The hospitality industry is becoming digitalized.
Hotel operators are increasingly relying on the Internet of Things, big data and cloud computing to deliver more convenience and bespoke offerings to their guests. Often the data collected is then combined with artificial intelligence technologies to deliver intelligent perception, intelligent decision-making and adaptive learning. Dealing with all this data also brings greater responsibility and obligations in relation to personal information compliance.
These greater compliance requirements are typically reflected in four aspects: collection of personal information, personal information interaction, building cloud platforms and cross-border transfer of personal information.
I. Collection of Personal Information in the Hospitality Industry
1. Scenarios when personal information is collected
An easy way to improve a hotel guest’s experience is to provide a seamless check-in. Options include “mobile check-in”, “smart front desk” and “door access with facial recognition”. Hotel group companies and hotel management companies (“Hotel Party” or “Hotel Parties”) are constantly seeking to improve the efficiency of check-in and thereby provide a better overall guest experience. Providing efficient and high-quality service requires analysis of guest data, which is typically collected at every stage from booking until check-out. Data will be processed and analyzed by the Hotel Parties’ Property Management System (PMS).
(1) Booking
During booking, Hotel Parties collect guests’ personal information both directly and indirectly. They may directly collect guests’ personal information through self-operated Apps, applets, official websites and hotel front desks. In addition, Hotel Parties may indirectly collect personal information from third parties such as Online Travel Agencies (OTA), airlines or travel agencies.
Upon arrival, Hotel Parties typically offer guests self-service check-in or staff-assisted check-in. At this point, guests will confirm bookings/requests, scan IDs (which may be collected by both the Hotel PMS and the public security information system) and sign a check-in consent form (paperless hotels will collect guests’ electronic signatures). This personal information may be collected not only for providing basic services such as booking and check-in, but also for improving service quality. Examples include:
(2) Check-in
During check-in, Hotel Parties will collect personal information relating to services to be provided. For room service, Hotel Parties will collect guests’ personal information in order to provide Internet connected devices such as smart TV and smart assistants. In addition, for non-room services, relevant guests’ personal information can be collected by Point-of-Sale (POS) systems so as to allow guests to enjoy the hotel’s amenities such as food and beverage or other services (e.g. spa, fitness center, conference center, etc.).
POS may collect guests’ personal information based on different membership levels and scenarios, for example:
Hotel Parties may also collect guests’ personal information during the check-in stage by other means, such as cameras in public areas or body cameras worn by security staff.
(3) Check-out
After guests check out, Hotel Parties will often collect guests’ ratings and reviews through telephone enquiries, SMS enquiries, push notification on their own website, Apps or on third party OTAs.
In practice, some hotels have implemented an unmanned hotel operation mode, that is, a full hotel check-in with facial recognition in which all processes from check-in to check-out are operated without human interaction. In this mode, guests reach their floor by using facial recognition when taking an elevator. During the Covid-19 pandemic this operation mode had the advantage of avoiding cross-contamination (i.e. no direct finger contact with the elevator) while also improving security.
2. Compliance obligations for the collection of personal information
The Notification of Apps Infringing Users’ Rights and Interests issued by the Ministry of Industry and Information Technology sets out conduct by hospitality industry and OTA Apps that is considered to infringe upon guests' rights and interests. Infringing behavior includes “compulsory, frequent and excessive requests for permission by Apps”, “illegal collection of personal information”, “collection of personal information beyond scope”, “forcing users to use the function of a targeted push”, etc.[1]
When collecting personal information, Hotel Parties are not only required to comply with requirements such as informed consent, only collecting minimum necessary data, etc. but also need to pay special attention to enhanced compliance obligations for:
(1) Collection of sensitive personal information
In the process of providing services, Hotel Parties inevitably collect sensitive personal information from guests (ID card/passport details during check in; financial details when a guest makes a transaction; facial information and other biometric information collected for door access; and the personal information of minors under the age of 14 may be collected when providing hotel nursing or babysitting services).
When collecting sensitive personal information from guests, Hotel Parties need to obtain the guests’ separate consent and notify guests of the purposes and methods of personal information processing, types of personal information to be processed, and storage periods, as well as the necessity of the processing of sensitive personal information and the impact on their individual rights and interests.[2]
In addition, hotels seeking to adopt an unmanned hotel operation mode will need to ensure that alternatives to facial recognition are available for obtaining door access. Shanghai and Shenzhen expressly require that image collection and personal identification technology shall not be used as the sole method of verification for access to public places (this extends to hotels).[3]
(2) App’s collection of personal information
Apps are commonly used by Hotel Parties to collect guests' personal information. The Information Security Technology - Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps) (GB/T 41391-2022) (hereinafter referred to as “Basic Requirements”) provides guidelines in such regard.
According to the Basic Requirements, an App’s business functions are divided into basic and extended business functions. The basic business functions are those needed to fulfill the users' main purpose for using the App (i.e. guest registration, identity verification, hotel booking, check-in). The Basic Requirements specifies the scope of necessary personal information in travel and hospitality industries:[4]
(3) Collection of employees’ personal information
Hotel Parties collect personal information not only from guests but also from their employees. The collection of employees’ personal information and the requirements of notification and consent are not described in detail here. Please refer to the article The Conflict and Balance between Human Resource Management and Protection of Employee Information《不执一端求其圆——人力资源管理与员工信息保护的冲突与平衡》.
II. Personal Information Interaction between Hotel Parties and Third Parties
1. Sharing and transfer of personal information
Personal information sharing is when the personal information processor provides personal information to another processor and both have independent control over the personal information.[5] Personal information transfer is when relevant personal information rights and interests are transferred from one personal information processor to another.[6] Both sharing and transfer fall within the provision of personal information.[7] Many digital operations are not able to be performed by the Hotel Parties themselves and therefore the Hotel Parties will need to share personal information. In addition, personal information as a new type of valuable asset will raise issues when there is a merger, reorganization or transfer of hotel assets.
(1) Hotel Parties share personal information with cooperative partners
Personal information can flow between Hotel Parties and their cooperative partners in both directions (Hotel Parties can either provide or receive data).
Typical scenarios include:
(2) Hotel Party shares personal information with owner and franchisee
Hotels are often operated by an entrusted or franchise operation.
These different operational modes add complexity as to how the Hotel Parties may act. In most cases, Hotel Parties obtain guests’ personal information through the hotel’s official website, applets, Apps and front desk, etc. and share the personal information with owners and franchisees. Owners and franchisees have limited rights to use certain personal information (or must obtain separate consent of the personal information subject if the agreed limits are exceeded). Under franchise operation, the franchisee is entitled to act as an independent processor of accommodation information (i.e. guest names, contact information, travel routes, etc.) as shared by the Hotel Party. Under entrusted operation, owners may process guests’ names, accommodation information, etc. shared by the Hotel Parties to fulfil their compliance obligations under the law.
2. Entrusted processing of personal information
Hotel Parties often have technology or hardware limitations and therefore entrust third parties to process guests’ personal information (e.g. terminal information, network information, guest behavior information, etc.). Typical scenarios include:
3. Joint processing of personal information
Joint processing of personal information is less common in the hospitality industry than sharing. Reference can be made to the Guidelines 07/2020 on the concepts of controller and processor in the GDPR adopted by the European Data Protection Board (EDPB) where hotel A, airline B and travel agency C jointly set up network company D. The agreement between A, B and C stipulates that personal information of guests who book hotels, buy flight tickets or purchase travel products through the network platform of D will be collected by D and then jointly used by A, B and C to carry out joint marketing practices and accordingly push relevant advertisements to guests for each company.[8] In this case, the processing conduct may be considered to be joint if the hotel is an independent processor of personal information and shares a common purpose with third-party partners.
4. Compliance advice for personal information interaction
(1) Conduct personal information protection impact assessment
Entrusted processing, sharing or transferring personal information to other personal information processors explicitly requires a personal information protection impact assessment to be carried out in advance.[9] The assessment has five key points: the purpose of processing and its legality, notification and consent of the personal information subject, details of the entire life cycle assessment of personal information, response to individual rights and interests, and security guarantee measures.[10] Security measures may include encrypted transmissions, continuous monitoring and access control, chosen in light of both the assessment results and the risk level of the personal information processing activities, so as to safeguard the security of the personal information.[11]
(2) Enter into data processing agreements
In an entrusted processing relationship, the law clearly requires the parties to agree on the purpose, period, processing methods, type of personal information, protection measures and rights and obligations of both parties.[12] In joint processing relationships, both parties need to agree on their respective rights and obligations.[13] Although there is no explicit requirement under PRC law as to whether a contract is required on the sharing or transfer of personal information, the relevant national standard clearly states that the responsibilities and obligations of the recipient shall be stipulated in the contract.[14]
To differentiate between the above three types of data processing agreements, please refer to the article Data Processing Agreements in the Flow of Personal Information, Are you Prepared?《个人信息流动中的数据处理协议,你准备好了吗?》
III. Hotel Digital Cloud Platform
1. Current situation of hotel digital cloud platform construction
Cloud computing is a crucial part of the hotel industry’s digital infrastructure. It allows for sophisticated data analysis and personalized guest services. At present, about 51% of hotel systems rely on the cloud, most importantly PMS, central reservation systems, POS and other front-end hotel operation management and business systems, as well as back-end systems such as human resource management systems and supply chain management systems.[15] Most hotels use third party cloud systems as the cost of a private cloud is prohibitive.
2. Allocation of responsibilities between Hotel Party and cloud service provider
If a public cloud is being used, then part of the operating system is controlled by the Hotel Party and the ownership of data deployed on the public cloud will belong to the Hotel Party. On the other hand, the infrastructure is provided by the cloud service provider. The general view on data security responsibility is “shared responsibility”. That is, the cloud service provider is responsible for the “security of the cloud itself” while the Hotel Party is responsible for “security inside the cloud”.
(1) Security of the cloud itself
The cloud service provider is responsible for protecting the infrastructure for running all cloud services, including hardware, software, network and equipment for running cloud services.
(2) Security inside the cloud
The responsibility of the Hotel Party is determined by the cloud service selected. For example: (a) for guest data, the Hotel Party bears most of the security responsibility. The cloud service provider only provides storage, access control, encryption, and remote replication. The Hotel Party is responsible for implementation of security measures and bears the corresponding costs and responsibilities; (b) for the Hotel Party’s systems, such as PMS and POS operated on the cloud service, the Hotel Party can choose and use functions provided by the cloud service provider, but the operation result and security responsibility will be borne by the Hotel Party; (c) in respect of Identity & Access Management (IAM), the cloud service provider only provides the system whereas the Hotel Party is responsible for the maintenance and operation of the information.
3. Personal information compliance advice on hotel cloud platforms
When a hotel uses cloud services, Hotel Party usually has the right to determine the purpose and method of processing personal information and is deemed as a personal information processor. However, the cloud service provider that provides the storage function of personal information may also fall within the scope of personal information processor. Currently, the legal situation in China on this point is unclear.
(1) Hotel Party and cloud service provider enter into personal information processing agreements
When a Hotel Party requests a cloud service provider to provide personal information storage service, such request should be interpreted as entrusted processing. The parties shall enter into a written agreement to agree on the purpose, method, scope and period of the entrusted processing and the storage location, type, sensitivity and volume of the personal information, and the cloud service provider should process the personal information in accordance with the agreement. Processing activities shall not exceed the agreed processing purpose and method.
(2) Anonymization and deletion of personal information
Unlike de-identification[16], anonymization[17] leaves personal information in a state where a specific natural person cannot be identified and the identity cannot be recovered. Anonymized information no longer falls within the scope of personal information. Hotel Parties storing a large amount of personal information (including sensitive personal information) on the cloud should anonymize (or highly de-identify) information to the maximum extent possible. In addition, it is important to delete relevant personal information after the minimum storage period is reached. The minimum storage period depends on the minimum time necessary to achieve the purpose authorized by the personal information subject (tenant/guest).[18]
(3) Compliance of cross-border transfer of personal information on the cloud
Cloud services are “location-independent”, meaning that the cloud system may be located within China or outside China. If the cloud system is within China, the Hotel Party will not be involved in cross-border transfer of personal information. However, if the overseas group headquarters of the Hotel Parties remotely accesses the domestic cloud platform in China, cross-border transfer of personal information is involved. If the cloud system is located outside China and the Hotel Parties collect personal information within China, uploading such personal information to the cloud is considered cross-border transfer of personal information.
Cross-border transfer of personal information has a relatively simple compliance path – in that the Hotel Party and a cloud service provider need to enter into a PRC version standard contract; however, if the personal information processed by a Hotel Party reaches 1 million persons or the personal information of 100,000 persons or sensitive personal information of 10,000 persons has been provided overseas since January 1 of the previous year, such Hotel Party shall apply for data cross-border transfer security assessment to the Cyberspace Administration of China (CAC).
(4) Establish cybersecurity protection graded systems and channels for receiving information on product security vulnerabilities
Cloud service providers should establish cybersecurity protection graded systems, take technical measures to monitor and record network operation status and cybersecurity events, and retain relevant cyber logs for no longer than 6 months.[19] In addition, cloud service providers as cyber product providers need to establish channels for receiving information on security vulnerabilities of cyber products, and retain information related to security vulnerabilities for not less than 6 months. Upon discovering or being informed of a security vulnerability in a cyber product, the cyber product provider should immediately take measures, organize the verification of the security vulnerability, and assess its harm and impact. Relevant vulnerability information shall be submitted to the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology within two days, and any security vulnerabilities need to be repaired in a timely manner.[20]
IV. Cross-border Transfer of Personal Information
International Hotel Parties often transfer personal information collected and generated during their operations in China overseas in order to provide services on a global level.
Cross-border transfer of personal information by Hotel Parties mainly involves the following circumstances:
- A domestic entity of an international hotel group transfers guests’ personal information collected within China to another hotel entity (or headquarters) located overseas; and
- An overseas hotel entity remotely accesses guests’ personal information stored in China.
When transferring personal information overseas, Hotel Parties need to conduct a data cross-border transfer security self-assessment. If the conditions are met, the Hotel Parties will need to apply for data cross-border transfer security assessment to the CAC through the local cyberspace administration at the provincial level.
Due to the large amount of personal information, including sensitive personal information, collected by a Hotel Party in the course of its business operations, there is a risk that major hotel chains may be identified as critical information infrastructure operators (CIIOs). If a Hotel Party is identified as a CIIO, it will also be subject to reporting obligations for data cross-border transfers and will need to pass a security assessment. CIIOs and personal information processors handling personal information up to the amount prescribed by the CAC are required to store personal information domestically before transfer overseas.
Many domestic guests in China directly visit the websites of overseas hotels to book overseas hotels and in doing so provide personal information. This should also be compliant with Article 3(2) of the Personal Information Protection Law, which provides for “extraterritorial effect”. Although there is no definitive conclusion as to whether an overseas Hotel Party collecting personal information from domestic guests is required to conduct a data cross-border transfer security assessment under the “extraterritorial effect” scenario, we recommend parties should be prepared to fulfill their data cross-border transfer security assessment obligations as required under PRC law.
Conclusion
The hospitality industry is embracing digital tools to transform the way it does business. Hotel Parties use digital tools to market, interact better with guests and improve member engagement through online channels. However, this greater employment of digital tools also means Hotel Parties have greater obligations in safeguarding personal information.
Thanks to intern Hongyu Xu for his contribution to this article.
[1] Notification of Apps Infringing Users’ Rights and Interest (batch 4, 2022) https://www.miit.gov.cn/xwdt/gxdt/sjdt/art/2022/art_78d83cde658f461c96ad9ccc5764409f.html
[2] Articles 17, 28, 29 and 30 of the Personal Information Protection Law
[3] Article 23 of the Shanghai Data Regulations, Article 19 of the Shenzhen Special Economic Zone Data Regulations
[4] Information Security Technology - Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps) (GB/T 41391-2022) Appendix A: Scope of Necessary Personal Information and its Use Requirements for Common Service Apps
[5] Article 3.13 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
[6] Article 3.12 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
[7] Article 23 of the Personal Information Protection Law
[8] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR No. 68 https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
[9] Article 55 of the Personal Information Protection Law
[10] See Article 56 of the Personal Information Protection Law
[11] See article: “Opportunities and Challenges - Data Compliance in the New Retail Industry” https://mp.weixin.qq.com/s/gvFWSxHUtVLKAx4rTJ03jA
[12] Article 21 of the Personal Information Protection Law
[13] Article 20 of the Personal Information Protection Law
[14] Article 9.2 d) of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
[15] See Shiji Information Survey Report on the Status of China's Hospitality Industry Systems on the Cloud in 2021
[16] Article 73 of the Personal Information Protection Law: De-identification refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information.
[17] Article 73 of the Personal Information Protection Law: Anonymization refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered.
[18] Article 6.1 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
[19] Article 21 of the Cybersecurity Law
[20] Articles 5 and 7 of the Administrative Provisions on Security Vulnerabilities of Cyber Products