Oyo Hotels' Real-Time Digital Record Database Sparks Privacy Fears

Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears is a BloombergQuint news report published on 16 January 2019, written by Nishant Sharma. The article covers OYO Hotels’ pilot plan to maintain a real-time digital database of guests and share it with law-enforcement agencies, which triggered a backlash over privacy and data security. Sunil Abraham and Pranesh Prakash are both quoted on the risks of data centralisation and the absence of a legal framework governing the use of such data.

Contents

  1. Article Details
  2. Full Text
  3. Context and Background

Article Details

📰 Published in:
BloombergQuint
📅 Date:
16 January 2019
👤 Author:
Nishant Sharma
📄 Type:
News report
🔗 Publication Link:
Not available (original URL no longer accessible)

Full Text

Oyo Hotels' pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create "stronger data security net". Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank the Centre for Internet and Society, told BloombergQuint. "If someone manages to break into the police data, or where the data is stored, then they will be able to have access to the data. It is always good to store data locally."

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. "Because there is no law, the entities can do it."

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there's a law on what happens in the case it's misused. There is no legal framework about how and where the data will be used, he said.

Back to Top ⇧

Context and Background

The article was published in January 2019, a period when India’s Personal Data Protection Bill was still in draft form and no comprehensive data protection legislation was in force. OYO’s announcement came against this regulatory vacuum, which is precisely what Pranesh Prakash’s comment addresses: digitisation of sensitive guest data was proceeding without any legal framework specifying how the data would be stored, accessed, or remedied in case of misuse.

Sunil Abraham’s concern about centralisation echoes a consistent thread in CIS’s work on data governance: distributed or local storage is inherently more resilient than a centralised database, which presents a single point of failure for a large-scale breach. The Marriott hack referenced in the article — affecting 500 million guests — provided a timely and concrete illustration of that risk.

The OYO episode was part of a broader pattern in 2018–19 in which Indian technology companies, often with government encouragement, were building large-scale data collection infrastructure in the absence of privacy law. The Personal Data Protection Bill introduced in December 2019 would have addressed some of these concerns, but it was eventually withdrawn in 2022 and replaced by the Digital Personal Data Protection Act of 2023, which came into force years after episodes like this one had already set precedents on the ground.

📄 This page was created on 11 March 2026. You can view its history on GitHub, preview the fileTip: Press Alt+Shift+G, or inspect the .