In 2020, China launched a global data security initiative focused on strengthening international coordination for cross-border data flows and setting standards for the protection of personal data.

Ensuing data localization and data transfer rules affect how multinational corporations transfer personal information they collect from customers in the People’s Republic of China to other countries for storage and processing.

Complying with the new rules will no doubt impact the global data strategy of some international organizations, including hospitality chains.

How do international hotel operators collect and process personal information?

Hotel chains commonly use digital and cloud systems to perform functions like room reservation, guest check-in, group management and marketing. As a result, a large volume of guests’ personal information (PI), even sensitive PI, will be collected and processed by hotel chains, and cross-border transfers often occur, especially with global online travel agencies or affiliates under the same hotel brands on enterprise resource planning (ERP) systems.

Will hotels be legally required to store all data locally within China?

The short answer is that it is very likely. According to the Personal Information Protection Law (PIPL), a business that processes a large volume of PI must generally store the PI collected within China locally. This localization requirement may apply to international hotel brands and impose considerable costs, considering the significant number of guests they deal with in their daily operations.

What are the key legal requirements for cross-border transfer?

Transparency. It is a critical first step to disclose to the data subjects upon collection about the proposed cross-border transfer, including why it is required, when PI is transferred, what types of PI are involved, who will receive the PI, and how PI is protected upon transfer. These details are usually included in the relevant privacy policy and notices.

Lawful basis. It is recommended to rely on the lawful basis available under the PIPL instead of solely relying upon the individuals’ consent, which may be withdrawn at any time. Typical examples of lawful basis available to hotel brands may include:

  • Checking ID during check-in for public security purposes, as required by law
  • Executing contracts (electronic or written) with guests (such as providing membership services or accommodation)
  • Protecting the vital interests of individuals in emergencies

If PI is collected or transferred for marketing needs (e.g., user profiling, preference analysis, pushing ads), informed prior consent must be obtained separately.

What cross-border transfer mechanisms are available?

The PIPL allows the cross-border transfer of PI in the following three scenarios: (i) security assessment by the Chinese regulator; (ii) the Chinese version of standard contract clauses (China SCC); and (iii) security certification (similar to the GDPR’s “binding corporate rules”). The China SCC and security certification are still pending finalization and more clarification is expected.

The diagram below illustrates how to determine the appropriate cross-border data transfer mechanism applicable in different scenarios: