Data Privacy Concerns in The Hospitality Sector

December 20, 2023

INTRODUCTION

Ensuring data privacy has become a matter of primacy in the present socio-legal environment and in an increasingly online business ecosystem. Information has become a high-priced commodity, and it is routinely transferred without the knowledge or consent of the parties concerned.

The hospitality sector is one of the most plagued in this regard, with data breaches and malpractices being committed in broad daylight. It is an observed trend that most customers and guests, ignorant of the far-reaching implications, readily give up sensitive, private information without a second thought.

In this blog we explore the major data breaches in the hospitality sector and the practices concerned individuals and industry members can employ to mitigate such instances in the future.

PRIVACY INVASION - POTENTIALITIES

Although there are umpteen ways in which data can be breached, the following are a few examples of the most commonly encountered privacy invasions:

1. Lack of Awareness and Unintended Errors

“To err is human” is a common phrase used to justify careless mistakes. However, when it comes to mistakes that lead to a breach of privacy, this phrase cannot be accepted as a shield to deflect responsibility. Employees tend to leave their systems logged in, use personal devices like data banks and laptops for official tasks without any security controls, give away credentials, and lose data storage devices. Safeguarding private data has almost become a myth in the hospitality sector, not only in India but across the world.

2. Complex management structures:

In the hospitality sector, there is a multi-dimensional management structure in which separate entities working under the same umbrella have access to, and handle, the personal data of guests. Due to the complicated business structure of the modern hotel industry, these separate entities, each with individual responsibilities, must work as a team to function. This substantially increases the risk of a data breach at any level in the structure, which threatens the privacy of individuals.

3. Transient staff:

A risk particularly associated with the hospitality sector is the high staff turnover and the seasonal nature of the work, which results in the involvement of temporary staff. These factors make it difficult for hotel chains to maintain adequately trained staff who are well-versed in the protocols for gathering and storing personal data.

4. Insider threat:

The information collected and stored at hotels is often exploited by staff members themselves. This may occur in many ways, such as selling data to unreliable individuals or organizations, forming alliances with them to threaten or blackmail guests, or using the data to siphon cash from vulnerable customers.

RIGHTS OF DATA PRINCIPALS

In layman’s language, data principals are the people whose data is being processed, and data fiduciaries are the organizations that collect and process that data. In India, the relevant laws that regulate privacy concerns are the recently enacted Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act, 2023”), the Information Technology Act, 2000 (hereinafter referred to as “IT Act, 2000”) and Article 21 of The Indian Constitution, 1949. The law grants data principals certain rights that data fiduciaries must honour in order to avoid penalties. Data principals have the following rights:

1. Right to access data:

Data principals have the right to access the information stored by data fiduciaries, including the source of the data, the purpose for which it is processed and the categories of data recipients. Data fiduciaries are therefore duty-bound to disclose how they obtained the data, for what reason they are holding it and with whom it is being shared.

2. Right to correction of data:

Data principals have the right to have their personal data corrected if they spot any errors or if the information about them has subsequently changed.

3. Right to erasure:

Every data principal has the right to have their data removed or erased. Under section 14 of the DPDP Act, 2023, the concept of the “Right to be Forgotten” exists, which gives users the right to have any publicly available content removed so that it can no longer be accessed by the public at large.

4. Right to restrict processing data:

Data principals are in total control of how and why their personal data is used and processed. Hence, they have the right to restrict the use of their data in certain circumstances, and data fiduciaries must comply with any such restrictions imposed by the data principal.

5. Right to data portability:

Data principals have the right to obtain a copy of their data in a structured, commonly used and machine-readable format. This right enables data principals to transmit their data to other data fiduciaries as per their requirements.

6. Right to Object/ Opt-Out:

Every data principal can object to the processing of their personal data by data fiduciaries, for example, to the processing of data for direct marketing or automated decision-making.

7. Right to withdrawal of consent:

This right enables data principals to withdraw their consent to process their personal data at any time. Consent managers provide preference centers where data principals can exercise this right.

HOW ARE THESE RIGHTS EXERCISED?

In order to exercise the above-mentioned rights, the following steps are involved between the data principal and the data fiduciary:

1. Filing of request:

The data principal must first submit a written request to the data fiduciary, clearly and specifically stating which right is being exercised and in which context.

2. Response timeframe:

There is a pre-determined timeframe within which the data fiduciary must process the request; however, it may vary depending on the circumstances and complexity of the issue. A response to a request must generally be made within 30 days.

3. Honoring the request:

The data fiduciary is legally bound to process the request and honour it unless there exists a lawful reason for refusal.

4. Refusal to comply:

If the data fiduciary refuses to comply with the data principal’s request, a written explanation must be provided to the data principal stating why the request was not processed.

5. Filing of complaint:

In case a data principal is dissatisfied with the conduct or response of the data fiduciary, a complaint can be filed with the Data Protection Board of India (hereinafter referred to as “DPBI”). The DPBI shall assess the situation and decide whether any violation of law has taken place. Depending upon the nature of the violation, a penalty of up to 50 crores can be imposed.

MODUS OPERANDI OF CYBER FRAUD IN HOTEL BOOKING

The criminal mind devises creative ways to exploit the vulnerability of uninformed data principals. The following instances are real-life examples of how such data breaches happen and how to avoid them:

i. UPI scam in popular online hotel booking apps - There have been many instances where customers booking rooms through hotel booking apps have been scammed by a network of criminals conspiring with insiders who hold private data. This typically happens in the following way:

ii. The victim receives a call asking about their expected check-in time. The caller then informs the victim that if they do not check in before a certain time, their booking will stand cancelled unless an advance is paid online, or, where an advance has already been paid, the remainder is paid.

iii. The caller then appeals to the good nature of the victim and influences them with seemingly valid reasons, such as the financial loss the hotel supposedly suffers when customers pay through the booking app rather than directly to the hotel.

iv. The victim is now suspicious and has their guard up, insisting on paying at the hotel on arrival.

v. To ease the victim’s suspicion and bring their guard down, the caller then tries to establish their supposedly genuine intentions by asking the victim to verify the booking ID and the exact amount shown in the booking application. This data breach is carried out in conspiracy with the hotel.

vi. The victim is now reassured that, since the caller has their private data, they must be a genuine hotel employee. A payment is then made to a fake UPI ID which carries a convincing name such as “hotelabc@bank”.

vii. Once the payment is made, the fraudster can no longer be contacted.

In order to avoid the above situation, the following steps must be taken as preventive measures:

a. If the preferred mode of payment is online (through UPI applications or net banking), verify each and every detail before going through with the payment. It is advisable to pay via the booking website or application, which authenticates the identity of the payee.

b. If any unknown caller requests any sum, it is advised that no payment is made without verifying with the actual hotel directly.

c. If a payment has nevertheless been made, confirm with the hotel authorities whether the payment was received by them. If the answer is no, it is advisable to immediately file a cyber-crime report online and submit the required documents. A parallel complaint can be filed with the booking website or application informing them of the issue.

DATA BREACH INCIDENTS IN HOTELS

A. Data Breach in 2023

A threat actor named “DNA cookies” asked $5,000 for the entire dataset of one of the top hotel chains spread throughout India, containing membership IDs, addresses, phone numbers and other Personally Identifiable Information (hereinafter referred to as “PII”) of around 15 lakh users.

B. Incidents in 2014 and 2020

The attack compromised the credit card details, passport numbers and birthdates of more than 300 million guests stored in the brand’s global guest reservation database. It was discovered in late February that the network of an unspecified hotel chain had been hacked, and the hackers, who had obtained the login credentials of two Marriott employees, may have accessed guest details.

MASKED AADHAAR - A MUST

Masked Aadhaar is an essential preventive measure that is not yet known to many people. Masking an Aadhaar refers to displaying only the last four digits of the Aadhaar number, which keeps the full number safe from potential misuse.

The UIDAI advises the following measures regarding Aadhaar IDs:

  1. Use a masked Aadhaar ID (which is a valid ID proof).
  2. Avoid using public networks or computers to download e-Aadhaar. If already done, take measures to permanently delete any downloaded copies.
  3. Only those organizations or private entities that hold a valid User License from UIDAI can use Aadhaar to establish the identity of a person.
  4. Any hotels or movie halls asking for an Aadhaar ID for a photocopy must hold a license for the same, failing which there may be a violation of the Aadhaar Act.

In 2018, the Supreme Court of India struck down section 57 of the Aadhaar Act, which had essentially allowed private entities to collect Aadhaar details.

MEASURES TO BE TAKEN BY ORGANIZATIONS

A private entity in the hospitality sector must follow certain best practices and rules in order to abide by the data privacy laws:

  1. Review and update data privacy policies and procedures.
  2. Obtain explicit consent from guests.
  3. Implement robust security measures.
  4. Provide data principals the opportunity to exercise their rights.
  5. Conduct data mapping and audits.
  6. Facilitate cross-border data transfer (data portability).
  7. Implement data protection training and awareness programs.

AMLEGALS REMARKS

The hospitality sector stands at a crossroads. Balancing personalized service with guest privacy has never been more demanding. While data-driven technologies promise unparalleled convenience and targeted marketing, they also raise concerns about intrusive surveillance, discriminatory practices, and potential data breaches. Ignoring these concerns is a recipe for reputational disaster and eroded trust.

Moving forward requires a paradigm shift. Hospitality businesses must prioritize transparency and control, giving guests clear and concise information about how their data is collected, used, and protected. Clear opt-in and opt-out mechanisms are crucial, allowing guests to choose the level of data-driven personalization they are comfortable with.

Robust cybersecurity measures are paramount, preventing unauthorized access and safeguarding sensitive information. Collaboration with regulators and tech developers is essential, ensuring ethical usage of data and implementing responsible AI practices.

Ultimately, trust is the foundation, and it is built upon open communication, respect for individual autonomy, and a commitment to ethical data practices. Only then can the hospitality sector leverage the power of data without compromising the very essence of its industry: creating a safe, comfortable and truly welcoming experience for every guest, with the assurance that their privacy is safeguarded.

– Team AMLEGALS assisted by Mr. Sashwat Banerjee


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
