
The COVID-19 pandemic has undoubtedly wreaked economic havoc on the travel and tourism industry. Hospitality has been hit especially hard, resulting in catastrophic revenue loss, unparalleled hotel shutdowns, and employee furloughs and layoffs. Remarkably, China appears to be the industry’s proverbial light at the end of the tunnel. For instance, hotelier behemoth Marriott International Inc.’s third-quarter profits have been buoyed by quickly recovering occupancy levels in China. Marriott’s third-quarter 2020 results released on November 9, 2020, indicate that Marriott’s Greater China region operations reached 61% room occupancy, just a 10-percentage point decline from a year ago. The all-important metric of Revenue Per Available Room rebounded to $63.05, down just 26% from last year.
Notably, the hospitality industry anticipated China’s economic value well before the pandemic and invested heavily in the market. For instance, in 2017, Hilton Worldwide embarked on an ambitious plan to increase its presence to 1,000 operating hotels in China by 2025. Since the U.S. continues to struggle with containing the virus, China’s economic promise is even more critical to the hospitality industry’s survival.
However, with opportunity comes risk. Like the rest of the globe, China is increasingly focused on the security and privacy of its citizens’ personal information. This is evidenced by the Chinese government’s rapidly evolving cyber security and data privacy legislation. For instance, in November 2016, the National People’s Congress passed China’s Cyber Security Law (CSL). Ostensibly, the CSL was designed to enhance network security by requiring “critical information infrastructure operators” to store their data within mainland China and to allow government agencies to conduct security checks.
This past summer, the Chinese government issued its Draft Data Security Law (DSL), which further emphasizes the importance of safeguarding data security. More specifically, the DSL requires entities collecting personal information on Chinese citizens to have sufficient technical and legal security measures in place to protect personal information from unauthorized access.
Most recently, China released its Draft Personal Data Protection Law (PDPL). The PDPL largely echoes the EU’s General Data Protection Regulation. Like the GDPR, the PDPL emphasizes core data protection principles like individual rights, data classifications such as “sensitive personal information,” and data minimization. The individual rights granted to Chinese citizens by the PDPL are almost identical to those of the GDPR, including the right to know, access, copy, correct, and delete one’s personal information. Also, personal information handlers are required to appoint data overseers responsible for safeguarding personal information.
The PDPL does, however, vary from the GDPR in both minor and significant ways. For instance, the PDPL uses “handlers” to refer to data controllers or processors and “data handling” instead of data processing. Similar to the GDPR, handlers must notify individuals and provide the handler’s identity and contact method, the purpose of handling, categories of personal information, the retention period, and the methods available for individuals to exercise their individual rights.
Another variance between the PDPL and the GDPR is that the former does not differentiate between a data “controller” and a data “processor.” Instead, “where two or more personal information handlers jointly decide on a personal information handling purpose and handling method, they shall agree on the rights and obligations of each” and all bear joint liability for the compromise of such personal information.
Notably absent from the PDPL is the GDPR’s Article 45 concept of third country “adequacy.” Instead, under the PDPL a data handler must meet one of the four following requirements before conducting a lawful cross-border data transfer: (1) pass a security assessment, (2) undergo a PI certification, (3) conclude an agreement with the foreign receiving party on the rights and obligations provided by the PDPL, or (4) meet some other condition required by law. Furthermore, prior to any transfer of personal data outside mainland China’s borders, the data handler must notify affected individuals of such transfer and obtain their specific consent before doing so.
While the PDPL and DSL still require finalization to become law, global companies operating within China’s borders and collecting personal information on its citizens must be cognizant of the above. Those hoteliers with mature GDPR compliance programs are already well ahead of their competition. However, even those that do have a high-functioning privacy program are likely under extreme pressure due to the financial impact of the COVID crisis on the industry.