Centre for Internet & Society

Oyo Hotels’ pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The article by Nishant Sharma was published by Bloomberg Quint on January 16, 2019. Pranesh Prakash was quoted.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create “stronger data security net”. Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank Center for Internet and Society, told BloombergQuint. “If someone manages to break into the police data, or where the data is stored then they will be able to have the access to the data. It is always good to store data locally.”

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or the another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. “Because there is no law, the entities can do it.”

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there’s a law on what happens in the case it’s misused. There is no legal framework about how and where the data will be used, he said.