Hotels seek contract rewrites to cut DPDP data risk
New Delhi: Several hotel owners are rushing to renegotiate longstanding agreements with international operators and booking platforms to clarify data protection responsibilities under the new Digital Personal Data Protection (DPDP) Act and strengthen measures to prevent any breach of guest data.
The move reflects the growing concern among hoteliers about the liability exposure in an industry where guest information is exposed to several stakeholders including hotel management firms and travel companies, legal experts said.
They said the sector is more vulnerable than others, citing prior instances of hacking and credit card theft and the widespread sharing of guest data across property systems, brand platforms, online travel agencies (OTAs) and technology providers, which creates multiple access points and higher dependency risk.
"Owners are waking up to the fact that they could be on the hook for violations they have no control over," said Sujjain Talwar, partner at Economic Laws Practice (ELP).
Several existing industry contracts stretch over decades. They were signed long before data privacy emerged as a regulatory priority and contain little guidance on who controls guest data or bears responsibility for breaches. "These are typically 20- to 30-year management agreements that never contemplated privacy law," Talwar said.
The DPDP Act, which came into force last year, imposes significant penalties for mishandling personal information and grants consumers new rights over their data.
Experts said many travel and hospitality companies are grappling with multiple challenges in understanding and implementing the rules in view of the complexities involved.
"As they deal with heavy volumes of PII (personally identifiable information) data that they receive directly from individuals and corporates under different arrangements, they are finding it difficult to envisage their responsibilities in all such arrangements where they may be treated both as a data fiduciary and a processor in some arrangements," said Rahul Garg, managing partner at tax and regulatory consultant Asire Consulting.
Because big hotel chains operate through management models, companies are discussing the responsibility matrix between property owners and the international chains, which is critical to identifying who is classified as a fiduciary, he said.
Industry sources said international hotel chains, which typically operate properties under management or franchising agreements rather than owning them, have begun receiving queries and amendment requests from property owners seeking to limit their exposure. These concerns are becoming critical factors during negotiations on brand selection and signings, said Deepak Jain, founder of Mayfair Consultants.
"For instance, the large American chains are governed by US-bound laws on data protection. There is a lack of clarity from the brands and owners' side on what they sign off on during the contract and upon its termination," he said. "Also, if a contract gets terminated, who is responsible for the customer data?"
Hotel owners look to renegotiate long-standing deals amid concerns over liability exposure; the sector more vulnerable than others: Experts