On October 6, 2015, the European courts ruled that the 15-year-old Safe Harbor Act is immediately invalid, citing it clearly violates privacy rights. This has a direct impact on how hotels operate overseas or, for readers without hotels in Europe, how they treat information about guests who live in Europe and travel to your hotel. Whether you know about Safe Harbor or not, you should understand why this is so important. 

Hotel groups based in the United States all transfer guest data from a guest who resides Europe and books online or at the call center taking this data overseas and into the hotel group’s CRS and the property’s PMS which typically are hosted in the U.S. Many hoteliers know the EU’s stiff and complex rules on data protection have for years made it illegal to transfer personal details to any country that does not meet the bloc’s privacy standards. 

In fact, the EU views the U.S. as UNSAFE and in all fairness has viewed it that way for years, long before Snowden or the Target/Home Depot/Wyndham/Neiman Marcus/OPM/insert breach name here.


Simple: there is no U.S. federal legislation on data protection or privacy in general. Hospitality does not fall under the framework of legislation the way the healthcare industry does (i.e., HIPPA) thus privacy laws have created few if any obstacles for North American hospitality companies over the years. Many hoteliers reading this may not even be aware they are violating laws because the city or state their company is incorporated in does not address the issue, yet they are housing guests from places that do, including Massachusetts and Canada as well as Europe and Asia.

Until last week, our industry had a great “workaround.”  Under “Safe Harbor” Rules, U.S. firms were allowed to transfer personal data of European citizens back to the U.S. provided they “followed one set of rules on how data they store and collect within the European Union is protected.”  Safe Harbor’s rules governed what companies can do with information they gather, about the kinds of personal data garnered from users’ posts on social media, when searching the Web, when buying items online (including travel) and other activities. In other words, given the U.S. does not have broad reaching federal privacy laws to comply with, American firms received a pass as long as they depended on the framework of Safe Harbor as the basis for handling data of guests from the European community. 

The stunning and recent invalidation of the workaround has huge implications for the hotel industry. Some larger American-based hotel groups have gone very public with their promise to follow EU data privacy rules by signing up to self-certify under Safe Harbor; whereby they committed to apply the same stringent privacy laws that European companies are following. With the Safe Harbor rules in place since 2000 effectively done away with, each country in the European Union could potentially set its’ own privacy rules and regulations, creating a difficult situation for U.S. hotel groups who welcome guests from all the EU member countries.

CRM, ecommerce and outsourcing as well as the wonderful world of cloud-based service technology now combine to make a perfect environment for increased revenues, but in reality, this convergence makes for the perfect storm.

That fusion of the aforementioned technologies and our love affair with data mining means the massive data sharing we do is what we want to do, and often what we need to do, and in fact what are doing ALL THE TIME is now a problem. Hotels could be breaking the law (no, really they are) every time they transfer guest data if the guest is European. Even if they stay in a hotel you own in Europe, if the data is then sent to the United States for the loyalty program or post departure stay survey emailer, it is illegal! 

While the immediate concerns have IT and legal teams scrambling, it’s important to recognize that this is not just an IT and legal issue. The executive team needs to take ownership and use a top-down approach to help prepare the company for the future. To stay ahead of the curve as data sovereignty evolves, consider adding a chief privacy officer and a chief information security officer to the executive team. They are not one in the same and are vital to the survival of your firm. Addressing the issues of data privacy and data protection will require specialized knowledge and full-time attention to handle future regulations that will inevitably be put in place across the globe as other regions follow the EU’s lead.

Many may know that without Safe Harbor, alternatives for protection at the moment include EU model contract clauses and binding corporate rules (BCRs), although the latter involve a sometimes lengthy approval process by European regulators. Many businesses, anticipating the legal issues with Safe Harbor, have already been using model clauses as a method for carrying out international data transfers. Ask your counsel.

At a minimum, begin to make an assessment of other options. Look at data flows. Assess scale and sensitivity of information that needs to be shared.

Look at existing contracts with cloud vendors – they might already include the use of model clauses. If they do not, try to find one that does, or modify your existing agreements. As part of your assessment, call your data privacy lawyer to make sure you have covered every angle. Stay tuned for more as the dust settles.