Insight: Should Data Protection be part of Hotel Licensing Regime?
Background: The Marriott’s 2018 Data Breach Incident
On 9 July 2019, the Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International (“Marriott”) GBP 99,200,396 (approx. HKD 1 billion) for infringements of the EU’s General Data Protection Regulation (“GDPR”) relating to a data breach incident that occurred in November 2018.
Marriott became aware that the IT system of one of its acquired group companies, Starwood, had been compromised in 2014, but only discovered this in November 2018, when a security tool detected an unusual database query. The investigation established that the hackers had used a Remote Access Trojan (RAT) and Mimikatz to take control of an administrator account. As a result of the incident, more than 339 million guest records worldwide were exposed, of which 30 million Marriott guest records, related to more than 31 countries in the EU, were exposed and compromised.
Although Marriott responded quickly to the breach by making the necessary improvements to its security arrangements, it still faces a possible fine of GBP 99 million under the GDPR provisions.
Hospitality Sector and Data Protection in Hong Kong
Operations of hotels/guesthouses and bedspace apartments in Hong Kong are governed and regulated by the Hotel and Guesthouse Accommodation Ordinance (Cap. 349) (“HGAO”) and the Bedspace Apartments Ordinance (Cap. 447) (“BAO”) respectively.
The HGAO and BAO establish a licensing regime to ensure that the premises of hotels/guesthouses and bedspace apartments comply with the building and fire safety standards specified in the Buildings Ordinance (Cap. 123) (“BO”) and the Fire Services Ordinance (Cap. 95) (“FSO”).
The Office is responsible for administering the licensing matters in accordance with the provisions under the BO and FSO.
The Office’s present Standard Licensing Requirements for Hotel/Guesthouse (General)/Guesthouse (Holiday Flat)/Bedspace Apartment Licence (the “Standard Licensing Requirements”) focus only on the safety of the premises, and do not prescribe requirements for sound data protection and data governance as part of the licensing regime.
Should data protection be part of the hotel licensing assessment criteria?
Since Marriott’s 2018 data breach incident and the GDPR coming into force in May 2018, there have been discussions on whether the Office should take a stronger stance in safeguarding personal data in the hospitality sector by amending its hotel licensing assessment criteria and the guides and codes of practice for hotel licensees.
As a firm dedicated to advocating better awareness of data protection and data governance issues in Hong Kong, our in-house research team at ADG has the following suggestions for the Office to consider:
(1) issuing an Information Security and Privacy Protection Policy and Guidelines (the “ISPPPG”) for licensed hotels and guesthouses to follow, and issuing guidelines or circulars on data protection and governance;
(2) adding an extra criterion on data protection and governance to the Standard Licensing Requirements, so as to ensure that the applicant is in compliance with the Personal Data (Privacy) Ordinance (PDPO) (Cap. 486) and market standards;
(3) performing random inspections and checks on licensees to ensure that the PDPO and the relevant privacy and data protection standards are met. In particular, since the EU’s General Data Protection Regulation (GDPR) is now in force with extra-territorial applicability in terms of its enforcement powers, the hotel and guesthouse industry in Hong Kong could be seriously affected, as many visitors staying in Hong Kong come from the EU;
(4) as many hotels and guesthouses may also rely on third parties for their daily operations, and visitors’ personal or sensitive data may be transferred to those third parties, extra care is needed to ensure that third parties do not misuse the data or cause a data breach. The Office should consider addressing this issue by adding an extra criterion to its licence assessment to ensure that hotels and guesthouses have in place an effective Data Breach Reporting Mechanism and contractual means to protect the transfer of data to third parties;
(5) in the event that an ISPPPG is adopted, encouraging licensees to implement Privacy Management Programmes (PMP) in their business operations, so that the necessary requirements across the data life cycle are comprehensively covered;
(6) amending licensees’ codes and guidelines so as to include the requirements of the PCPD’s Code of Practice on the Identity Card Number and other Personal Identifiers (Apr 2016) (the “HKID Code”) and Guidance on CCTV Surveillance and Use of Drones (Jul 2010) (the “CCTV Guidelines”); and
(7) hosting relevant training courses for licensees to ensure that their managers and senior staff are familiar with the PDPO, the data protection codes and guidelines and, more specifically, the requirements of the HKID Code and the CCTV Guidelines.
Our research team believes that the above suggestions will help protect data subjects and hotel/guesthouse licensees from cyberattacks and data breaches, and we hope that the Office will consider them.
For more information regarding the APEC CBPR system and advisory work on section 33 of the PDPO, please contact ADG at firstname.lastname@example.org or Tel: +852 3725 4806.