New Delhi | Mumbai: Several hotel owners are rushing to renegotiate longstanding agreements with international operators and booking platforms to clarify data protection responsibilities under the new Digital Personal Data Protection (DPDP) Act and strengthen measures to prevent any breach of guest data.
The move reflects the growing concern among hoteliers about the liability exposure in an industry where guest information is exposed to several stakeholders including hotel management firms and travel companies, legal experts said.
They said the sector is more vulnerable than others, citing given prior instances of hacking and credit card theft and widespread sharing of guest data across property systems, brand platforms, online travel agencies (OTAs) and technology providers, creating multiple access points and higher dependency risk.
“Owners are waking up to the fact that they could be on the hook for violations they have no control over,” said Sujjain Talwar, partner at Economic Laws Practice (ELP).
Several existing industry contracts stretch over decades. They were signed long before data privacy emerged as a regulatory priority and contain little guidance on who controls guest data or bears responsibility for breaches. “These are typically 20- to 30-year management agreements that never contemplated privacy law,” Talwar said.
The DPDP Act, which came into force last year, imposes significant penalties for mishandling personal information and grants consumers new rights over their data.
Experts said many travel and hospitality companies are grappling with multiple challenges in understanding and implementing the rules in view of the complexities involved.
“As they deal with heavy volumes of PII (personally identifiable information) data that they receive directly from individuals and corporates under different arrangements, they are finding it difficult to envisage their responsibilities in all such arrangements where they may be treated both as a data fiduciary and a processor in some arrangements,” said Rahul Garg, managing partner at tax and regulatory consultant Asire Consulting.
Considering big hotel chains operate through management models, companies are discussing the responsibility matrix between property owners and the international chains, which is critical to decide the identification of who classifies as a fiduciary, he said.
Industry sources said international hotel chains, which typically operate properties under management or franchising agreements rather than owning them, have begun receiving queries and amendment requests from property owners seeking to limit their exposure.
These concerns are becoming critical factors during negotiations on brand selection and signings, said Deepak Jain, founder of Mayfair Consultants.
“For instance, the large American chains are governed by US-bound laws on data protection. There is a lack of clarity from the brands and owners’ side on what they sign off on during the contract and upon its termination,” he said. “Also, if a contract gets terminated, who is responsible for the customer data.”
Megha Agarwal, partner at law firm Khaitan & Co, said the focus is on identifying the data fiduciary, tightening data-sharing protocols, strengthening breach response mechanisms, and ensuring all parties are contractually aligned with the requirements of the law.
“DPDP’s emphasis on ‘reasonable security safeguards’ and breach notification makes the practical question of who controlled what system and when more consequential,” she said.
Garg said companies in such sectors would likely fall under the criteria of significant data fiduciary (once the thresholds are notified while it would likely be narrow), which would require additional measures of appointments of data protection officers, yearly impact assessment, etc.
“All this would require additional built-in systems in a timely manner. Also, certain restrictions would directly impact their businesses, such as a bar on ads targeting children up to 18 years of age, and cross-border transfer of data,” he added.
