

There Is No Safe Harbor In This Perfect Storm

by Marion Roger

On October 6, 2015, the European courts ruled that the 15-year-old Safe Harbor Act is immediately invalid, citing that it clearly violates privacy rights. This has a direct impact on how hotels operate overseas or, for readers without hotels in Europe, how they treat information about guests who live in Europe and travel to their hotels. Whether you know about Safe Harbor or not, you should understand why this is so important.

Hotel groups based in the United States all transfer guest data: when a guest who resides in Europe books online or at the call center, this data is taken overseas and into the hotel group’s CRS and the property’s PMS, which typically are hosted in the U.S. Many hoteliers know the EU’s stiff and complex rules on data protection have for years made it illegal to transfer personal details to any country that does not meet the bloc’s privacy standards.

In fact, the EU views the U.S. as UNSAFE and in all fairness has viewed it that way for years, long before Snowden or the Target/Home Depot/Wyndham/Neiman Marcus/OPM/insert breach name here.


Simple: there is no U.S. federal legislation on data protection or privacy in general. Hospitality does not fall under the framework of legislation the way the healthcare industry does (i.e., HIPAA), thus privacy laws have created few if any obstacles for North American hospitality companies over the years. Many hoteliers reading this may not even be aware they are violating laws because the city or state their company is incorporated in does not address the issue, yet they are housing guests from places that do, including Massachusetts and Canada as well as Europe and Asia.

Until last week, our industry had a great “workaround.” Under “Safe Harbor” Rules, U.S. firms were allowed to transfer personal data of European citizens back to the U.S. provided they “followed one set of rules on how data they store and collect within the European Union is protected.” Safe Harbor’s rules governed what companies can do with information they gather, including the kinds of personal data garnered from users’ posts on social media, when searching the Web, when buying items online (including travel) and other activities. In other words, given the U.S. does not have broad-reaching federal privacy laws to comply with, American firms received a pass as long as they depended on the framework of Safe Harbor as the basis for handling data of guests from the European community.

The stunning and recent invalidation of the workaround has huge implications for the hotel industry. Some larger American-based hotel groups have gone very public with their promise to follow EU data privacy rules by signing up to self-certify under Safe Harbor, whereby they committed to apply the same stringent privacy laws that European companies are following. With the Safe Harbor rules in place since 2000 effectively done away with, each country in the European Union could potentially set its own privacy rules and regulations, creating a difficult situation for U.S. hotel groups who welcome guests from all the EU member countries.

CRM, ecommerce and outsourcing as well as the wonderful world of cloud-based service technology now combine to make a perfect environment for increased revenues, but in reality, this convergence makes for the perfect storm.

That fusion of the aforementioned technologies and our love affair with data mining means the massive data sharing we do, which is what we want to do, often what we need to do, and in fact what we are doing ALL THE TIME, is now a problem. Hotels could be breaking the law (no, really they are) every time they transfer guest data if the guest is European. Even if they stay in a hotel you own in Europe, if the data is then sent to the United States for the loyalty program or post-departure stay survey emailer, it is illegal!

While the immediate concerns have IT and legal teams scrambling, it’s important to recognize that this is not just an IT and legal issue. The executive team needs to take ownership and use a top-down approach to help prepare the company for the future. To stay ahead of the curve as data sovereignty evolves, consider adding a chief privacy officer and a chief information security officer to the executive team. They are not one and the same and are vital to the survival of your firm. Addressing the issues of data privacy and data protection will require specialized knowledge and full-time attention to handle future regulations that will inevitably be put in place across the globe as other regions follow the EU’s lead.

Many may know that without Safe Harbor, alternatives for protection at the moment include EU model contract clauses and binding corporate rules (BCRs), although the latter involve a sometimes lengthy approval process by European regulators. Many businesses, anticipating the legal issues with Safe Harbor, have already been using model clauses as a method for carrying out international data transfers. Ask your counsel.

At a minimum, begin to make an assessment of other options. Look at data flows. Assess scale and sensitivity of information that needs to be shared.

Look at existing contracts with cloud vendors – they might already include the use of model clauses. If they do not, try to find one that does, or modify your existing agreements. As part of your assessment, call your data privacy lawyer to make sure you have covered every angle. Stay tuned for more as the dust settles.
About The Author
Marion Roger
HRH Services LLC

Marion Roger is a specialist in the hospitality supply chain landscape who has led an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection. With a specialty focus on electronic reservation systems, payment technology protection and data security, Marion is a regular on the speaker circuit and contributor to Hospitality Upgrade on these key topics.
