China’s Privacy and Promise for Hospitality

Published on November 17, 2020

The COVID-19 pandemic has undoubtedly wreaked economic havoc on the travel and tourism industry. Hospitality has been hit especially hard, resulting in catastrophic revenue loss, unparalleled hotel shutdowns, and employee furloughs and layoffs. Remarkably, China appears to be the industry’s proverbial light at the end of the tunnel. For instance, hotelier behemoth Marriott International Inc.’s third quarter profits have been buoyed by quickly recovering occupancy levels in China. Marriott’s third-quarter 2020 results released on November 9, 2020, indicate that Marriott’s Greater China region operations reached 61% room occupancy, just a 10-percentage point decline from a year ago. The all-important metric of Revenue Per Available Room rebounded to $63.05, down just 26% from last year.[1]

Notably, the hospitality industry anticipated China’s economic value well before the pandemic and invested heavily in the market. For instance, in 2017, Hilton Worldwide embarked on an ambitious plan to increase their presence to 1,000 operating hotels in China by 2025.[2] Since the U.S. continues to struggle with containing the virus, China’s economic promise is even more critical to the hospitality industry’s survival.

However, with opportunity comes risk. China, like the rest of the globe, is increasingly focused on the security and privacy of its citizens’ personal information. This is evidenced by the Chinese government’s rapidly evolving cyber security and data privacy legislation. For instance, in November 2016, the National People’s Congress passed China’s Cyber Security Law (CSL). Ostensibly, the CSL was designed to enhance network security requiring “critical information infrastructure operators” to store their data within mainland China and to allow for government agencies to conduct security checks.[3]

This past summer, the Chinese government issued its Draft Data Security Law (DSL), which further emphasizes the importance of safeguarding data security.[4] More specifically, the DSL requires entities collecting personal information on Chinese citizens to have sufficient technical and legal security measures in place to protect personal information from unauthorized access.

Most recently, China released its Draft Personal Data Protection Law (PDPL). The PDPL largely echoes the EU’s General Data Protection Regulation. Like the GDPR, the PDPL emphasizes core data protection principles like individual rights, data classifications such as “sensitive personal information,” and data minimization. The individual rights granted to Chinese citizens by the PDPL are almost identical to those of the GDPR, including the right to know, access, copy, correct, and delete one’s personal information. Also similar, personal information handlers are required to appoint data overseers responsible for safeguarding personal information.[5]

The PDPL does, however, vary from the GDPR in both minor and significant ways. For instance, the PDPL uses “handlers” to refer to data controllers or processors and “data handling” instead of data processing.[6] Similar to the GDPR, handlers must notify individuals and provide the handler’s identity and contact method, the purpose of handling, categories of personal information, the retention period, and the methods available for individuals to exercise their individual rights.[7]

Another variance between the PDPL and the GDPR is that the former does not differentiate between a data “controller” and a data “processor.” Instead, “where two or more personal information handlers jointly decide on a personal information handling purpose and handling method, they shall agree on the rights and obligations of each” and all bear joint liability for the compromise of such personal information.[8]

Notably absent from the PDPL is the GDPR’s Article 45 concept of third country “adequacy.” Instead, under the PDPL a data handler must meet one of the four following requirements before conducting a lawful cross-border data transfer: (1) pass a security assessment, (2) undergo a PI certification, (3) conclude an agreement with the foreign receiving party on the rights and obligations provided by the PDPL, or (4) meet some other condition required by law.[9] Furthermore, prior to any transfer of personal data outside mainland China’s borders, the data handler must notify affected individuals of such transfer and obtain their specific consent before doing so.[10]

While the PDPL and DSL still require finalization to become law, global companies operating within China’s borders and collecting personal information on its citizens must be cognizant of the above. Those hoteliers with mature GDPR compliance programs are already well ahead of their competition. However, even those that do have a high-functioning privacy program are likely under extreme pressure due to the financial impact of the COVID crisis on the industry.


ADVISORI can help.

Our experts have hands-on experience building and maintaining data protection programs in China. We have the people, processes, and technology to assist our clients with building a robust and cost-effective compliance and data governance program. We also have a tried and true playbook.

[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]

Foundational to any data protection office is the knowledge of where organizational data resides and the categories of such data.

To achieve this fundamental goal, we use’s advanced technology to scan our clients’ networks for personally identifiable information in both and unstructured data sources contained in either on-premises or cloud environments.

[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]

We then can categorize our clients’ data as required by the PDPL.

This allows us to precisely catalog our clients’ data thereby creating a data “library.”

[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]
[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]

From here, we can perform critical data mapping necessary to assess the legality of cross-border data transfers.

Just as critical, we can trace each and every data element back to a specific data subject to ensure that our clients are able to fulfil all data subject access requests quickly, efficiently and thoroughly.  

[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]

Please visit us at to learn more.

[3] See Article 37 of China’s Cybersecurity Law
[4] See Article 12 of the Data Security Law of the People’s Republic of China (Draft)
[5] See Articles 51 and 52 of the Personal Data Protection Law (Draft)
[6] See Article 3 of the Personal Data Protection Law (Draft)
[7] See Article 18 of the Personal Data Protection Law (Draft)
[8] See Article 21 of the Personal Data Protection Law (Draft)
[9] See Article 38 of the Personal Data Protection Law (Draft)
[10] See Article 39 of the Personal Data Protection Law (Draft)