Italy’s data protection authority, the Garante per la protezione dei dati personali, fined Emirates (EK) €180,000 (approximately US$208,000) on 17 June 2026 over how the airline processes sensitive health data submitted by passengers with reduced mobility. The Garante — which is widely considered one of the most active and influential data protection regulators in the European Union — opened its investigation in January 2025 following a formal complaint by a passenger who alleged that Emirates had breached Italian privacy and data protection laws. The case centred on the airline’s use of a MEDIF form, a standardised Medical Information for Fitness to Travel document that Emirates, which introduced a new livery to show solidarity with the UAE during the war in Iran, requires passengers with health conditions to complete when requesting mobility assistance.
The Garante accepted that Emirates had a lawful basis for collecting medical data from passengers to assess fitness to fly and determine the appropriate level of on-board support, Paddle Your Own Kanoo reported. However, it found two separate violations: the airline failed to inform passengers clearly how their health data would be used, and it retained that data for up to seven years — a retention period the authority ruled was excessive and disproportionate. The Garante ordered Emirates to delete all passenger health data held for more than three years and to improve the information it provides to passengers at the point of data collection. A fine of €180,000 accompanied those remedial orders.

What Triggered the Investigation: A Passenger’s Complaint About the MEDIF Form
The complaint that prompted the Garante’s probe was filed in January 2025 by a woman who had requested mobility assistance from Emirates ahead of a flight. In order to receive that assistance, the airline required her to complete an online MEDIF form. She objected on two grounds. First, she argued that Emirates appeared to require every field in the detailed form to be completed, even for minor assistance requests that did not clinically justify such comprehensive disclosure. Second, she said Emirates did not clearly explain its data privacy policy before she submitted the form, and did not obtain her explicit consent before processing her health data.
The MEDIF is a standardised document used by many airlines worldwide to assess whether a passenger with a health condition is physically fit to fly. Emirates, in its correspondence with the Garante, noted that “air transport takes place in a physiologically peculiar environment” and argued that the form helps prevent in-flight medical emergencies at altitude, where clinical support is very limited.
The Garante, after consulting Italy’s civil aviation regulator, accepted that position in principle. The collection of medical data was found to be lawful. The violations identified were procedural, not substantive: it was the absence of transparency around the data collection process, and the length of time the data was retained, that the authority penalised.
Further, Paddle Your Own Kanoo reported that the Garante also noted that it was unclear which categories of passengers were actually required to submit their personal information via the MEDIF form — a finding that suggested the airline’s communications around the form lacked basic specificity.

The Seven-Year Retention Period and The Montreal Convention Defense
The most significant factual dispute in the case concerned how long Emirates kept passenger health data. Emirates held MEDIF data for up to seven years, citing the risk of future legal claims from passengers as justification for the extended retention window. The Garante rejected that argument. Emirates later admitted that most legal claims against airlines on international routes are governed by the Montreal Convention, which imposes a strict two-year statute of limitations running from the date of arrival at destination. Under the Convention, any claim not filed within that two-year window is extinguished.
The Montreal Convention is an international treaty ratified by more than 140 countries, including all EU member states, that governs liability for passenger injury, death, baggage damage, and flight delays on international routes. Its Article 35 sets a firm two-year deadline for bringing claims, with no provision for extension based on a claimant’s later discovery of the issue. Emirates’ own concession that this two-year window covers most claims significantly undermined its justification for a seven-year data retention period. The Garante found the seven-year window to be excessive and disproportionate to the airline’s actual legal exposure.
Emirates has already begun reducing the retention period to three years. The Garante ordered it to delete all passenger health data registered on its database for more than three years.

How Italy’s Garante Enforces GDPR
The fine against Emirates was issued under the General Data Protection Regulation (GDPR), which applies directly across all EU member states, including Italy. Italy layers its own national Privacy Code (Legislative Decree 196/2003) on top of the GDPR, and also enacted a dedicated AI law — Law No. 132/2025 — in September 2025. The Garante is the supervisory authority responsible for monitoring compliance with both frameworks and has the power to issue fines of up to €20 million or 4% of a company’s global annual turnover under GDPR Article 83.
The Garante is among Europe’s most prolific enforcement authorities. In 2026 alone, it has taken action against several entities, including ITA Airways and Alitalia, which were jointly fined €1.25 million in March 2026 for the unlawful transfer of employee personal data during the transition between the two carriers. The authority’s inspection programme for January to July 2026 explicitly focused on data breaches involving public databases, electronic health records, and biometric recognition systems — signalling continued attention to the processing of sensitive personal data in regulated sectors, including transport and aviation.
The Garante has also previously found the FaceBoarding facial recognition system at Milan Linate Airport unlawful due to GDPR non-compliance, demonstrating that aviation data practices in Italy fall squarely within its enforcement perimeter. Health data — classified under GDPR Article 9 as a special category of personal data requiring heightened protection — receives particular scrutiny. Airlines processing medical information about passengers with reduced mobility are processing data at the intersection of health, disability, and international travel, all of which attract regulatory sensitivity.

Garante Found Two Specific Violations
The Garante’s ruling against Emirates identified two distinct breaches, both relating to the processing framework around the MEDIF form rather than the collection of health data itself:
- Lack of transparency: Emirates failed to provide sufficiently clear and complete privacy information to passengers, either on its website or through the staff assisting them. The Garante also found it was unclear which categories of passengers were required to complete the MEDIF form, meaning passengers had no reliable way to determine whether their specific assistance request actually required full medical disclosure.
- Excessive data retention: The seven-year retention period for health data was found to be disproportionate, particularly after Emirates acknowledged that most legal claims on international routes fall under the Montreal Convention’s two-year limitation period.
The authority did not find that the data collection itself was unlawful. It accepted that Emirates needed medical information to ensure passenger safety and manage in-flight medical risk. The distinction the Garante drew — between the lawfulness of the purpose and the unlawfulness of the process — is an important one. An airline may have a legitimate reason to collect sensitive health data. That does not exempt it from GDPR obligations around transparency, consent, and proportionality in how that data is stored and used.

Emirates is Under Multiple Pressures
The Italian fine comes at a complex moment for Emirates. As previously reported by aviospace.org, the airline removed nearly one in six of its June 2026 services in a single scheduling update, reducing daily departures from Dubai International Airport (DXB) from 237 to 200 as a consequence of geopolitical disruption tied to the conflict in Iran. The cuts affected 47 airports across six continents and removed 480,000 departing seats in a single week.
Despite that operational pressure, the Emirates Group posted a record profit of AED 24.4 billion (US$6.6 billion) for the 2025–26 financial year, triggering a 20-week salary bonus for approximately 130,000 employees. The airline operates flights to 137 destinations across 72 countries. In that context, a €180,000 fine is financially immaterial for Emirates. The significance of the ruling lies elsewhere: in the compliance obligations it creates, the reputational signal it sends, and the precedent it sets for how European regulators treat airline health data practices.
On the commercial side, the carrier was also reported on 17 June 2026 to have introduced its own version of EU-style passenger rights protections — though available to passengers only as a paid add-on. That development, alongside the Garante fine, reflects mounting pressure on Gulf carriers to align their passenger-handling practices with European regulatory expectations.

What Airlines Must Do Under GDPR When Collecting Health Data
The Emirates case illustrates a compliance gap that is not unique to one airline. Many carriers use the MEDIF form or equivalent documents as part of standard procedures for passengers with reduced mobility, health conditions, or special assistance needs. Those forms collect data that falls under GDPR Article 9 — special category personal data — which requires not just a legal basis for processing but also an explicit legal basis drawn from a narrower list of permitted grounds, such as vital interests or explicit consent.
Under the GDPR, controllers processing special category data must:
- Provide clear, complete privacy information at or before the point of data collection, including the purpose, legal basis, retention period, and the rights of the data subject.
- Apply data minimisation principles: only data that is strictly necessary for the stated purpose may be collected. Requiring passengers to complete every field of a detailed medical form for minor assistance requests risks violating this principle.
- Limit retention: data must not be held for longer than necessary. Retention periods must be tied to the actual purpose, not to a theoretical maximum legal exposure.
- Obtain explicit consent where that is the chosen legal basis — or document a clearly applicable alternative legal ground under Article 9(2) GDPR.
The European Data Protection Board’s 2026 coordinated enforcement initiative focuses specifically on transparency obligations across all member states. The Garante is participating in that initiative, meaning aviation operators should expect heightened scrutiny of privacy notices and MEDIF-related data processing documentation across Europe in the months ahead.