1. Introduction: AI Transformation in European Tourism and Hospitality

The European tourism and hospitality sector increasingly uses Artificial Intelligence (AI) for:

• hotel booking recommendations,
• dynamic pricing,
• chatbots and virtual assistants,
• automated check-in,
• facial recognition,
• customer profiling,
• fraud detection,
• personalised marketing,
• workforce scheduling,
• travel route optimisation.

The EU approach is based on “trustworthy AI”, requiring AI systems to respect safety, transparency, fundamental rights, and accountability. The EU AI Act (Regulation (EU) 2024/1689) introduces a risk-based framework applying to providers and deployers of AI systems used in the EU.

Tourism AI liability mainly arises from:

• wrong automated decisions,
• discrimination,
• privacy violations,
• misleading recommendations,
• unsafe automated services,
• defective AI products,
• lack of human oversight.

2. Types of AI Used in Tourism and Hospitality

A. AI Booking and Recommendation Systems

Examples:

• suggesting hotels,
• ranking destinations,
• personalised offers.

Legal risks:

• hidden discrimination,
• unfair ranking,
• manipulation of consumer choices.

Example:

An AI system consistently recommends expensive hotels to certain customer groups based on personal data.

B. Dynamic Pricing AI

Hotels and airlines use AI to adjust prices.

Benefits:

• demand forecasting,
• revenue optimisation.

Risks:

• unfair price differences,
• exploitation of vulnerable consumers,
• lack of transparency.

C. AI Chatbots and Virtual Assistants

Used for:

• reservations,
• customer complaints,
• travel information.

Liability questions:

If a chatbot gives incorrect information about:

• cancellation rights,
• visas,
• hotel conditions,

who is responsible?

Possible responsible parties:

• hotel operator,
• AI provider,
• platform provider.

D. Facial Recognition and Automated Check-in

Used for:

• hotel entry,
• identity verification.

Risks:

• biometric data misuse,
• unlawful processing,
• security breaches.

3. European AI Liability Framework

AI liability in Europe comes from several legal layers:

1. EU AI Act

The AI Act regulates AI providers and users through risk categories:

• prohibited AI,
• high-risk AI,
• limited-risk AI,
• minimal-risk AI.

It requires obligations such as:

• transparency,
• risk management,
• human oversight,
• documentation.

2. GDPR

Hospitality businesses process:

• names,
• passport details,
• payment information,
• preferences,
• location data.

AI processing must satisfy:

• lawful basis,
• data minimisation,
• purpose limitation,
• security.

3. Product Liability Rules

Where AI causes damage due to a defective product or service, liability may arise against:

• manufacturer,
• software provider,
• supplier,
• operator.

4. Main Liability Issues in Hospitality AI

A. Wrong AI Decisions

Example:

AI booking system incorrectly cancels reservations.

Question:

Is the hotel responsible if the decision was automated?

European law increasingly focuses on human accountability.

B. AI Discrimination

Example:

AI pricing system charges different prices based on:

• nationality,
• location,
• behavioural profile.

Potential violation:

• equality principles,
• consumer protection rules.

C. Lack of Transparency

Customers may not know:

• why a price changed,
• why a recommendation appeared,
• why service was denied.

D. AI Hallucinations

Example:

Hotel chatbot invents:

• unavailable facilities,
• fake discounts,
• incorrect policies.

The hospitality business may still face consumer liability.

5. Important European Case Laws

Case 1: Google Spain SL v AEPD and Mario Costeja González

CJEU Case C-131/12
Year: 2014

Background:

A person requested removal of outdated search results appearing online.

Judgment:

The Court recognised the right to control personal information.

Tourism and Hospitality Impact:

Hotels and travel companies using AI customer profiling must respect:

• deletion rights,
• privacy rights,
• data accuracy.

AI systems cannot permanently retain unnecessary guest profiles.

Case 2: Wirtschaftsakademie Schleswig-Holstein GmbH

CJEU Case C-210/16
Year: 2018

Background:

A company operated a Facebook fan page and processed visitor data.

Issue:

Who is responsible for data processing?

Judgment:

Entities using platforms can share responsibility with technology providers.

Hospitality Impact:

A hotel using:

• AI marketing platforms,
• booking analytics,
• customer profiling tools

may share responsibility with AI vendors.

Case 3: Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW

CJEU Case C-40/17
Year: 2019

Background:

A website used embedded social media tools collecting user data.

Judgment:

Website operators may be responsible for certain data processing activities.

Tourism Impact:

Travel websites using:

• AI advertising tools,
• tracking systems,
• recommendation engines

cannot avoid responsibility by blaming third-party technology providers.

Case 4: Schrems II — Data Protection Commissioner v Facebook Ireland

CJEU Case C-311/18
Year: 2020

Background:

Concerned transfer of EU personal data outside Europe.

Judgment:

The Court invalidated the EU-US Privacy Shield framework.

Hospitality Impact:

Hotels using international AI platforms must ensure:

• lawful data transfers,
• adequate safeguards,
• guest privacy protection.

Case 5: Österreichischer Rundfunk (ORF) v Commission / Data Protection Principles

CJEU Case C-465/00, C-138/01, C-139/01
Year: 2003

Background:

Concerned privacy and publication of personal information.

Principle:

Privacy restrictions require balancing with legitimate interests.

Tourism AI Impact:

Hospitality AI cannot collect excessive guest information simply because personalisation improves service.

Case 6: S. and Marper v United Kingdom

ECtHR Cases 30562/04 and 30566/04
Year: 2008

Background:

UK authorities retained DNA information of individuals.

Judgment:

Excessive retention of biometric information violated privacy rights.

Hospitality Impact:

Hotels using:

• facial recognition check-in,
• biometric access systems

must apply strict limits on:

• collection,
• storage,
• deletion.

Case 7: Glawischnig-Piesczek v Facebook Ireland

CJEU Case C-18/18
Year: 2019

Background:

Concerned online platform responsibility for illegal content.

Principle:

Platforms may have obligations regarding harmful content.

Tourism AI Impact:

AI travel platforms hosting:

• reviews,
• recommendations,
• automated content

may face responsibility for harmful outputs.

6. AI Liability Example Scenarios in Tourism

Scenario 1: AI Hotel Pricing Error

AI increases prices unfairly during emergencies.

Possible liability:

• consumer protection violation,
• unfair commercial practice.

Scenario 2: AI Concierge Gives False Advice

Chatbot says:

“Your booking can be cancelled anytime.”

Actual policy:

Non-refundable.

Possible responsibility:

Hotel operator because the AI acted as its service representative.

Scenario 3: Facial Recognition Wrongly Rejects Guest

AI incorrectly identifies a guest.

Possible issues:

• discrimination,
• privacy violation,
• inadequate human review.

7. Compliance Model for European Hospitality Businesses

A responsible AI system should include:

Governance

• AI risk assessment
• clear responsibility allocation
• vendor contracts

Technical Controls

• accuracy testing
• cybersecurity protection
• monitoring
• human override

Customer Protection

• AI disclosure notices
• complaint mechanisms
• explanation of automated decisions

8. Future Challenges

AI Travel Agents

Future AI systems may:

• book hotels,
• negotiate prices,
• change itineraries.

Legal question:

Who is responsible when an autonomous AI agent makes a harmful decision?

Emotion Recognition in Hospitality

AI analysing guest emotions may create privacy concerns.

Personalisation vs Privacy

The industry must balance:

better experiences

against

excessive surveillance.

Conclusion

European law does not prohibit AI in tourism and hospitality. Instead, it places responsibility on businesses that deploy AI.

The core principle is:

AI may automate hospitality services, but legal responsibility remains human and organisational.

European case law shows that:

• customer data requires protection,
• businesses cannot avoid liability by blaming technology providers,
• AI decisions affecting consumers must be transparent and fair,
• automation must respect privacy, equality, and consumer rights.

The future European hospitality model will likely be based on AI innovation combined with accountability, human oversight, and strong consumer protection.