Image source: https://bit.ly/37HP0jL

This Article is written by Shruti Kulshreshtha, from Symbiosis Law School, Hyderabad. This is an exhaustive article explaining the concept of right to privacy of a guest in a hotel room and how to ensure that you are secure in the hotel.

Introduction

The modern hospitality industry is facing a new challenge: managing the obligation to protect the guest’s privacy during his/her stay in the hotel. This obligation arises the moment when the guest enters into a contract with the hotel upon checking in. Safeguarding the privacy of the guests is a quintessential part of providing the best experience and an expression of respect towards the dignity of the guests. Customers share a lot of personal information with the hotels and that is why the issues of customer privacy, transparency and data protection have come to light.   

What customer rights do hotel guests have?

Hotels have a duty of care towards the guests staying at their hotels. The paramount duty is the protection of privacy of the guests and at no cost can it be compromised. Hotel guests have numerous customer rights such as the right to remain in the hotel for a reasonable time, right to safety and security, etc. But when it comes to right to privacy of a guest, the following are the duties of the hotels for privacy protection:

Download Now
  1. Respecting room privacy: Respecting the guest room privacy is the primary obligation of the hotel in executing the right to privacy of a hotel guest. This right includes the guest’s entitlement to enjoy the room without any obstruction, unwanted visitors and hotel staff interruption. By checking-in into a hotel room, the guest turns the service provided by the hotel from a public facility to a private facility. Hotel room privacy shall be maintained by respecting the guest’s intimacy and personal time. In the landmark judgment of Donoghue vs Stevenson (1932, HL ER 562), the Court had stated that duty to respect guest room privacy implies that the guest must feel safe in the hotel and the hotel-keeper should conduct like a good neighbour towards the guest staying in his hotel. Respecting room privacy suggests that there should be no third party intrusion in the peaceful enjoyment of the hotel room by the guest.
  2. Discretion of Hotel staff: The easiest way of breach of privacy of a hotel guest is by the staff. They have access to all files, data, rooms and even personal access in hotels. Hence, regulating the possibility of disclosure of personal data of the guest by the staff is crucial. This includes the careful entrance of the staff in the guest’s room, prohibiting the disclosure of data of the guest and keeping the guest’s secrets confidential. The staff should keep all such information secret that he has heard, seen or witnessed about the guest. Hotels must pay minute attention to keeping their staff discreet for protecting the privacy of their guests. This can be done by limited access to personal information of the guests, password-protected systems, inaccessibility of data by unauthorised persons and not revealing information like name, room number, age, address, occupation etc about the guest. 
  3. Registering false name: Although it is absolutely important to furnish original information and IDs, the guests can ask the hotel management to register a fake name in the folio. This happens when famous celebrities or popular personalities visit the hotel but wish to enjoy privacy. In such a case, the guest is required to check-in with his real name and IDs but the folio is updated with a fake name. This practice is completely legal only if the guest gives his original details to the hotel. 
  4. Rights pertaining to personal data: Guests have to provide their personal information to the hotels. Hotels can give some rights to the guests pertaining to their own personal information. This includes right to access information, right to rectify information, right to erasure or right to be forgotten, right to object, right to restriction on processing etc. These are not mandatory rights but one can claim these rights if the hotels provide them.     

new legal draft

Relevance of privacy and data protection in a hotel business

In the age of growing competition, all hotels aim to provide a personalised experience to their guests. To achieve this, a detailed note on guest preferences allows them to be more precise and cater to the customer needs in a more effective manner. These guest preferences are key to the promotion and marketing of the hotels. Before diving into the topic of protection of data, it is important to know what all kinds of information is collected by a hotel. Personal information is collected either upon check-in or through loyalty programmes. This includes name, age, residential address, birth date, email address, contact information. In some cases, hotel management also collects information on marital status, anniversary date, income group, food preferences and credit card information. Hotels intend to attain as much information as they can in order to anticipate the need of the guests and for future marketing. 

Data protection laws are still evolving in India. These have a bearing on the ownership of data collected by a hotel and its protection thereof.     

Nature and ownership of guest data

Hospitality Management Agreements states that the ownership of data lies with the manager. This clause has been the reason behind conflicts between the manager and owner due to the essentiality of customer data. These conflicts are based on the fact that such data is collected by the hotel employees, who are the employees of the owner and not the manager. 

The nature of customer data is also a debatable subject. In the case of American Express Bank Limited vs Priya Puri (2006 IndLaw DEL 362), the Court held that customer data can contain trade secrets and should be protected by the hotels accordingly. However, this is not true with every kind of data so collected. Some customer data is essential for daily routine and cannot be kept to oneself. Such data cannot be termed as a trade secret, though there is no specific legislation that governs trade secrets but is subject to terms of contract. But the equitable protection of trade secrets does not require a contract to be in force, in some cases as is recognised in the case of John Richard Brady and Others vs Chemical Process Equipments Pvt Ltd and others (1987 IndLaw DEL 10356)

Further, customer data collected by a hotel can comprise literary works subject to the Copyrights Act, 1957 and should be protected by the hotel. This is a right in rem of the customer and is not dependent upon the terms of any contract. This was observed in the case of Vogueserv International Private Limited v Rajesh Gosain and others (2013 Indlaw DEL 3125). If guest data comes under the realm of copyright, then such data can be used by the hotel only after adhering to the provisions of licensing and assignment under the Copyright Act.

Data privacy laws

There is no specific legislation on data privacy in India. Right to privacy is enunciated under Article 21 of the Indian Constitution. Presently, two bills are pending in the upper house relating to data privacy, which are, Personal Data Bill, 2016 and Personal Data Protection Bill, 2014. Both these bills aim to provide a framework for collection and sharing of personal data and enabling the consent of the provider to use personal data. Personal data can be considered as such data which reveals the identification of an individual. 

Since the majority of the customer data is saved electronically by the hotels, the provisions of Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011 are mandatory to abide by. The IT Rules protect both ‘personal data’ i.e. “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person” and ‘sensitive personal data’ that is, certain specific information, such as passwords, financial information like bank account or credit card or debit card or other payment instrument details, physical, physiological, and mental health condition, and medical information. Since all these customer information is capable of identifying an individual, the hotel has a duty to protect this data.

The IT Rules calls for framing of a privacy policy of a body corporate which should be readily available to the customer to be well informed about the type of personal data collected and the manner of usage of this data. This privacy policy should be published on the website of the hotel and should be available at a conspicuous part of the website for the disposal of the customer. Information providers are entitled to review this information and add or rectify it, if needed. If hotel management desires to forward customer data to affiliates and service providers, express consent of the customer is mandatory for sharing data. The IT Rules require certain shields if there should be an occurrence of move or transmission of the data usage of strategies as for security practices and systems by the hotel. The authorities of individual data are likewise required to build up a component for redressal of complaints inconsistency with the arrangements of the IT Rules. Violation of the provisions of the IT Act and Rules lead to penalties. 

Data breaches

Considering the increased cases of hacking and need for guest data by organizations worldwide, the information collected by the hotels are under constant threat of undergoing a data breach. Hotel Management Agreements are silent on the aspect of data breach. Although the owners should bear the damages attached to the offence of data breach, however, there are events of force majeure like third party acts, which cannot be controlled by any IT systems of the hotels. Insurance can be a solution to data breaches, but its efficiency is questionable. 

Privacy policy of hotels

Majority of the premier hotels have a privacy policy which states all the rules and regulations regarding the use of personal information of the guest. The guests are expected to go through this policy so as to ensure that their information is not going to be misused in any way. Privacy policies also help the hotels to discharge themselves from any unwanted liability in the future. Having a well-drafted privacy policy brings about clarity and trust between the hotel and the guests. 

The privacy policy is available on the website of the hotel (if any) and the guests are asked to consent to the terms of this policy when confirming a reservation in the hotel, joining the loyalty programmes, joining events or otherwise when required. 

  • Lawful basis for processing data: Hotels process information of the guests because they enter into a contract with the guest. The guest can provide express consent to carry out such services which require information. Personal data of the guests is also processed to comply with the applicable law. Sometimes, hotels collect information to know better about the choices and preferences of the guest to provide them with a personalised experience. 
  • Types of personal data collected: What type of personal information is collected totally varies from one hotel to another. Some general data usually collected are:
    • Personal Information (name, date of birth, marital status, name of spouse, address, contact information);
    • Passport and visa details;
    • Identification proof/ Address proof (PAN Card, Aadhar Card, Passport, driving license);
    • Guest Stay information (Number of times visited in the hotel, date of arrival and departure, any special requests made, services availed, goods purchased);
    • Payment details (Credit/Debit Card Information);
    • Loyalty Membership (Account details, passwords etc.);
    • Information for Special Requests (Medical condition, food allergies, preferences);
    • Information collected through CCTVs;
    • Photographs; and
    • Any other information that the guest willingly provides.
  • Situations in which personal data will be used: It is crucial to mention that when will the hotel use the information collected. It is used to allow the hotel to perform the contract and to comply with the legal obligations. Such information can be used for administration of the contract, business planning, accounting and audit, providing services, benefits, dealing with legal obligations, to prevent fraud, to ensure network and information security etc. Hotels can also use this information to conduct studies and for the purposes of public interests. 
  • Disclosure of personal data: The Privacy policy states the parties with whom personal information of the guest will be shared. Again, this varies from hotel to hotel, but the primary parties who have access to the guest’s personal data are the hotel, its limited staff members, third-party service providers, law enforcement agencies, with advisors such as lawyers, accountants, auditors etc.
  • Information of minors: It totally depends upon the parent or legal guardian of the minor, whether they wish to provide personal information about them. However, some basic information is collected which is mandatory for the hotel’s records.
  • Other Information: The Privacy Policy of hotels can include clauses as per their own wish and requirement. Some hotels mention about the overseas transfer of personal data and about how the guests can control their personal information.  

Violation of privacy through CCTV cameras

In the age of technology, security is becoming more and more crucial. Public places are thus covered with the help of CCTVs to keep an eye on the ongoing situations in that area and trace offenders. CCTVs discourage crimes as they can successfully identify wanted criminals, avoid illegal activities and also keep a check on crimes. Majority of the hotels have installed CCTVs in the public areas of the hotels to ensure the security and safety of all the guests. Hotel CCTVs restrict intruders and the possibility of trespass. CCTVs can also capture unethical practices thereby giving a competitive edge to the hotel. There should be no reasonable expectation of privacy in public areas. However, hotel rooms do not fall under this ambit. Surveillance equipment is said to be legally placed when they are limited to the public areas of the hotel. Privacy is infringed if CCTVs are placed in rooms or washrooms. Even a camera facing a room window is considered to be invading the privacy of the individual staying in that room. 

The areas that are off-limits to place a CCTV camera are those where there is a general expectation of privacy. This can include hotel rooms, locker rooms, washrooms, rented areas etc. as the guest anticipates that no one will be watching him/her in these areas. Section 66E of the Information Technology Act, 2000 can be used for seeking redressal due to invasion of privacy of a guest because of CCTVs. If a camera captures images of the private parts of a person, male or female, or transmits such images without consent, the offender can be booked under Section 66E.       

Steps hotel guests can take to improve privacy and data protection

Hotel guests should be vigilant in ensuring their own privacy. The following shall be observed to ensure data protection and privacy and improve the experience of stay in a hotel:

  1. Ensuring that the hotel has a privacy policy in place. Customers should avoid staying in hotels or giving out information to those which have not adopted a privacy policy.
  2. Reading the Privacy Policy thoroughly. The privacy policy mentions the information that will be collected from the guests and how the hotel will use this information. Reading and understanding these clauses will make the guests aware of the rules of disclosure and the rights that they have with regards to this information.
  3. Avoid giving sensitive information. The guests should provide only that information which is crucial for the hotel and should avoid giving data that is sensitive, specifically any kind of financial data.   
  4. Checking the scope of surveillance. The guests should always ensure whether the private areas of the hotel such as hotel room, washrooms etc. are not installed with CCTVs.
  5. Do not share any personal information directly with the hotel staff. Although hotel staff is trained accordingly, there can be a possibility of information leak by the hotel staff which is untraceable.  
  6. Be smart about your passwords. Do not share passwords with anyone even if they can be trusted upon. 
  7. Report a data breach, if you notice. 

Steps to be taken by Hotels to ensure Privacy and Data Protection

A customer relationship is built only when the customer trusts the hotel management. Gaining the trust of the customer is no easy task. The most vulnerable point of a guest is the protection of the data provided by him. Customer data is increasingly under the target of hackers since hotels collect important information about the customer. The success of the hotel is measured by the quality of experience provided to the customer and this can be achieved by prioritizing safety. There are certain measures and steps that can be adopted by the hotel to ensure that the data collected by them is safe and secure. Hotels can engage in the following to circumvent it:

  1. Assess the risk of the current security system. Hotels can identify the strengths and weaknesses of the current security system in place so that they can improve upon the weak areas. This evaluation can involve checking online reservation systems, third party sites, payment systems, Wi-Fi systems etc. Such inspection should be conducted at reasonable intervals.  
  2. Proper training of employees. The closest people to personal data of customers are the employees. Employees should be trained about the right and wrong of sharing private information and the importance of keeping guest data confidential. 
  3. Cybersecurity training. Educating the managers and other employees about cybersecurity can prove to be the best way to nurture a cyber-safe hotel. Hotels can also dedicate a cybersecurity team in order to elevate the business amongst competitors.
  4. Investment in high-quality cybersecurity infrastructure. A weak security infrastructure will be of no use in protecting data from hackers. Cybersecurity insurance is a great way to avoid damages of a data breach.
  5. Address statutory and regulatory issues. Respond to data breaches by conducting internal investigations.   

Liability of hotels

According to the common law doctrine of infra hospitium, the hotel is liable for any loss or damage caused to the property of the guests except when it is due to an act of god, guest’s own fault or any other irresistible force. The hotel will also be liable for the injury caused due to defective or insufficient infrastructure at the hotel. This is the general rule of liability applicable to hotels. Data, though it is also the property of the guest, being a technical aspect requires some extra care and liability. 

Infringement of the privacy of the guests amounts to the hotel’s contractual liability for non-proprietary damage to the guest. Invasion of privacy can cause various non-proprietary damage to the guests such as discomfort, anxiety, insecurity, frustration, mental pain etc. The leak of wrong personal information of the guests can also result in defamation. Hotels are liable for the breach of privacy. Hotels will be liable under the Information Technology Act and Rules when there is an electronic breach under Section 66E, Section 67 and Section 72 of the Act. Let us understand the liability of the hotels in most common breaches of the guest’s privacy:

  1. Staff Intrusion: There can be cases wherein the hotel staff intrudes into the guest room, thereby invading into the personal space of the guests. Although hotel staff is allowed direct contact with the guest and to approach their room with their consent, however, this practises should be limited. A common practice worldwide is to hang tags of ‘Do Not Disturb’ at the room entrance to make the staff clear about the need for privacy. Hotel staff should abide by the tags outside the room. Even after that, an intrusion amounts to contractual non-proprietary damage to the guest. In Rose vs Plenty (1976 CA ER 97), the UK Court held the hotel liable for losses due to unauthorized and negligent intrusion by staff members which resulted in anxiety and fall vacation. There are a few exceptions where the hotel staff can intrude into the guest room which are Maintenance, imminent danger, non-payment of dues, room service and expiry of the rental period.
  2. Release of Unauthorised person: The hotel will be held liable if they allow the entry of an unauthorised person into the room of the guest. An unauthorised person means a person who has been allowed entrance without the express permission or consent of the guest. This act violates the privacy of the guest and hence, the hotel is liable for the same.
  3. Recording and spying: The hotel will violate the privacy of the guest if they record, spy or wiretap on the guest in an unauthorised manner. The consent of the guest is mandatory while recording his activities, otherwise, is a violation. The detection of this violation is the hardest part of all and when it comes to the knowledge of the guest, they feel very uncomfortable. This offence takes place when the hotel illegally wiretaps the guest’s phone, spies on him from peepholes etc. Also, placing the CCTVs or their range at a place which tends to breach the privacy of the guests, makes the hotel liable for non-proprietary damages.
  4. Giving Customer data to third parties: Forwarding the personal information collected by the hotel about the guests to third parties is illegal and represents the violation of right to privacy of the guest. The hotel is liable for non-proprietary damages. This information includes information like, name, age, address, contact information, financial information, marital status etc. However, hotels can mention the transmission of information in their privacy policies and make the guests go through it. This will amount to consent by the guest to give information to the specific third parties that are mentioned in the privacy policy.                    

Landmark judgements

Justice K S Puttaswamy (Retd.) and Another vs Union of India and others

Justice K S Puttaswamy and Another vs Union of India and Others (2018) is a landmark judgment in the regime of privacy laws in India. The Supreme Court of India declared the right to privacy as a fundamental right under Article 14, 19 and 21 of the Indian Constitution. The nine-judge bench unanimously held that privacy is an intrinsic part of the right to life and personal liberty under Article 21 of the constitution. This judgement also paved the way in ensuring the right to privacy in a hotel room, making it a fundamental right.

American Express Bank Limited vs Priya Puri 

In the case of American Express Bank Limited vs Priya Puri, the issue before the court was regarding the confidentiality of information containing trade secrets. The defendant’s confidential information on customer records and information was to be protected by the employee. The defendant left the employment of the hotel to join a competitor hotel along with all the customer data and information attained from the plaintiff. The defendant contended that information such as name, phone number and address do not fall under the ambit of confidential information or trade secrets since it can be accessed easily on any public domain. The Court held the defendant liable for breach of confidentiality.    

Conclusion

Protection of data and privacy of a guest are the two challenges and achievements of the tourism industry. It is the hotel’s duty to respect the integrity and safety of the guest staying in his hotel. The hotel management cannot escape their obligation to safeguard the privacy of the guest. At the same time, the guests should also be aware and vigilant with their personal information and should take all necessary steps in order to ensure that their personal data is safe. There is a need for regulations on privacy in a hotel room so that hotels are mandated to ensure privacy by order of the government itself. Both cyber privacy and physical privacy are indispensable in the present era but they require sufficient legal backing and supportive infrastructure.   

References

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here