The EU Artificial Intelligence Act brings both a challenge and an opportunity for the tourism and hospitality industry. Companies that understand and adopt these new legal obligations correctly will both avoid legal and economic risks and position themselves as leaders, as well as differentiating themselves to consumers with growing concerns about privacy and the ethics of technology.

Not long ago the New European Artificial Intelligence Regulation (known as the AI Act) came into force, bringing with it one of the regulatory milestones with the greatest impact in recent years across all economic sectors.

Besides seeking to ensure that artificial intelligence applications respect fundamental rights, this legislation also places clear limits and controls over the development and use of this technology. For the tourism industry, in the midst of a full digital transformation, understanding the legal and practical implications of this regulation is crucial.

What does the AI Act regulate exactly?

The AI Act contains a risk-based regulatory framework and divides AI applications into categories according to their potential impact on fundamental rights and freedoms:

  • Prohibited practices: the AI Act establishes a number of practices for which it is forbidden to use AI because it implies an unacceptable risk (systems distorting behavior using subliminal techniques).
  • High risk: applications requiring strict compliance evaluations before they are implemented, such as those affecting the management of human resources or personal safety.
  • Limited or minimum risk: applications with fewer regulatory requirements, confined mainly to transparency obligations.

What are the roles regarding the use of AI systems?

The AI Act assigns certain obligations to entities using artificial intelligence systems according to the role they have in relation to that use. It identifies two main positions: developer, which is the entity creating and building the system, and deployer, the entity implementing and using the AI system in its activity. Other intermediate positions also exist such as distributor or exporter.

Practical application in the tourism and hospitality industry

There are multiple uses for AI in the tourism industry: ranging from customer service virtual assistants to dynamic pricing algorithms or advanced facial recognition systems used in automatic check-in systems. Under the AI Act, companies will have to evaluate these applications carefully, classify them according to the risk defined in the legislation and comply with the related obligations arising from the Act according to their position with respect to the system.

Below we look at a few specific examples of the implications:

  • Virtual assistants and chatbots: Virtual assistants for customer service and support during the booking process or a stay are a popular AI application. These applications are usually classified as limited or minimum risk systems. Nevertheless, they will still have to be compliant with transparency principles, and users must be notified clearly that they are interacting with an AI system, as well as being informed of the collection and processing of their personal data.
  • Information generators: The use of generative artificial intelligence systems or models is also regulated in the AI Act. Companies will also need to comply with a number of formal analysis and transparency obligations in the deployment of tools of this type.
  • Facial recognition at hotels: Many hotel establishments in European have already started using biometric technology, especially for facial recognition, to speed up guest entry and exit processes. This type of technology poses risks under the personal data legislation as well as under the AI Act. The analyses and assessments that have to be made in these cases are even greater, and in a few cases, entities will have to choose other alternative technology to follow the course mapped out by the supervisory authority’s decisions.

Legal liability and governance

One of the notable new features of the AI Act is the requirement for robust governance and internal control systems. Tourism companies will have to document adequately the development, use and supervision of their AI systems. This includes the obligation to designate specific officers in charge of monitoring legal compliance and handling potential AI related claims or incidents.

Additionally, the legal liability has been toughened in the event of non-compliance. The regulation lays down severe fines that could go up to 6% of total worldwide annual turnover, which increases the need for careful and proactive management.

Recommendations for companies in the industry

In view these new legal requirements companies in the tourism and hospitality industry would be well-advised to adopt the following measures:

  • Carry out internal audits: to identify clearly which AI systems are currently in use and assess their classification under the AI Act in addition to the measures needed for their compliance.
  • Specialized training: to equip technical and legal teams with knowledge of the essential elements of the regulation.
  • Transparency with users: to communicate clearly to customers how AI is used and how their rights are protected.
  • Proactive legal advice: to have access to specialized legal advice on technology and privacy law to ensure that deployment is safe and compliant.

 All in all, preparing for this new regulation is an essential strategic decision for the European tourism industry, on the path towards a safe and sustainable digital future.

Alejandro Padín 

Head of the Data Economy, Privacy and Cybersecurity practice