Open access

Data Processing and Legal Protection in Contracts in the Technologically Innovative Tourism Sector



Introduction

The technological and marketing aspects of smart tourism destinations have been extensively examined over previous years (Kontogianni & Alepis, 2020). Nevertheless, the exploration of their specific context in contract law (Masseno, 2016a) and their legal consequences from the point of view of personal data and privacy protection is still lagging behind (Lee & Cranage, 2011). Research on privacy and security has in the past been a topic of increasing interest for tourism research (Femenia-Serra et al., 2019). This is because tourists as data subjects are the target of smart tourism activities (Gretzel, Reino, et al., 2015): Whereas e-tourism focuses on digital connections such as linking consumers with businesses, smart tourism links the physical world with the digital one by taking advantage of social media, cloud computing, and the Internet of Things (IoT; Buhalis, 2020). The tourism industry claims to benefit customers by creating and enhancing high-value experiences (Wang et al., 2012; Wang et al., 2016); at the same time, besides exploiting the great potential of smart technologies for the tourist experience, it also endeavors to improve the local inhabitants’ quality of life (Ardito et al., 2019) and strives to make the tourism destination an innovative place, accessible to all visitors who can experience improved, more interactive, and higher quality travel (García et al., 2018).

The aim of this paper is to focus on well-known aspects of tourism contracts and tourism experiences to demonstrate to what extent and how the principles of personal data and privacy protection law are applied or could be applied within the tourism industry. Furthermore, the potential consequences for the image and sustainability of (physical and digital) tourism destinations will be evaluated. This is, of course, now a major issue in the current digital tourism ecosystem (Buhalis & Law, 2008). Our approach is based on an analysis of the legal tools offered by the applicable framework of privacy and data protection, in particular by the General Data Protection Regulation (GDPR) of the European Union.

Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), applicable from the 25th May 2018, OJ L 119, 4.5.2016, p. 1–88.

New paradigms in tourism, as created by the rapid technology-based developments, cannot afford to overlook the concomitant legal problems (Neuhofer & Ivars-Baidal, 2019).

The first section describes chosen examples of technologically empowered tourism experiences in tourism destinations as cases in which the personal data protection and privacy issues could be easily suspended. I then show that the legal protection of privacy and data protection evaluation is a balancing element in the relationship between customers and tourism destinations, offering the latter an overvalue but also producing negative effects on tourists and a contractual imbalance in the relationship. I then present cases of hospitality and travel package contracts and the ways of complying with the law, and offer various thoughts on the difficulties that affect compliance with the GDPR. Finally, some future reflections are formulated on the difficulties that affect the reformulation of personal data handling in favor of both tourists and tourism destinations.

Tourists’ Privacy and Personal Data Concerns and the Experience Potential of Tourism Destinations
Information and Communication Technology in Tourism: Applications That Benefit Travellers or Destinations

The literature on tourism marketing and tourism innovation has already explored the connection between tourism and information and communications technology (ICT), on the basis of which a new relationship between customers and tourism providers is built (Law et al., 2019; Rasoolimanesh et al., 2019). The interconnection aims at a comprehensive service and full engagement not only pre- and during, but also postpurchase, to keep customers satisfied and loyal (Neuhofer et al., 2015), so that they will want to repeat the experience. Furthermore, tourists as customers need real-time information in situ (Amorim et al., 2018), so they might use connected smart wearable devices, especially smartphones, to interoperate not only with potential providers of goods and services, but even with each other, exchanging experiences and critical opinions for ratings (Figueredo et al., 2018). Travel providers aim at empowering the self-experience result, in that they allow travellers to cocreate the experience (Prahaland & Ramaswamy, 2004) through personalisation and real-time interaction (Buhalis & Amaranganna, 2015). Local authorities and communities gain added value and anticipate profit in travel potential for their tourism destinations (Buhalis & Amaranganna, 2014). Also, travellers themselves expect to gain optimum quality in services and products as well as in their travel experience. Both local authorities and communities in tourism destinations and travellers themselves overlook the challenge of personal data protection and privacy; they are at risk because of the nontransparent, high-tech processing methods and the correlation of data, but also because of the interaction between individuals. 
Protecting travellers’ rights vis-à-vis the processing of personal data is a basic element of the smart tourist destination framework, offering added value to the destination (Masseno & Santos, 2018a) beyond fulfilling the duty of complying with the law by protecting users’ legal rights.

The Travellers’ Active Role in Experiencing the Tourism Destination as a Means of Legitimising Data Collection

Tourists can use smart application services for a host of reasons: to estimate the waiting time for entry to parks or restaurants (Buhalis & Amaranganna, 2014); to order a special meal according to their dietary needs, medical conditions, or religious restrictions; or to change and adapt their plans according to real-time weather information (Jorro-Aragoneses et al., 2017) at their destination or on the traffic situation or flow (Hardy et al., 2017). The same use is provided and the same scope is aimed at when, for example, buying tickets to board a driverless bus (Tussyadiah et al., 2017), which has proven a great success in Trikala, the author's home city in Greece, outshining a similar scheme by Google (Kassimi, 2016); or for waiting at service counters and touch-screen points or for ordering food and drink via the Internet, following every phase from the preparation of the ordered items up to their being served at the table or delivered to your hotel room. The very same situation pertains to hotels when guests upload personal information and individual preferences (e.g., romantic view from the balcony, favorite beverages in the refrigerator, favorite magazines or newspapers reflecting one's political and economic views; Buhalis & Amaranganna, 2015; Philips, 2014).

Between September 2015, when it began to circulate on the streets of Trikala, and March 2016, the bus covered a total of 1,490 routes across 3,580 km and carried 12,138 passengers.

The inescapable point of this scheme is that the sole purpose is to make the consumers participate actively and enhance their enjoyable experiences so as to encourage them to visit social networks and sites, use mobile apps, and read reviews, comments, and critiques. Without this, travellers cannot become part of this interconnected ‘smart’ experience (Smirnov et al., 2019) and will not experience the destination in an empowered way (Tussyadiah & Fesenmaier, 2009), and thus will not use all these smart technical alternatives that allow them to be active on social media, creating social profiles, writing reviews, giving ratings, and commenting or recommending (Figueredo et al., 2018). The so-called mobiquity (mobility and ubiquity) via WiFi access and interaction via online websites, search engines, and social media not only before and during but also after travel is the ‘new paradigm’ for experiences in tourism destinations: As a result of all such active participation and cocreation on the part of tourists (Buhalis & Leung, 2018), destinations are provided with suggestions after all the data are matched according to the criteria and are compiled according to preferences.

The Attractiveness and Competitiveness of Tourism Destinations

The implementation of smart ICT to promote tourism destinations geared to enhance consumers’ experience through better and high-level customized and personalised products and services, reflecting guests’ needs, wishes, and future desires, is crucial for the attractiveness of destinations. Following this marketing path, tourist service providers stop only when the highest level of customer satisfaction has been attained (Law et al., 2009), while seeing off the competitors (Peceny et al., 2019). At the same time, though, this implementation leads to the processing and collection not of data on tourism or on destinations, but of tourist-related information through personalisation and profiling, which can be reused for autonomous commercial purposes, regardless of whether these data are sourced and stored with the consent of the data subjects: It might well be provided by the subjects unwittingly during the time they are enjoying the tourism experience (Edwards, 2016).

These data have commercial value and provide a competitive advantage (Buhalis & Foerste, 2015), as they refer to the execution of contracts between tourists and the tourist service providers, such as transportation or hospitality contracts. These activities show aspects of how tourists experience the destinations, their preferences, their spending capacities, and their consumer behaviors. The data are, of course, derived from concluding contracts, answering queries or searches, purchases and other exchanges, or geographical location data (Masseno & Santos, 2018a, 2018b). By collecting, processing, compiling, and managing such large amounts of data (Masseno, 2016a; Vecchio et al. 2018), tourism operators and local tourism authorities and enterprises can evaluate important information regarding how tourists experience and enjoy the destination, so that the former can improve the way they interact with customers and exploit their competitive advantage over other tourism destinations (Buhalis, 2020).

However, collecting and processing personal and sensitive information facilitates the building of tourist profiles (e.g., individual preferences) with the concomitant implications for privacy and data protection (Kemp, 2014). This occurs especially when the collected data are connected and matched with data from other sources of publicly available information, such as Facebook or Twitter postings, blog entries, and so on (Masseno & Santos, 2018c; Menk et al., 2017), resulting in the analysis revealing users’ social interactions and activities, as in the case of smart tourism travel cards (Romanou, 2018). So there is a contradiction in that ICT (IoT, big data, blockchain, artificial intelligence, virtual reality, and augmented reality), by establishing a multilateral system involving inhabitants, local authorities, service providers, and tourists (Jovicic, 2019), to cocreate an enriched tourism experience (physical and digital), is actually creating not a shift toward a consumer-centric view, although consumers are becoming central actors, but a shift from a tourist-centric to a tourism-centric view (Neuhofer et al., 2015), and it is also shaping the destination tourism culture (Hunter et al., 2015).

The Negative Effects on the Relationship between Customers and Tourism Destinations
Personal Data Protection Gaps and Privacy Risks

In this technically complex and rather opaque aspect of tourism contracts, at least from the point of view of the data subjects (the tourists), the useful purposes of collecting data prevail and privacy concerns might be ignored (González-Reverté et al., 2018), especially when the traveller is serviced for a short time by contracts with unknown local providers abroad, and thus the privacy risk is underestimated or thought to be minimal (Gretzel, Sigala, et al., 2015). The concept of tourist destinations exploiting modern information technology, presenting themselves as smart tourism destinations (Boletsis & Chasanid, 2018; Jasrotia & Gangotia 2018; Tripathy et al., 2018) and offering clients enhanced touristic experiences presupposes all kinds of technology infrastructures, such as wireless networks and communication systems, interconnectivity for all mobile devices and, most important of all, data mining algorithms and big data technology with data warehouses (Höjer & Wangel, 2015; Russom, 2013).

Information gathering and data analysis in the form of automation and controlling is unavoidable if tourists, as data subjects, are going to ‘live the experience’, because their location needs to be tracked and their consumer behavior needs to be analysed. Thus, for instance, to provide assistance on the road or send out the relevant advertisements, diverse data from a massive number of tourists are processed in a centralised manner, without having installed any application on any mobile device (Masseno & Santos, 2018a, 2018b, 2018c). What is crucial is the need for tourism providers and tourism destination managers to predict tourists’ future behavior and trends as consumers (Pantano et al., 2017).

All these data are personal and sometimes sensitive, including physical appearance, health data and location data, and are collected and processed often without the data subjects being aware of it.

Compare the facts in the case Richard Lloyd v. Google LLC (2018) EWHC 2599 (QB), to which the British Court of Appeal allowed an appeal (Richard Lloyd v. Google LLC [2019], EWCA Civ 1599): Cookies on a device, without the user's knowledge or consent, enabled Google, whenever the user visited a website, to ascertain the date and time users spent on any given website, what pages were visited and for how long, and which advertisements were viewed. The search engine was also able to collect data on the geographical location of the user, known as “browser generated information” (BGI). Of course, the class is based on pre-GDPR rules (section 13(1) DPA 1998), but the Court of Appeal alluded to the GDPR (Article 82 of the GDPR, section 168 of the Data Protection Act 2018). However, the case is more interesting from the point of view of procedural law, as the High Court held that members of the English general representative action did not share the “same interest” required by the Civil Procedure Rules 1998 (CPR 19.6(1)). On the contrary, the Court of Appeal held that the members of Lloyd's represented class had all had their BGI taken without their consent.

Moreover, all the smart devices through which personal data are collected involve, in a nontransparent way for the consumer, third parties apart from the data subject and the contractual counter-party. These parties could include the data controller or the appointed data processors, the manufacturer of the device, the provider of the services, and many other intermediaries. Consequently, and most important, data are often not stored locally, but are forwarded to central services (Jülicher & Delisle, 2018) or are not processed by the traveller's contractor themselves as data controller or their data processors, but by persons authorised to process the data even though they might not be ‘third parties’.

See Article 28 of the GDPR. See also Article 4 from lit. 7) to lit. 10), Article 6 (1)(f), Article 13 (1)(d), Article 14 (2)(b), and compare Recitals 47, 54, 69 of the GDPR.

The use of large numbers of algorithms and data mining techniques has huge and negative implications for privacy and compliance with data protection rules: Algorithms execute correlations and inferences among data, so that the correlations found, as identified in the algorithms, can specify similar new cases.

Art. 29 WP Opinion 03/2013 On purpose limitation. Adopted April the 3rd, 2013, p. 14. Retrieved from https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/index_en.htm.

The same data, after new correlations between the initial data and other, obviously irrelevant data have been found, are reused for other purposes, in violation of the purpose specification principle according to which the purpose of data collection must be specified and lawful (Art. 5 (1)(b) GDPR). Indeed, it would be unlikely for anyone to set a device or the procedure for processing data so as to collect not all available but only relevant data, according to the scope of the processing, which is to service the best experience in tourism destinations. Thus, even if these methods exploit technical innovation to empower experiences, improve tourism services, and promote a tourist destination as a ‘tourism product’, they also at the same time cause a confidentiality gap in the tourism contracts between customer and service provider at the destination in terms of privacy and data protection (Couturier, 2013).

Big Data, Algorithms, and the Profiling Problem

Profiling and correlation of data make it difficult for customers to understand in a transparent way and the results remain impenetrable to laymen (Franck, 2017). Therefore, it is impossible for consumer-tourists to track down the systems and methods of automated and individual decision making (Wachter et al., 2017) on the basis of profiles, and occasionally a conscious decision is made to omit the clause on their legal rights (Recital 63, Art. 13[2][f] and Art. 15[1][h] of GDPR) regarding requesting that information (Art. 15 GDPR). Correctly, they find the information on the ‘logic of processing’ meaningless (on ‘smart transparency’; see Hildebrandt & Koops 2010), especially when it relates to ‘algorithmic logic’ (Edwards & Veale, 2018).

See Article 4 of GDPR (lit. 4) on profiling. Compare Article 22(1) and (4) and Recitals 24, 60, 63, 70–73, 91 of the GDPR.

Tourism destinations in particular work almost exclusively with the tool of profiling, as they aim through the personalisation process to offer tailor-made services and maximise the tourist experience (Gavalas et al., 2014). An enriched profile of the consumer based on huge amounts of data, appropriately compiled and parameterised, is the best way for tourism service operators to ‘bombard’ the customer with several segments of advertisements and marketing strategies (Mavragani et al., 2019) or to price differentiated policies (Shen & Ball, 2009), even if the subject of the data is unaware of the processing and correlation of these data or of the filtering that is taking place, and so the problem will continue to grow (Holone, 2016).

ENISA (2015) Report. Privacy and data protection by design—From policy to engineering, pp. 11–13. Compare Article 25 of the GDPR.

Isolation and Distancing from the Smart Tourism Destination

Another danger for contractual freedom and the exercise of basic constitutional rights is that the situation can even lead to denying essential utilities for those unwilling to share personal data (Schwartz & Solove, 2011), whereby many tourists are either not familiar with new smart technology, especially the elderly (Berg, 2015; Vojvodic, 2015), or are very reluctant to disclose their data and avoid visiting tourist destinations and using the smart tourist possibilities (Ardito et al., 2019; Law et al., 2014). At the same time, through this method of data processing and the creation of profiles, only specific alternatives are offered to the tourists (data subjects) to choose as products and services; that is, only those that match the chosen preferences and patterns, according to the profiling procedure. Therefore, they are, according to specific data, excluded from other alternatives, which they might have already examined and chosen on their own, the so-called ‘filter bubbles’ effect (Pariser, 2011).

Exclusion as the Result of Discrimination at Tourism Destinations

An obvious example of the danger of exclusion is the case of price differentiation after profiling of consumer behavior according to job, wealth, purchasing, and so on. In such a case, the tourism providers offer a consumer only a very high price for some products and services, which the tourist refuses to accept, without being able to ask for an alternative. Furthermore, the data subject is not able to contest the automated individually made decision to exercise their rights (i.e., to restrict or to reject the processing, Art. 18 and 21 GDPR), especially when data are collected from the user's smartphone, implying that there is no user interaction (Kontogianni et al., 2018). Thus, this automation and lack of transparency in making algorithmic decisions according to filtering data and profiling based on needs, preferences, values, and so on promotes—either in a direct or indirect way—discrimination against tourists by excluding them from specific categories of tourist goods or services, such as sales or insurance (Weaver & Moyle, 2019, on tourists’ potential response to smart tourism). This discrimination, which leads to the denial of the freedom to conclude contracts and participate in the market, could be dangerous as such decisions might reflect, among other things, health or creditworthiness.

Contractual Imbalance

In business-to-consumer contracts between consumers and tourism businesses, the counterparty, which is protected by the law because of an asymmetry at all critical levels (e.g., knowledge and information, negotiation and economic power, etc.), consists in tourists generally and not only the elderly or the vulnerable (Koutsouradis, 2020; Luzak, 2016). The contractual imbalance in favor of the consumer's counterparty is further sharpened in the case of the technological and data processing issues of a contract because of the lack of know-how and understanding and also the time factor, whereby short-term contracts are executed before, during, or at least by the end of the trip (Masseno, 2016a). Thus, consumers do not invest time or dedicate all their powers of negotiation or demand pre-contractual information to learn about or exercise their legal rights.

Devices, Cards, and Newsletters in Hospitality and Travel Package Contracts
Hotel Guests’ Cards and Other Devices

In the case of a hospitality contract, hotel guests use a very attractive e-platform accessible via smartphones or touch screens in the hotel by means of a code (e.g., the room number) or the room card to enrich the company's database with personal data and at the same time to interact with the hotel personnel: The employees and the guest cocreate in real time the experience and the service level (Buhalis & Sinarta, 2019). Similarly, hotel guests use diverse types of wearable devices (Atembe, 2015) or guest and traveller (discount) cards; for example, smart watches for notifications and comments or check-in and access to different rooms or levels of the hotel (bar, swimming pool), and so on. Thus, during their stay at the hotel, guests receive, either as hospitality clients or as travel package consumers, announcements, alerts, and even flight information and timetable changes for each individual or for the members of the travel group as a single entity. Further, medical bracelets that the hotel guest wears while sleeping or during the day, monitor his or her health parameters and process health data.

Charge, Purchase, and Discount Cards

Guest cards can also record data about the films that guests choose to view in their hotel room and the price they pay for them. The same applies to ‘charge cards’, which hoteliers give guests as a ‘gift’ to ensure that during their stay various attractions at the tourism destination can be visited without additional costs. Such guest cards offer the guest at the respective tourist destination the opportunity to take advantage of various services at a discount or free of charge. After an attempt to apply to the scope of services offered by such guest cards the legal definitions and basic principles of package travel and linked travel arrangements, it follows that all guest cards that contain only services belonging in the category in point (d) (any other tourist service that is not intrinsically part of a travel service within the meaning of points [a], [b] or [c]), present neither package holidays nor related travel services within the meaning of Article 3(1) of Directive (EU) 2015/2302.

Directive (EU) 2015/2302 of the European Parliament and of the Council of 25 November 2015 on package travel and linked travel arrangements, amending Regulation (EC) No 2006/2004 and Directive 2011/83/EU of the European Parliament and of the Council and repealing Council Directive 90/314/EEC, OJ L 326/11.12.2015.

The same can be said of cards that only grant discounts. This also applies to purchase tickets or discount vouchers, which apart from free services in only one category of travel services, provide exclusive discounts on other types of travel services. The opposite is true of ‘purchase cards’ with free services for different types of travel services: The guest pays a travel price and receives in return different categories of travel services for the purpose of the same journey. According to the wording of the law, there is no clearly appropriate exception relating to why such cards should not represent package holidays in the sense envisaged by the new travel law. Therefore, a purchase card with at least two different categories of included travel services could constitute a package.

It should be pointed out that the processing of personal data must be authorised on legal grounds. It seems to be very difficult to find legal grounds for data processing when it comes to purchase cards without the consent of the data subject. The following cases are considered for possible legal grounds.

Implementation of a Contractual Relationship

If the collection of personal data is required for the fulfillment and performance of a contract, the use and storage of this information is permitted under data protection law. For example, all information proving the purchase contract (information on request, invoice, etc.) must be justified on this legal ground. The problem here is that as charge or discount cards are financed via a surcharge that is paid by the host to the respective card operators, the various services of the card received by the guest do not constitute services provided by the host himself or herself. In this respect, there is a twofold lack of a contractual service exchange relationship: between the guest and the host on the one hand and between the guest and the card issuer on the other.

Balancing of Interests

The storage of data is not always mandatory for the performance of the contract. However, if the processing of personal data is necessary to safeguard the legitimate interests of the card operator, this can also be justified under data protection legislation. The personal evaluation of usage and user data (e.g., user profile) is usually not justified by the balance of interests.

Data without Any Personal Reference Character

Data protection law does not apply where usage data are evaluated without any personal reference. For example, it is permissible to evaluate visitor flows or usage time if this evaluation is not user-related. It must be ensured that no reference can be made to individuals, not even through additional information.

Reporting or Registration Data and Usage Data

In terms of data protection, the collection of reporting or registration data is subject to a strict purpose limitation. This also includes information that could arise from the use of a guest card (usage data).

Newsletters

Even in newsletter services, the counterparties of the consumers remind them that more data, apart from those necessary for data processing, are optional but will be used to personalise information and adapt commercial offers to the best interests of the client. However, data protection law prohibits a so-called coupling or correlation in cases where the conclusion or performance of the contract is made dependent on consenting to the processing of data that are not required for this purpose. It is therefore necessary to obtain the data subject's consent for the specific type of use. An example is the sending of a newsletter customer satisfaction survey, stored in a customer database for later advertising and other purposes. Therefore, if a later newsletter or customer survey is carried out, the declaration of consent must cover precisely these purposes.

Applicable Legal Rules and Legal Analysis Approach
The Legal Framework and the Difficulties in Complying with It

Tourism organisations, perhaps under the supervision of local tourism authorities (e.g., municipality bureaus, etc.), have to ensure that the processing of personal data is fair, lawful, and transparent (Art. 5[1][a] of the GDPR). Concerning the privacy and confidentiality of personal data and information, especially when these are stored electronically, tourists and visitors should enjoy the same rights as the citizens of the host country.

See Article 8(3) of the Global Code of Ethics for Tourism, retrieved from https://www.unwto.org/global-code-of-ethics-for-tourism.

Whether the data are collected voluntarily or inferred from other accessible sources, or are correlated with data of other databases, tourists who are not solely customers and consumers but in the legal context also data subjects are entitled to know which personal data are obtained, from where, and from whom. Moreover, in our case, data subjects have the right to ask the data controllers, and learn in a transparent way, how automated decisions are made according to the collected or inferred interconnected or correlated data. Consequently, to avoid the danger of isolation and exclusion, all circumstances and data should be taken into account in the automated decision-making procedure, despite the technical difficulty of processing decontextualised information and correlating differential databases (Recital 71 of the GDPR). These difficulties are often compounded by tourism organisations claiming secrecy over the methods by which data are processed on grounds of commercial confidentiality and protection of software copyright, as well as the trade-secret shield (Ehmann, 2017). However, these overriding interests should be interpreted narrowly.

See Article 15(4) and Recital 63 of the GDPR; compare Art. 29 Data Protection Working Party, Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC, pp. 23, retrieved from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.

Further, it is true that big data algorithms are constructed by default with the capacity to change autonomously, and therefore they are not at all suitable for recording, documenting, or proof (Edwards & Veale, 2017; Rubinstein, 2013).

Circumstances for Obtaining Consent

It is very unlikely that tourists as data subjects give their prior consent to the previously described data collection (Art. 6[1][a] of the GDPR), even if this was in many cases part of the purpose of data processing (Art. 25 of the GDPR on privacy by design). Of course, we must also consider the so-called smart tourists (Femenia-Serra et al., 2019): These tourists accept the sharing of personal information as usual practice because they realise the benefits therein and assume that their privacy and security will be protected. Smart tourists are therefore willing to share their personal and preferences-related data in exchange for information and proposals, although they are conscious of the value of their data and the need to protect them. Nevertheless, the fact that information notices appear and disappear instantly on the consumer devices’ screens and that consent is not consciously given undermines the duty of the data collectors to comply with the law.

Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (wp259rev.01), Revised and Adopted on 10 April 2018, pp. 13, 18, 20, 23, 30, retrieved from https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.

The law requires unambiguous, informed, specific, explicit, and granular consent (Carolan, 2016), otherwise it is difficult for the controller to prove that consent was given according to the law and for the data subjects to claim withdrawal of their consent (Art. 7[3] of the GDPR) because of lack of these circumstances (Mantelero, 2014).

Article 29 Working Party, Opinion 15/2011 on the definition of consent, pp. 6, 30. Adopted on 13 July 2011, retrieved from https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.

Indeed, devices used by tourists are often, in terms of design, small or screenless (e.g., buying a ticket, using guest or discount cards, Global Positioning System [GPS] devices), without a keyboard or monitor.

Article 29 WP, Opinion 8/2014, Recent developments on the Internet of Things. Adopted on 16 September 2014, pp. 5–8, retrieved from https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.

At the same time, the data subjects experiencing the tourism destination and its services fail to examine further the issue of data collection and cannot make an active and conscious choice on privacy and data protection settings by reading the policies. In any case, they are likely to be unaware that data collected during the trip are going to be used in the future in correlation with other databases and for other purposes (Habegger et al., 2014).

Public Interest or Other Legitimate Interests

In tourism contracts between consumers and tourism service providers, it seems unlikely that the so-called public interest could be invoked as a legal ground for the processing of personal data without obtaining consent.

European Parliament Study (2015), Big Data and Smart Devices and their Impact on Privacy (pp. 6, 24, 26, 30).

On the contrary, ‘legitimate interests’ (Art. 6[1][f] of the GDPR) are often cited as a legal ground by commercial companies to process data by claiming somehow that the processing of data is ‘necessary’ and so could be construed as legitimate even without consent.

Information Commissioner's Office (2017), Big Data, Artificial Intelligence, Machine Learning and Data Protection (pp. 29), retrieved from https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf.

For example, websites declare their legitimate interest in processing personal data for reasons of tracking, advertising, and analysis services. Websites even claim legitimate interest when continuously sending out online offers.

The Principle of Proportionality

The crucial task of balancing, on the one hand, the commercial interests of the provider or the tourism destination providing the optimum experience and, on the other, the data subjects’ fundamental rights to privacy and protecting their own personal data is to be executed in the first instance by the controllers themselves (Schwartz & Solove, 2011) and ultimately by the courts according to the law.

Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocol Nos. 11 and 14, of 4 November 1950, recognized the right to privacy, and this objective was given effect in Article 23 of the Data Protection Directive 95/46/EC (the “Directive”). See also Article 8 of the EU Charter of Fundamental Rights. Compare European Data Protection Supervisor, Opinion 7/2015, Meeting the challenges of big data, retrieved from https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf.

Article 29 Data Protection Working Party, Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC (844/14/EN, WP 217), pp. 30, 33, 55, 57.

Performance of the Contract

To suspend the strict prerequisite of obtaining the consent of the data subject, it is possible that the controller might invoke the so-called contractual condition, according to which the execution and performance of a contractual obligation provides the justification to process, collect, and use data without consent. Thus, by users simply visiting a website and being active (comments, news, etc.), the provider begins data processing, claiming the legal ground of Article 6(1)(b) of the GDPR. At this point, the opinion of the judge becomes crucial; the court is called on to finally decide whether the processing was necessary for the performance of the contract or the processing went beyond what was required for the execution of the contract, whether that be selling a product or delivering a service. For example, websites often warn users that providing more data than is necessary for performing the contract is an option and does not influence the use of the site, but they do not assure consumers that the data will not be reused.

The Principle of Purpose Limitation

According to Article 5(1)(b) of the GDPR, the purpose for which the data are collected must be specified and have been considered as lawful (data minimalism or purpose limitation). Consequently, every reuse of that data is to be prevented after an assessment of the new use according to the purpose principle (informed consent for specific and well-defined purposes).

See Article 29 WP Opinion 03/2013 On purpose limitation. Adopted on 3 April 2013, pp. 12, 21. Compare Article 7 and Article 35 of GDPR (on DPIA - data protection impact assessment).

Personal data then should not be further processed in a way (with respect to the data subject) that is unanticipated and inappropriate and therefore unrelated to the execution of the contract.

Council of Europe (2017), Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data, pp. 3–6, retrieved from https://rm.coe.int/16806ebe7a.

Should this occur, we have a case of forbidden reuse of the data for purposes other than the initial one, thus exposing the privacy of the data subjects to danger without any legal grounds, which is unanticipated and lacking in transparency. In cases of smart tourism, specific potential perils arise, including the hacking of the central intelligence system, movement monitoring, abusive marketing by companies, or even the blackmailing or stalking of tourists (Saravanan & Ramakrishnan, 2016). It is also a fact, confirmed by experts (Solove, 2017), that controllers can repackage data or create derived data and can profit by selling data packages to the market. The controllers in tourism destinations carry the burden of complying with Recital 50 of the GDPR.

The Principle of Minimisation and Retention

According to this principle, organisations should minimise the amount of data they collect and process and also reduce the length of time they keep the data (Art. 5[1][c], Recital 39 and Art. 18 of the GDPR). However, technology permits, if not enhances and favours, the collection, aggregation, and analysis of huge amounts of data, using algorithms and intelligent tools not only to categorise for the purposes of profiling, but also to analyse, interconnect, and correlate. At the same time, the legal obligation to delete data and not to archive and store them for longer than the purpose of collection requires serves the principle of minimisation and necessity (Art. 5[1][e] of the GDPR, on the storage limitation principle).

The ‘Right to be Forgotten’ and the Principle of Accuracy of Data

Article 17 of the GDPR stipulates the right of the data subject to be forgotten, that is to say, the right to have his or her personal data erased when the data are no longer necessary for the purpose for which they were collected or in the case of inaccurate data (Article 16; compare Recital 71 of GDPR). Furthermore, pursuant to Article 5(1)(d) of the GDPR, data always have to be representative or accurate (accuracy principle). Although it could prove to be extremely difficult for the controller to find and erase the tourist's data (Bartolini & Siry, 2016), the inaccuracy of data violates the preceding principle and constitutes a legal ground for strict liability in favor of the data subjects if restitution is to be made for the damage (Hoeren, 2018).

‘Necessary’ Data Processing in the Course of Contract Performance

Apart from the clear cases of contract performance and fulfillment, pursuant to Article 6(1)(b) of the GDPR, determining ‘necessity’ is not always easy. For example, is access to data required in the case where a free application allows users to simulate or repeat an experience on the display of their smartphone by means of a graphic visualisation, when the ‘app’ does not have any other functions, and when for users to use this app they must grant access to their location and address book data? In this case, transparent general contract terms and conditions could make the difference, so that it is no longer surprising that the user receives the service of the app only in ‘exchange’ for location and address book data. Here, the crucial question is how necessary is the respective option for the carrying out (performance) of the principal part of the contract? The specific content of the contract lays out a different perspective in determining the necessity of the so-called specific obligation or the principal part of the contract to be performed. In the case where at the time of the conclusion of the contract, sufficiently transparent information is given to the data subjects about what they ‘exchange’ and what they pay for (e.g., data vs. services), then a free decision by the individual is a sufficient legal ground as consent.

Concluding Thoughts and Some Future Reflections

The results so far could be summarised as follows: A tourist's personal data are too valuable and necessary to tourism destination organisations for them to abandon their current advantaged position to maximise and analyse the data, create profiling, and process the data for other purposes than the original one to predict future patterns in consumer behavior. On the other hand, the data subjects, expecting enriched experiences, are continually providing their personal data either unconsciously or without being able to foresee they are being reused for purposes other than the initial one. In other words, they cannot transparently understand the methods and extent of the processing (big data, algorithmic analysis, correlation with social media, image recognition, etc.). In fact, the lack of transparency and the highly complicated technical background places even those data subjects who are aware of the privacy risks entailed in data processing in the position of a weak contract counterparty who cannot in any way pursue their legal rights due to negotiation and information asymmetry (Masseno, 2016b; Masseno & Santos, 2018b).

Consequently, none of the counterparties or third parties (analytics firms, tourism destinations, entrepreneurs, etc.) can or want to give up the current practice focused on commercially valuable data and enhanced experiences (Tallon, 2013) and dedicate more time and space to concerns about privacy (Brown et al., 2007) related to the processing, profiling, and further disclosure of private data (Schwartz & Solove, 2011). In that sense, there is already a discrepancy between the state of the art and the state of practice in this field. The data subject's awareness of this situation—that is, of risking their privacy and not being able to uphold their legal rights, or, in other words, of the data controller's noncompliance with the legal framework—is likely to erode the trust between the counterparties, as trust and perceived risk are basic contractual elements (Bonsón Ponte et al., 2015; Kim et al., 2008). In particular, the previously examined results of isolation or exclusion of tourists affect very negatively the tourism destinations whose aim is to be attractive and worth revisiting (see Benckendorff et al., 2005, p. 38, on the travellers called ‘Luddites’, who view technology as being destructive to the tourism experience).

Conversely, conforming and complying with the legal provisions on transparent and adequate information (Hardy et al., 2017) for the data subjects (Lee & Cranage, 2011) with regard to the methods, procedures, and further consequences of data processing could rebuild trust (Buhalis & Amaranganna, 2015) and fill the void of privacy concerns and personal data protection (Huang et al., 2017; Xiang & Fesenmaier, 2017), the so-called missing issue in the smart tourism destination debate (Anuar & Gretzel, 2011). In such a case, tourism destinations and local authorities and businesses are more likely to regain the younger tourists, the so-called digital natives or millennial tourists, who have grown up with Internet access, mobile devices, and interface screens and are familiar with social media and data or opinion or experience interchanges. Therefore, in the conclusion of tourism contracts (hospitality or travel packages, booked either in the process of linked online booking or in linked travel arrangements) a new trust relationship (Femenia-Serra et al., 2019), on an adequate legal ground and in compliance with the legal framework can be achieved.

This, of course, demands from the smart tourism destinations as well as from the controllers renewed information governance (Hadar et al., 2018); that is, a combination of retaining the added value of the information and its commercial use and of omitting profiling for unintended uses (Art. 25 and Art. 6, 24, and 32–34 of the GDPR, on ‘privacy by design’). In other words, it demands a combination of personalising the data only to enhance experience, data protection, and respect for privacy. The future precautionary parameters are unavoidable as technical ones, such as applying anonymisation (Recital 26 of the GDPR) or pseudonymisation (Art. 25 of the GDPR), rewriting in an easy-to-understand, informative way, as well as applying video privacy and data protection policies (Art. 42, 43 and Recital 100 of the GDPR; Wachter, 2018), compliance with the legal obligation of privacy by avoiding nontransparent algorithmic analysis, and exploiting the technical features of electronic seals or signs and certification mechanisms (Art. 12[7] and Recital 60 of the GDPR; Masseno & Santos, 2018a, 2018c).

On “privacy by design” see Article 25 and Articles 6, 24, 32–34 of the GDPR.

Information Commissioner's Office (2017), Big Data, Artificial Intelligence, Machine Learning and Data Protection (p. 4).

Article 29 WP Opinion 05/2014, On Anonymisation Techniques. Adopted on 10 April 2014, retrieved from https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf. For the so-called privacy enhancing tools, see Articles 6, 24, 32–34 of the GDPR.

Finally, the data processors should not overlook the dynamically developing legal framework and follow up on any updated legal requirements.

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1–30; Proposal of a Regulation of the EP and of the Council concerning the respect for private life and the protection of personal data in electronic communications, COM/2017/010 final - 2017/03 (COD).

On the other hand, tourists have to live with the fact that they have to ‘invest’ more time to take on board these new rewritten privacy policies; they have to learn to be prudent and discerning when providing their data as the price to be paid. Otherwise is by no means fair and equal, even when it comes to enhanced and enriched tourism experiences and travel pleasure. A fundamental reformulation is therefore expected of how data are handled in smart tourism in favor of both tourists and smart tourism destinations.

eISSN: 2182-4924
Language: English
Publication schedule: 3 times per year
Journal subjects: Business and Economics, Business Management, other, Industries, Tourism, Hospitality, Travel, Event Industry, Leisure Industry, Sports and Recreation