Read time: 3 minutes
In 2020, China launched a global data security initiative focused on strengthening international coordination for cross-border data flows and setting standards for the protection of personal data.
Ensuing data localization and data transfer rules affect how multinational corporations transfer personal information they collect from customers in the People’s Republic of China to other countries for storage and processing.
Complying with the new rules will no doubt impact the global data strategy of some international organizations, including hospitality chains.
How do international hotel operators collect and process personal information?
Hotel chains commonly use digital and cloud systems to perform functions like room reservation, guest check-in, group management and marketing. As a result, a large volume of guests’ personal information (PI), even sensitive PI, will be collected and processed by hotel chains, and cross-border transfers often occur, especially with global online travel agencies or affiliates under the same hotel brands on enterprise resource planning (ERP) systems.
Will hotels be legally required to store all data locally within China?
The short answer is that it is very likely. According to the Personal Information Protection Law (PIPL), a business that processes a large volume of PI must generally store the PI collected within China locally. This localization requirement may apply to international hotel brands and impose considerable costs, considering the significant number of guests they deal with in their daily operations.
- Data collected in China likely will have to be stored in China.
- Disclosure and consent must be performed when collecting personal data.
- Some cross-border transfer rules might be similar to those in the GDPR.