Strategies for Global Brands in Navigating Data Localization Requirements
By Wendy Hansen Counsel, Eversheds Sutherland | December 2023
Co-authored by Michael Bahar, Partner, Rhys McWhirter, Partner, Andrew Garbett, Principal Associate, Jamie Leung, Associate, & Lucrezia Berto, Legal Officer, Eversheds Sutherland
It is a well-known fact that hotels collect tremendous amounts of data and the value of that data is only increasing.
Guest data ranges from basic contact information to fulfill a room reservation to sensitive information related to age, gender and food allergies.
Beyond the front desk, data is collected and processed in managing hotel staff and contracting with service providers.
Increasingly, however, governments are implementing data localization requirements that present substantial challenges to a global, "one brand" approach to hotel operations. If guest histories and preferences cannot be transferred cross-border, it may be difficult to deliver on a brand promise of personalized service. It can also be challenging for the human resources department to manage career progressions or implement diversity, equity and inclusion initiatives if employee data cannot be transferred cross-border. Implementing advanced technologies like facial recognition and other uses of Artificial Intelligence and biometrics may also face obstacles with the restriction on the free-flow of data. Service providers may also be unwilling or unable to offer localized solutions due to these requirements.
How can global brands best manage these requirements from a practical perspective? This article will give an overview of data localization, including summaries of key data transfer requirements in the European Union and the United Kingdom, Mainland China and the Middle East, and it will conclude with three strategies for global brands to address such requirements - (1) map it, tag it and track it; (2) aim for a globalized, risk-based approach; and (3) increase the use of clear, affirmative consents. The strategies can also help as other countries move to adopt their own data sovereignty laws.