DUBAI- Emirates (EK) has been fined €180,000 (US$208,000) by Italy’s privacy watchdog over how it processed highly personal and sensitive health data belonging to passengers with reduced mobility and certain medical conditions.
The regulator found shortcomings in how the Dubai-based airline informed passengers about the collection and use of their health information, and ordered it to improve its data handling practices and delete medical records held beyond a newly mandated retention period.
Emirates €180,000 Fine Over Passenger Medical Data
Italy’s data protection authority, known as the Garante, launched an investigation into Emirates in January 2025 after a woman alleged that the airline had breached Italian privacy and data protection laws.
The complaint stemmed from a request for mobility assistance before a flight. To obtain support, the passenger was required to complete a Medical Information for Fitness to Travel (MEDIF) form, a standardised aviation document widely used by airlines worldwide to assess whether passengers with medical conditions are fit to fly.
The complainant argued that Emirates collected personal and sensitive health information beyond what was necessary for her request. She claimed the airline’s online process appeared to require passengers to complete every section of the detailed MEDIF form, even when requesting relatively minor assistance.
The woman also alleged that Emirates failed to clearly explain its privacy policy before collecting her information and did not seek her consent before processing her sensitive medical data.
Emirates Defended Use of MEDIF Forms
During the investigation, Emirates maintained that collecting medical information is necessary to ensure passenger safety and provide appropriate support during travel.
In correspondence with the Garante, the airline argued that “air transport takes place in a physiologically peculiar environment,” which can place enormous pressure even on otherwise healthy adults.
The airline said MEDIF forms help assess whether a passenger is fit to travel and reduce the risk of someone suffering a life-threatening medical event at 38,000 feet, where access to medical support is very limited.
Following a review with Italy’s civil aviation regulator, the Garante accepted that airlines have a legitimate interest in collecting medical information when necessary to confirm fitness to fly, arrange appropriate support, and reduce the risk of in-flight medical emergencies.
Garante Identified Transparency and Compliance Failures
Although the Garante acknowledged the airline’s right to collect relevant medical information, the regulator concluded that Emirates failed to provide sufficient transparency about its data processing practices.
According to the watchdog, passengers were not properly informed about why medical information was being collected through the MEDIF process or how that information would be processed after submission.
The regulator also stated that it was unclear which categories of passengers were actually required to provide medical information through the MEDIF form.
Reported by PYOK, the lack of clarity raised concerns about whether passengers could understand when and why sensitive information was being requested.
Data Retention Policy
A key area of concern involved how long Emirates retained sensitive passenger medical information.
The airline told regulators that medical records could be stored for up to seven years because of the possibility of future legal claims. However, the Garante noted that most legal claims involving international airline operations must be filed within two years under the Montreal Convention.
During the investigation, Emirates acknowledged that a shorter retention period was appropriate and began reducing the storage period from seven years to three years.
The Garante subsequently ordered Emirates to delete passenger medical data that had already been retained for more than three years.
Regulatory Orders and Financial Penalty
In addition to imposing the €180,000 fine, the Garante instructed Emirates to improve the information provided to passengers throughout the MEDIF process.
The airline must clearly explain why medical information is being collected, how the data will be processed, and under what circumstances passengers are required to provide health-related documentation.
Stay tuned with us. Further, follow us on social media for the latest updates.
Join us on Telegram Group for the Latest Aviation Updates. Subsequently, follow us on Google News
