International Journal of Information Systems and Tourism (IJIST)

This paper aims to put forward a reflection about personalization and profiling within framework of Smart Tourism Destinations (STD) and analyzing their risks to privacy and data protection given the applicability of the new General Data Protection Regulation of the EU (GDPR), as well as those coming from the ePrivacy Directive regarding mobile devices. Our main result provides a roadmap for compliance of STD design and management with the core principles embodied in the GDPR, offering guidelines both for Public and Private Sectors and for other stakeholders, namely for travellers as citizens.

Anuar, F.; Gretzel, U. (2011). Privacy concerns in the context of location-based services for tourism. In ENTER 2011 Conference. Innsbruck, Austria.

Boztas, S. (2017). Automated holidays: how AI is affecting the travel industry. The guardian, sustainable business. (https://www.theguardian.com/sustainable-business/2017/feb/17/holidays-travel-automated-lastminute-expedia-skyscanner)

Buhalis, D.; Amaranggana, A. (2013). Smart tourism destinations. In Information and communication technologies in tourism 2014 (pp. 553-564). Springer, Cham.

Bulanov, A. (n.d.). Benefits of the Use of Machine Learning and AI in the Travel Industry. Djangostars. (https://djangostars.com/blog/benefits-of-the-use-of-machine-learning-and-ai-in-the-travel-industry/)

COE (2017). Council of Europe Guidelines on the Protection of individuals with regard to the processing of personal data in a world of Big Data, T-PD. (https://rm.coe.int/16806ebe7a)

Davenport, T. H. (2013). At the Big Data Crossroads: turning towards a smarter travel experience. Amadeus IT Group, 17.

Directive 2002/58/EC, of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (‘Citizens Directive’). (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058)

EDPB (2019). Statement 3/2019 on an ePrivacy regulation, of the new EDPB – European Data Protection Board. (https://edpb.europa.eu/sites/edpb/files/files/file1/201903_edpb_statement_eprivacyregulation_en.pdf)

EDPS Opinion 3/2015. Europe’s big opportunity, EDPS Recommendations on the EU’s options for data protection reform. (https://edps.europa.eu/sites/edp/files/publication/15-10-09_gdpr_with_addendum_en.pdf)

EDPS Opinion 7/2015, on Meeting the challenges of big data. (https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf)

ENISA (2014). Privacy and Data Protection by Design – from policy to engineering. ENISA 2015 Report. (https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design/at_download/fullReport)

ENISA (2017). Recommendations on European Data Protection Certification. (https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification/at_download/fullRepor)

Executive Office of the President - USA (2014). President’s Council of Advisors on Science and Technology, Big Data and Privacy: a Technological Perspective. (https://bigdatawg.nist.gov/pdf/pcast_big_data_and_privacy_-_may_2014.pdf)

Femenia-Serra, F.; García Hernández, M.; Valle Tuero, E. A. D.; Perles Ribes, J. F. (2018). Profiling tourists and their ICTs perception and use across Spanish destinations. In XII International Conference of Tourism and Information & Communication Technologies (Turitec) (pp. 27–46). Málaga.

Gretzel, U.; Sigala, M.; Xiang, Z.; Koo, C. (2015). Smart tourism: foundations and developments. Electronic Markets, 25(3), 179-188.

ICO (Information Commissioner's Office, of the United Kingdom) (2017). Guide on Big data, artificial intelligence, machine learning and data protection. (https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf)

Ivanov, S. (2019). Ultimate transformation: How will automation technologies disrupt the travel, tourism and hospitality industries?. Zeitschrift für Tourismuswissenschaft, 11(1), 25-43.

Masseno, M. D.; Santos, C. T. (2018a). Assuring Privacy and Data Protection within the Framework of Smart Tourism Destinations. MediaLaws - Rivista di Diritto dei Media, (2), 251-266.

Masseno, M. D.; Santos, C. T. (2018b). Between Footprints: Balancing Environmental Sustainability and Privacy in Smart Tourism Destinations. Revista Eletrônica do Curso de Direito da UFSM, 13(1), 411-435.

Regulation 2016/679. Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679. (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053)

Regulation 2016/679. ART 29 WP 243. Guidelines on Data Protection Officers ('DPOs'). (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100)

Regulation 2016/679. ART 29 WP 248. Guidelines on Data Protection Impact Assessment (DPIA). (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236)

Regulation 2016/679. ART 29 WP 250. Guidelines on Personal data breach notification under Regulation 2016/679. (https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49827)

Regulation 2016/679. ART 29 WP 259. Data Protection Working Party. Guidelines on Consent under Regulation 2016/679. (http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849)

Regulation 2016/679. ART 29 WP 260. Guidelines on transparency under Regulation 2016/679. (http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48850)

Regulation 2016/679. ART 29 WP Opinion 345 of the European Economic and Social Committee on the ‘Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)’ (COM(2017) 10 final — 2017/0003. (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52017AE0655)

Regulation 2016/679. ART 29 WP Opinion 7/2000 on the European Commission Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2000. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2000/wp36_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2006/wp126_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 7/2003, on the re-use of public sector information. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp83_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 5/2005 on the use of location data with a view to providing value-added services. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp115_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 4/2007, on the concept of personal data. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 2/2008 on the review of the Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive). (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2008/wp150_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp159_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 13/2011 on Geolocation services on smart mobile devices. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp185_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 15/2011, on the definition of consent. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 02/2013 on apps on smart devices. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 3/2013, on purpose limitation. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 6/2013, on open data and public-sector information (PSI) reuse. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp207_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 05/2014, on anonymization techniques. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 06/2014, on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. European Commission. (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 8/2014, Recent Developments on the Internet of Things. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 03/2016 on the evaluation and review of the ePrivacy Directive. (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp240_en.pdf)

Regulation 2016/679. ART 29 WP Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC), following Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC). (http://ec.europa.eu/newsroom/document.cfm?doc_id=44103)

Regulation 2016/679. ART 29 WP Opinion 6/2017 of the European Data Protection Supervisor on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation). (https://edps.europa.eu/sites/edp/files/publication/17-04-24_eprivacy_en.pdf)

Regulation (EU) 2016/679, of the EP and of the Council of 27/04/2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG)