Introduction
The Royal Decree 933/2021 (hereinafter referred to as the "Decree"), which establishes specific requirements for the registration of travelers in tourist accommodation, including the collection, conservation and communication of data to the appropriate authorities, became actionable on December 2, 2024. The Decree, established by the Spanish Government, obligates people and companies that offer lodging and/or rental car services to ensure documentary registration and information of natural or legal persons. To be precise, this Spanish law regulates the registration of guests in lodging establishments, and it has been strongly opposed by the industry rather than accepted.
Why was the Royal Decree 933/2021 enacted?
As reported, the goal is to enhance public security by enabling authorities to track and identify individuals staying in the country. Reportedly, a major reason for the enactment of the Decree can be attributed to past incidents of terrorism and the aim of containing criminal activities in the country. It must be noted that, as per the provisions of the Decree, travel agencies, tourist accommodation and car rental companies will be required to provide the Ministry of the Interior with more than forty (40) fields of information for accommodation bookings and more than sixty (60) fields of information for car rental bookings, which is said to be sensitive personal data.1
Who is obligated to comply with the Decree and what information is to be shared?
Any business (entity) providing overnight accommodation in exchange for consideration, including:2
- E-commerce platforms that act as intermediaries between lodging services and consumers through electronic means (e.g. the internet) insofar they provide said services in Spain.
- Lodging activities open to the public and regulated by the corresponding sectorial laws, such as hotels, rural houses, hostels, etc.
- Camping facilities and motor-homes.
- Tourism operators that act as intermediaries between lodging companies and consumers.
- Traditional rental car companies.
Key highlights of the Decree
- Introduction of the Platform for Guest registration – HOSPEDAJES, a platform developed by the Spanish Ministry of Interior on which the entities will have to collect the data specified in the Decree. This Platform will replace the present platforms, such as those of the National Police and the Civil Guard.3 Entities will have to register on the Platform to officially record their lodging activities.
- Increased number of fields of data to be collected – A major change this Decree has brought in is the obligation to provide 42 details about the reservations and travelers, which include:4
- First Name
- Last Name
- Gender
- ID Document number
- Document reference number
- Type of document (DNI, passport, TIE)
- Nationality
- Date of Birth
- Full address
- City
- Country
- Landline phone number
- Mobile number
- Email address
- Number of travelers
- Relationship between travelers (if any of them is a minor)
- Categories of Transaction data
- Communication obligations – At least 10 days prior to the commencement of the activity, the entities have to notify the competent authorities about the property details. Traveler and transaction data has to be transmitted to the competent authorities within 24 hours.5
- Retention period – The Data collected by the entities must be stored digitally for a minimum period of three years.
- Penalties – Failure to comply with the obligations set out in the Decree can result in substantial fines and penalties ranging from €601 to €30,000, depending on the severity of the violation.
Concerns
Ever since its implementation, the Decree has been criticized and subjected to opposition from the tourism industry of Spain. The European Travel Agents' and Tour Operators Associations contend that the companies under the scope of the Royal Decree will need to have in place an electronic registry in order to comply with the new obligations.6
The travel associations of Spain, ECTAA and ACAVE, go on to describe the Decree as violative of the European Data Protection Laws.
In an analysis of the Decree released by the ECTAA, the following key points must be noted:7
- The amount of data sought to be collected under the Decree is said to be 'enormous and invasive', and the collection also applies to minors.
- The purpose for collection of data is said to be vague, unclear and potentially far-reaching – the Preamble specifies that the purpose for such collection is to better fight against terrorism and organized crime.
- ECTAA further stated that the retention period of 3 years is 'disproportionate', especially in relation to the minors.
Other travel agencies such as The Business Federation of Territorial Associations of Spanish Travel Agencies (FETAVE), the Corporate Association of Specialised Travel Agencies (ACAVE) and the National Union of Travel Agencies (UNAV) list, among others, the expected consequences of the Decree, such as:8
- Impossibility to comply with the obligations within the deadlines set by the Decree given the inter-dependency of agencies on other providers such as accommodations, transport companies, etc.
- Overburdening of agencies, mostly being SMEs and micro-SMEs. These agencies will require dedicated investment beyond their reach to fulfill their compliances;
- Communicating such large volumes of personal data to the Ministry of Interior will require similar specific steps for treating and maintaining such data.
Conflict with the GDPR
- Lack of explicit consent – The GDPR is based on the concept of consent and creates a consent artefact for Data Controllers to exercise thereupon. Article 7 of the GDPR states specific conditions for processing of personal data of data subjects based on their explicit consent.9 In contrast, the Decree mandates collection of specified data, the standards of which are completely met under the criteria specified by GDPR.
- Excessive data collection – The Decree mandates companies to collect and store up to 43 data points from travelers, including sensitive personal information, which undermines principles such as data minimization and purpose limitation under the General Personal Data Protection Regulations (GDPR). Data minimization strictly limits the collection of data for a specific purpose.
- Rights of Data Subjects – Unlike the GDPR, the Decree does not specify that the data subjects be given the right to access, review, modify or request erasure of their personal data. Furthermore, it is unlikely that tourists will know how to exercise their rights in different jurisdictions.
- Minors – Unlike the GDPR, the Decree does not exempt minors and their personal data from collection by companies.
- Public interest – GDPR specifies that processing of personal information must meet an objective of public interest which must be specific and proportionate to the legitimate aim pursued.
- Foreseeability or reasonable expectation – The GDPR requires that a legal obligation related to data protection must be foreseeable to the data subjects,10 which is not the case with the travelers under the Decree.
- Threat to privacy – Obligating companies to maintain the personal information, including sensitive personal information, of travelers for three years exposes such data to misuse and increases the potential for cyberattacks and data breaches. This would make travelers the primary victims of such incidents.
Travel agencies in Spain have strongly opposed the new regulations as infringing upon the basic principles, the legal requirements and mandates, highlighting the potential risks and threats that the Decree entails. CEHAT had announced that it will take legal action against the Decree, challenging its disproportionate impact and incompatibility with the European directives.11
Data Privacy in Tourism Industry of India
India's travel and tourism sector is one of the largest sectors in the country, with a total contribution of about US$178 billion to the Gross Domestic Product (GDP) and international tourist arrivals expected to reach 30.5 million by 2028. Online travel agencies are a major reason behind the thriving tourism sector of India. While the tech-oriented growth has supported the industry with the adoption of cloud solutions and the development of Software as a Service (SaaS) technologies, it also requires a check on the data collection practices adopted here.
The Passenger Name Record Information Regulations, 2022
In 2022, the Passenger Name Record Information Regulations, 2022,12 (hereinafter referred to as the "Regulations") were notified to provide a definitive framework for collection of specified details of international passengers travelling by air. The Regulations were meant to enhance the detection, interdiction, and investigative capabilities of Customs Authorities using non-intrusive techniques for combating offences relating to smuggling of contraband such as narcotics, psychotropic substances, gold, arms and ammunition.13 The Regulations require the airline companies to share personal data ranging from passenger name record (PNR), mobile number and payment mode to travel itinerary with the authorities 24 hours before the departure of an international flight.14
The first phase of the system developed by the with the National Customs Targeting Centre-Passenger (NCTC-Pax), to implement the Regulations, will roll out in a phased manner starting from January 2025. In view thereof, all air transport service providers operating flights to/from India will have to register with NCTC-Pax by January 10, 2025.15
Key components of the Regulations
- Regulation 5 of the Regulations specifies the fields of information that the airlines are required to share with the Customs Department;
- No information revealing a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life;
- Passenger details shall be subjected to strict information privacy and protection in accordance with the provisions of the applicable laws in force;
- Passenger name record information to be received, stored, processed and disseminated in a secure system accessible to authorized officers;
- The passenger name record details received by the Customs Department shall be retained for a maximum period of 5 years, after which the same shall be disposed of by depersonalization or anonymization through masking out the relevant information necessary to identify an individual.
The Digital Personal Data Protection Act, 2023
Apart from the Regulations, which are enacted specifically for air transport service providers, there is no sector-specific law for the tour and travel industry in India. As a result, the tourism industry is subject to the provisions of the newly enacted Digital Personal Data Protection Act, 2023 (DPDP Act), which places on Data Fiduciaries the responsibility to ensure the safety and security of the personal information of tourists. The DPDP Act has been framed on lines similar to the GDPR, unlike the Decree. Though the DPDP Act does not categorically mention the type of personal information to be sought from individuals, it does provide for data minimization and purpose limitation.
Impact on the tourism industry – Changes and Obligations
The DPDP Act will have a significant impact on the tour and travel industry of India. The personal data processing and handling practices are in for some major changes. Over the past years, collection of Aadhaar Card number and details had become a misnomer: an unquestioned norm rather than a compliance!
However, against this practice, the Ministry of Electronics and Information Technology (MeitY), in 2022, had issued an advisory against providing Aadhaar card number/details/photocopies to any unlicensed private entities such as hotels and film halls, as they are not licensed to demand any copies of the Aadhaar Card. It is an offence under the Aadhaar Act, 2016.16
The travel and hospitality sector has access to a lot of customer data that could all come under scrutiny. This would mean:17
- Seeking explicit user consent – Companies will have to obtain explicit user consent before the user data is used. This will entail digital transformation, as the entities will now have to ensure that the user data is digital and paperless. Collection of data has to be minimized and processing of data should be for the purpose for which the consent is given by the individuals.
- Data Minimizing – The tourism industry has a large third-party ecosystem, and companies have to look at minimizing data exposure to third parties. Entities collecting critically sensitive data, such as Visa agencies, will have to exercise additional measures to safeguard data.
- Data Processing Agreements – Entities that engage data processors or are joint data fiduciaries with other entities have to streamline their data sharing, processing and handling practices along with executing Data Processing Agreements.
- Additional compliances – Companies that are already GDPR compliant will have to start looking at the other touch points such as seeking multilingual consent, appointing the Data Protection Officers if they qualify as Significant Data Fiduciary in India.
- Cross-border data – If any entity is based in a territory that is blacklisted by the Government of India, then such entity will be barred from accessing the data of individuals. This implies that the entity will have to set up their physical office in India for continuity of presence.
- Rights of users over their personal data – Companies will have to provide customers the right to access, request modification of, and request erasure of their personal data. In fact, the companies will further have to ensure that the data is erased as soon as the contractual obligation is fulfilled and the data is no longer required for the purpose for which it was collected, other than to fulfil any legal obligations of the entity.
Footnotes
1. https://www.businesstravelnewseurope.com/Management/Travel-groups-warn-over-enforcement-of-Spain-s-new-data-rule
2. https://www.ectaa.org/Uploads/press-releases/DP-LED-Analysis-of-Spanish-Royal-Decree-933-2021.pdf
4. https://www.boe.es/buscar/act.php?id=BOE-A-2021-17461#ai
5. https://www.hotelinking.com/en/updates/how-can-the-new-documentary-registration-and-reporting-obligations-affect-our-hotel/
6. https://gulfnews.com/world/visiting-spain-get-ready-to-reveal-more-about-yourself-1.1733486575059#:~:text=The%20rule%2C%20as%20promulgated%20by,over%2060%20for%20car%20rentals
7. https://www.ectaa.org/Uploads/press-releases/DP-LED-Analysis-of-Spanish-Royal-Decree-933-2021.pdf
8. https://www.acave.travel/images/Travel_Agencies_warn_of_a_risk_of_collapse.pdf
9. https://gdpr-info.eu/art-7-gdpr/
10. Recital 41 of the GDPR
12. Notification No. 67/2022- Central Board of Indirect Taxes and Customs
13. https://taxguru.in/custom-duty/passenger-record-information-regulations-2022.html
14. The Passenger Name Record Information (First Amendment) Regulations, 2024
For further information please contact at S.S Rana & Co. email: info@ssrana.in or call at (+91- 11 4012 3000). Our website can be accessed at www.ssrana.in