftermath of this decision, the European Commission negotiated a new agreement with the U.S. – known as the EU-US Privacy Shield – that should overcome the deficits of the Safe-Harbor regime and enable an exchange of personal data again. Numerous personal data protection experts are, however, of the opinion that the EU-US Privacy Shield suffers from the same weaknesses as the Safe-Harbor regime and will hence suffer the same fate.
Now, what does that have to do with the hotel industry?
Hotels rely on their guests – and on their personal data. The hotel industry has recognized the value of customer data through the increasing success of the various loyalty programs installed by hotel operators. In today's age of “big data” and IT-based data processing, hotel operators seek to mine the vast amount of guest data they have stored in order to optimize their business models and opportunities. In this gold rush it is easily forgotten that legislators and regulators impose restrictions on how far personal data may be exploited for commercial purposes.
In the EU, a large number of hotels are franchised or operate on the basis of hotel management agreements, many of which have a franchisor or hotel manager headquartered outside the EU, predominantly in the U.S. Typically these agreements provide that the guest data shall be transferred to central customer databases managed by the franchisor or hotel manager in their data centres outside the EU. Sometimes the agreements even contain an obligation to transfer any ownership rights in the guest data to the franchisor or the hotel manager.
From an economic perspective such a central guest database undoubtedly has great benefits: apart from an efficiently and cheaply operated IT system, all hotels connected to such a centralized data system profit from common data collection, its analysis and the exchange of guest data. They can participate in tailor-made marketing campaigns as well as offer a targeted range of services to each hotel guest.
The problem is that the parties involved in such an exchange of guest data – franchisors and franchisees, franchisees within a franchise system, as well as hotel owners and hotel operators – are, from a legal perspective, classified in their relations to each other as third parties in terms of data protection. The relevant data protection laws do not recognize any corporate group privilege when it comes to the exchange and use of personal data. Hence, the storage and processing of personal data in central IT systems routinely raise numerous data protection questions. If the servers holding the stored personal data are located abroad, which is often the case in view of the dominance of international hotel chains and in particular those from the U.S., we very quickly find ourselves in the situation that the European Court of Justice declared insufficient in terms of personal data protection in its Safe-Harbor verdict.
But even if the personal data never crosses the borders of the EU, there are numerous situations that result in infringements of data protection rules. In most cases the relevant players are not even aware of the infringements they commit. For example, when the hotel operator changes during ongoing hotel operations, the existing reservations including all relevant guest data are regularly sold to the new hotel operator. In the view of the competent authorities, such a sale and transfer of personal data requires the approval of the hotel guests concerned prior to the sale and transfer. Obviously – for practical reasons – this is usually not undertaken, not to mention that in most cases this problem is not even known to the former and the new hotel operator.
Violations of data protection legislation should not be frivolously disregarded. Illegally acquired personal data may not be used and must be deleted. Costs incurred in this respect, e.g. any consideration paid for reservations and guest data in the transfer of an ongoing business, would have been paid in vain. And the regulators are giving this issue more and more attention: in Germany, ten supervisory authorities have recently announced that they will investigate the data transfers of about 500 randomly chosen German companies. And in May 2018, when the EU General Data Protection Regulation enters into force, the situation will become even more serious: from then on, violations of data protection rules may be fined with a penalty in the amount equalling 4 percent of the tortfeasor’s worldwide (!) annual turnover.