Sooho Choi, Managing Director at Alvarez & Marsal outlines how rigid data protection laws could impact the pursuit of ‘smart destinations’.
When it comes to luxury travel, service providers rely on technology to store and act upon personal data to provide the outstanding experience their customers expect. A challenge for the industry in the Middle East lies in offering the high-level of service guests are used to elsewhere in the world while complying with laws that can prevent data crossing borders and require it to be localized.
As Saudi Arabia works to build an economy based on technology and knowledge as laid out in its Vision 2030, managed services such as cloud computing, data centers and IoT will be central to these efforts. Private cloud facilities will also be required for mega projects with tourism and leisure elements such as Neom, Qiddiya, the Red Sea Project and Amaala. Certainly for Neom there are already plans to build three hyperscale data centers.
Whether exemptions will be made for these projects to help tourism providers get around data laws remains to be seen. A precedent exists in the UAE where free zones with specific data legislation operate, such as the Dubai International Financial Centre.
Earlier this year Saudi Arabia’s Ministry of Communications and Information Technology launched a multi-billion dollar plan to build a network of large-scale data centers with an aim to become the main data center hub for the Middle East, and localize content and services. Despite concerns from digital rights groups, Google will be joining the likes of Chinese firms Huawei and Alibaba in building a self-contained “Cloud-Region” in the Kingdom as part of that network.
According to the Oxford Business Group, Saudi Arabia is also pushing for user data to be kept and stored in the country to increase security and ensure data ownership. However there are also concerns about the ability to transfer customer data outside of the country.
Data Localization Challenges
In the Middle East, new data laws mean that travel and hospitality service providers will have to adapt their processes when they operate in certain countries.
This includes Saudi Arabia whose Personal Data Protection Law regulates the collection, processing and use of data. While the law is in line with wider international practices which protect the privacy of individuals and personal data, like the European Union’s General Data Protection Regulation (GDPR), it differs in one key way – restrictions on transferring data across borders. The law provides for tight controls on cross-border data transfer outside of the country. If exceptions are not made, providers must consider local storage options to fulfill data localization requirements. Even so, the practical challenge for global organizations of marrying in-country and centrally managed customer data still needs to be overcome.
Both the Saudi Arabian and UAE data protection laws also have extra-territorial reach, similar to GDPR. The UAE law applies to any organization established in the Emirates that processes personal data of subjects inside or outside the UAE, as well as any organization established outside the country that processes data inside it. As a well-known international tourism destination the UAE’s data laws are better understood than those of Saudi Arabia. Providers should look to get advice as part of building and scaling operations in the geography.
It could be worse. Anything in the Middle East pales in comparison to China’s Personal Information Protection Law which priorities national security over individual rights. The law states that if personal information being handled by a data handler reaches a certain threshold, a data localization requirement may be triggered. Companies in possession of a large volume of personal data must also complete a mandatory security review led by the Cyberspace Administration of China before transmitting it overseas.
Preparation is Key
There is optimism that service providers who don’t process government data in Saudi Arabia will be immune to data localization requirements. However, this is a grey area.
Those looking to establish themselves in Vision 2030 projects will be processing government data as many of the major developments operate under the government’s oversight – already brands under Marriott, InterContinental and Hyatt banners are setting up hotels at the Red Sea Project while American theme park Six Flags is establishing a park at Qiddiya. As there may be a need to localize their data, these brands should be prepared to navigate the complex requirements.
In fact, all international tourism and leisure providers with significant amounts of global customer data should consider how they set up in the Middle East. They are used to existing in a world where data passes relatively freely between borders, so each one will have to adapt their standards and ask questions. What suppliers should process their data? What deployment and storage approaches are compliant? What systems and processes need customization to comply? Even the common scenario of a central reservations system synchronizing with an in-market property management system at a hotel raises basic questions that need to be addressed, especially if more sensitive personal data crosses borders.
As the use cases extend to address differentiated customer experiences, the question of speed bubbles up to the top of the list. Large amounts of data associated with a customer must be matched and activated, in many cases in real time, to deliver a unique experience for the traveler. If different data sets are stored in different locations in order to comply with data storage and transfer regulations, how does a supplier deliver real-time customized experiences?
Weighing Up the Options
To avoid problems, providers looking to operate in the Kingdom should seek advice to plan out their technology architecture. In a situation where things are not black and white, how does an organization interpret and decide what level of compliance is sufficient? And to what extend is a modest amount of risk appropriate to sufficiently allow for incremental increases to capabilities as data protection regulations evolve? Getting expert advice will help providers answer these questions while they establish a brand presence and assess their options.
While there are difficult obstacles to navigate, there is reason to be positive. If Middle Eastern nations want to diversify their economies away from oil to become leading tourism destinations then they will need to find a compromise. So, despite Saudi Arabia’s Public Investment Fund recently denying reports that Neom will be treated as a “country within a country” with special privileges and regulations, nothing is 100% and how the government treats data may change to become more consistent with international standards.
