Privacy check-in – POPIA pitfalls in the hospitality industry
Submitted by: Teresa Settas
By Prineil Padayachy, Senior Associate at Webber Wentzel
South Africa's hospitality industry is seeing a shift from traditional leisure-based tourism to experience-based tourism, focused on providing tourists with unique, authentic life-enriching experiences.
This shift has necessitated the rapid adoption of technological advancements such as digital contactless booking and reservations, digital tourism platforms, smart room technology that allows the automation of various Internet of Things devices (thermostats, lighting, entertainment systems, and cooling systems), AI-powered customer support, chatbots and service robots, virtual and augmented reality tours and experiences as well as enhanced biometric security and surveillance systems.
While these technological advancements may enable South Africa's hospitality industry to meet evolving customer expectations, one should not lose sight of the increasing invasiveness of these technologies and the impact that this will have on customers' privacy and personal information.
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection regulation that governs the processing of personal information. Businesses, particularly in the hospitality industry, may face various POPIA challenges as digitisation and innovation increase, as discussed below.
Inadequate data security measures
In terms of POPIA, responsible parties, meaning those who determine the purpose of and means for the processing, are required to protect any personal information in their possession or under their control. Responsible parties must implement appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and to prevent unlawful access to or processing of personal information. While POPIA does not prescribe specific security safeguards, it states that responsible parties must have due regard to generally accepted information security practices and procedures that may apply to them generally or be required by specific industry or professional rules and regulations.
While introducing advanced digital technologies and their interoperability has accelerated technological development in the industry, the technologies also increase a business' attack surface and bring additional vulnerabilities. Hospitality businesses should ensure that they implement robust security measures to protect all personal information in their possession or control and that these measures are regularly tested and updated to address any potential reasonably foreseeable risk to the personal information. Practically, these measures should at least be as secure as those security measures used by the average business in the hospitality industry and related sectors.
Processing of biometric information
Regardless of functionality, industry stakeholders who have implemented biometric systems must demonstrate a legal basis for processing such biometric information (which may include information based on a guest's physical, physiological or behavioural characteristics, such as fingerprinting, retinal scanning, and voice or gait recognition). Consent is one such legal basis, but it is not the only one available. Furthermore, industry players should be cautious when transferring biometric information to third parties, particularly if the information is shared with entities outside of South Africa, as this may require prior notification to the Information Regulator if the third party or foreign country does not provide for an adequate level of protection as required by POPIA.
Third-party data sharing
Given the shift to experience-based tourism, hospitality businesses have been collaborating to develop holistic tourism portals, allowing guests to not only book accommodation but also other interconnected services such as car rental or transportation, guided tours or other leisure experiences. These platforms have become common within the industry and involve the sharing and transferring of guests' personal information across various businesses and service providers.
When personal information is shared within South Africa, the entities that share the personal information (and special personal information, as the case may be) must demonstrate an appropriate legal basis to process and share such information. Examples of legal bases for sharing personal information include consent; processing that is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; and processing that protects a legitimate interest of the data subject or the responsible party itself.
POPIA, however, places additional requirements on responsible parties when transferring personal information outside of South Africa. Subject to limited exceptions, POPIA prohibits the transfer of personal information outside of South Africa. These exceptions include circumstances in which:
- a data subject has consented to the transfer; or
- the recipient of the personal information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection and terms materially similar to those contained in POPIA for the lawful processing of personal information.
If a responsible party is unable to establish an exception under Section 72 of POPIA, that party must obtain prior authorisation from the Information Regulator before transferring any special personal information (including biometric information).
There is no one-stop shop for POPIA compliance, particularly in a constantly growing business such as the hospitality industry. However, the above pitfalls attempt to demonstrate some of the common issues that should be considered when implementing new and advanced digital technology. Industry players must adopt a privacy-by-design approach to POPIA compliance in their various businesses, especially given the current digital and technological rat race in which the hospitality industry finds itself.