February 27, 2023

Key aspects of Chinese data residency for global hotels

As China re-opens rapidly from the pandemic, global hotel chains are seeing increased business. As the world’s second-largest economy, China is again attracting tourists and investors, which increases demand for its hospitality services.

To meet these expectations, hotel operators are utilizing new technologies such as the Internet of Things, big data, and cloud computing. Many industry leaders are deploying artificial intelligence and machine learning to ensure efficient service delivery without human error.

Because these innovations depend on large volumes of data, hotel chains must keep pace with data regulations if they are to remain compliant in real time.

In this article, you will learn about the critical aspects of data residency for the hotel industry in China and how to tick all the compliance boxes as a global hotel service.

Relations between data sovereignty, residency, and privacy

Data sovereignty, residency, and privacy are similar in that they all are aspects of data protection. However, specific key differences exist between them.

  • Data sovereignty refers to the authority of the government of a country to legislate over data originating within its borders and the structures set up to regulate its management.
  • Data residency is concerned with the geographic location of data, i.e., the country or region where it resides and is being stored.
  • Data privacy refers to the procedures and legislation that keep personal information safe. It protects an individual’s right to decide how, and how much of, their information is shared with others.

These terms, especially the first two, are often used interchangeably since both relate to where data is located. Sovereignty and residency laws are both ultimately aimed at ensuring data privacy.

Data compliance in the hospitality industry

Data sovereignty for hotels in China is ensured by three major pieces of legislation: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL). Further provisions appear in other laws, such as the Civil and Criminal Codes, consumer rights laws, and telecommunication regulations.

The PIPL is China’s supreme data law, amplifying all other provisions. It must be complied with in all stages of data management — collection, sharing, cloud storage, and transfer.

When global hotels handle the data of persons outside China, they are subject to the laws of the country from which the data originates. They must therefore pay attention to data residency requirements country by country.

Compliance in data collection:

Hotels need to collect personal information during bookings, check-ins, payments, and check-outs.

During booking, information such as names, financial details, facial data, and other biometrics is collected through the hotels’ apps, websites, and front desks, and even from third parties such as airlines or travel agencies. On arrival, guests usually have to provide some form of identification to confirm bookings, such as ID documents, physical or electronic signatures, personal details, or biometrics. Payments for hotel services are often made through Point of Sale (POS) terminals, which require credit card information. During check-out, the hotel may request reviews via phone, SMS, the internet, or apps. Several hotels offer unmanned services, replacing human interaction with smart technology.

All of these processes are powered by personal information, and all relevant laws must be fully complied with. The main requirement for collecting data under the PIPL is consent, given after the subject has been duly informed of the purpose of the collection.

Compliance during data sharing:

Hotels may need to share information with other branches, partners, franchises, or affiliates on some occasions. For example, sharing is required when hotels have limited software or equipment and must outsource processing to another party.

Joint processing occurs when the hotel, as an independent processor, exchanges data with other parties, such as airlines or travel agencies, for a common business goal. If the data is to be used for a purpose other than what was originally intended, the third party must seek fresh consent from the subject.

Before a hotel entrusts processing to another party, an impact evaluation of the processor must be carried out. This evaluation is based on five essential parameters: purpose limitation, legality, informed consent of the subject, storage limitation, and integrity through proper security measures. Security measures may include encryption, continuous monitoring, and access control.

The PIPL requires the sending and receiving parties to clearly define the purpose, period, processing methods, protection measures, rights, and obligations. National standards require that this agreement be written in the form of a contract and signed by both parties.

Compliance during cloud usage:

Currently, the cloud is used by about 51% of Chinese hotel chains to enhance processing and storage. Because private cloud is costly, most hotels rely on third-party cloud infrastructure. In such cases, the cloud service provider ensures the security and compliance of the cloud itself, while the hotel is responsible for the compliance of the data it places inside the cloud.

Securing the cloud means protecting everything used to run cloud services: hardware, software, and the network. The provider is responsible for safe storage, encryption, remote replication, and other safety measures, while the hotel is responsible for ensuring data compliance.

Where a hotel contracts a cloud service provider to provide data storage, the law defines this as entrusted processing. The parties must agree in writing on the purpose, method, and period of the entrusted processing, as well as the storage location, type, sensitivity, and volume of the personal information. All activities must comply with the agreed purpose and methods.

To simplify compliance, hotels that store large volumes of personal information in the cloud should anonymize it as much as possible. Anonymization makes it difficult to link the information to any specific natural person; it thereby becomes ordinary information, no longer subject to the rules on personal information. Other compliance practices include proper deletion after use or at the end of the stipulated storage period, and entrusting data only to compliant service providers.

Compliance during the cross-border transfer on the cloud:

Global hotels may need to transfer information from China to partners in a foreign country for business purposes. Data residency for hotels requires that applicable rules be obeyed when doing so.

Cloud access is not location-specific, so infrastructure located within China can be accessed remotely by foreign branches of the same hotel chain. That amounts to a cross-border transfer of personal information. Likewise, where the cloud system is located outside China and the hotel, as part of a global franchise, collects the personal information of individuals in China and uploads it to that cloud, this is also a cross-border transfer. Global hotels must be aware of the relevant laws and comply with them.

Organizations, like hotels, that handle bulk amounts of sensitive personal information fall within a class called critical information infrastructure operators (CIIOs). They are subject to stricter requirements during cross-border transfers. These requirements are listed in a later section.

Under Article 3(2), organizations outside China are subject to the PIPL when handling and transferring the data of Chinese residents.

PIPL data localization and transfer requirements for hotels

Since 2020, Chinese data residency and data localization for hotels have been covered by the PIPL.

As leading Chinese hotels now use digital technology to handle reservations, check-in, marketing, and payments, more sensitive personal information is required. This may include identification numbers, passport numbers, health information, and credit card details. The PIPL requires any business that collects large amounts of personal information to store it locally. This includes large hotel chains that regularly provide services to a large number of prominent guests.

The PIPL rules for transfers to branches, partners, global travel agencies, or affiliates outside China in the course of business are based on principles of transparency and lawfulness, among others.

Transparency requires that subjects be made aware of the transfer, its purpose, the recipient, the protective measures taken by the receiving party, and the duration of the arrangement. Companies usually spell these out in notices and privacy policies. Lawfulness means the transfer must be for a lawful purpose duly recognized under the PIPL. For hotels, such purposes typically include ID information requested during check-in and biometric and card details for electronic payments.

The PIPL provides steps that CIIOs must follow during transfer. They are:

  • External security assessment by the Cyberspace Administration Commission,
  • Standard contracts drafted by the committee binding both transferring and receiving parties, and
  • Data protection certification.

These requirements apply in all cases, in addition to the general rules on notice and consent of subjects.

Compliance with the PIPL requires that multinational hotels constantly review their IT structure, operations, and privacy policies. It is important to keep pace with China’s cyber protection and security programs at all stages of data management, including localization and transfers.

How InCountry can help hotels comply with Chinese data regulations

The hospitality industry has been the third most affected by data breaches, after the retail and finance industries. Each discovered breach comes with enormous financial penalties. So, while hotels adopt new technologies such as biometric (face, voiceprint, fingerprint) systems, smart assistants, and internet-connected rooms, compliance should not be neglected.

Complying with data residency requirements for hotels is indeed a very expensive and rigorous process. Many hotel operators are strained by the cost of reviewing their data processes time after time.

InCountry has an immediate and total solution for data compliance, no matter the region your business operates in. With data residency-as-a-service available worldwide, you get instant compliance with all protection laws wherever you are.

Here is how InCountry helps you achieve real-time data compliance:

  • InCountry is always in step with residency and localization requirements in countries with strict data regulations. We operate a certified cloud infrastructure, with which data can be localized in top-tier data centers within the given country.
  • InCountry uses and provides only the best security and protection measures by global standards. Talk about strong cryptography (SHA-256 hashing and AES-256 encryption), firewalling, network isolation, and intrusion detection; no one offers information security like InCountry.
  • We partner with only the best and most trusted security-compliant cloud service providers so that all stages in your data lifecycle are tightly secured. For example, InCountry works with Alibaba Cloud to provide full compliance with Chinese data regulations. Hotels in China can trust Alibaba Cloud InCountry Service.

Have a look at our products page to access a full array of our compliance and security offerings.

Feel free to consult with one of our experts or schedule a demo to discuss what opportunities you can get by selecting InCountry as your data residency partner.