Few regulators have been as happy to take on corporate interests as the European Union in recent years.

What has been most remarkable is the willingness of European Commissioner for Competition Margrethe Vestager to tackle companies from across the Atlantic, with the likes of Apple and Google all on the receiving end of heavy fines.

The EU’s inclination to act as the world’s corporate enforcer is likely to be expanded into the realms of privacy and data protection through a new law coming into effect early next year. Experts say that law could have big ramifications for the travel industry.

The new General Data Protection Regulation was approved in April 2016 and will become enforceable across the 28 member states on May 25, 2018.

“The basic principles of data protection law remain the same – the key ones perhaps being that people’s personal information should be treated fairly and securely; it should be kept up-to-date and accurate; it shouldn’t be used for different purposes to those for which it was collected; it should only be transferred to countries outside the European Economic Area which offer an adequate level of protection,” said Jon Baines, Chair of the UK’s National Association of Data Protection Officers.

While the update may keep some things the same, one of the big differences over the previous incarnation is the increased territorial scope.

Any company found flouting these new data protection laws will be punished regardless of where it is based — and the fines could be pretty heavy. A breach of the rules could see fines of up to 4% of annual global turnover or $23.8 million (€20 million), whichever is greater.

“If you look at the field of competition law, for example, you can honestly say the only level at which the Googles, Facebooks and Microsofts have been held back is at the level of the EU. So there is some hope that EU-level legislation on this [data protection] would actually have a serious effect on these internet giants,” said Eerke Boiten, a professor in cyber security at De Montfort University.

Power to The People

What the EU is doing is handing greater control to the individual, something it has been keen to do in many other areas.

The balance is being tipped toward the consumer especially when it comes to consent. Companies will need to be clearer in their requests for information.

“The new law makes it clearer that if organizations are relying on someone’s consent to process their personal information, the consent should be valid – i.e. it should have been given unambiguously,” said Baines. “People should never feel ‘tricked’ into giving their consent.”

Consumers will be able to freely request information held on them and also ask for it to be deleted – also known as the right to be forgotten.

“The new regulations are here to protect consumer rights,” said Geoff Milton, director of sales at cloud security service ShieldQ. “This will force a shift in power from companies to consumers.”

Travel’s Data Problem

It is not difficult to understand why this update to the law should be of interest to travel and hospitality firms. Every day the sector handles and processes vast amounts of data, some of which is sensitive.

“The travel industry is considered one of the most vulnerable sectors to data threats, because they process such high volumes of personal data, passports and credit card information on behalf of their clients,” said Milton.

Each corporate and leisure travel transaction can see information passed between multiple firms, creating plenty of opportunity for leakage or breaches.

“I think it will have a big effect on the travel industry,” said Jonathan Armstrong, a lawyer at Cordery, which provides legal and compliance advice to businesses.

“Firstly the industry shares a lot of data — for example, if my employer books me a hotel, maybe about seven different entities share my data, e.g. the hotel booking agency, the hotel, the brand owner, the affiliate card provider, etc.,” he said. “Secondly, companies tend to outsource a lot of travel management. They are likely to be much more aggressive on compliance because of the greater fines and this means upgraded compliance will spread throughout the industry.”

In recent years, there have been plenty of instances of hotel breaches. InterContinental Hotels Group, Trump Hotels, and Hilton Hotels have all been targeted, and the fact that the attacks didn’t happen in the EU is irrelevant given that they are all likely to either hold or process data from some citizens.

“In the hospitality industry, the challenges are huge given that almost every hotel property is likely to be held responsible for private information and card data of European citizens,” said Milton.

Photo Credit: A range of credit and debit cards. The European Union has brought in a new regulation covering privacy and data protection. Sean MacEntee / Flickr