Quick summary
Italy’s data protection authority, the Garante per la protezione dei dati personali, fined Emirates €180,000 (approximately US$208,000) on June 17, 2026, for two distinct violations: failing to clearly explain to passengers why their health data was being collected via MEDIF forms, and retaining that medical data for seven years — more than double what regulators consider proportionate. The Garante has ordered Emirates to delete all passenger medical records held beyond three years and to overhaul the information it provides during the special-assistance process.
The ruling applies to passengers flying with Emirates from Italian airports, but its implications extend to every airline collecting medical data from EU-departing passengers.
Emirates has been handed a €180,000 fine by Italy’s privacy regulator after an investigation found the airline kept passenger health records for seven years and gave travelers almost no meaningful explanation of why their medical details were being collected in the first place. The Garante launched its inquiry in January 2025 following a complaint from a passenger who needed mobility assistance and was required to complete a Medical Information for Fitness to Travel (MEDIF) form before her flight.
The regulator identified two separate breaches. First, Emirates’ privacy notices — both online and via staff — failed to adequately explain the purpose, legal basis, or scope of health data collection under GDPR Article 9, which governs special-category data including medical information. Second, the airline’s seven-year retention window for those records was ruled excessive and disproportionate, given that most cross-border aviation claims carry a two-year limitation period under the Montreal Convention.
Emirates has since reduced its retention period to three years. The Garante has ordered the airline to go further: delete every medical record held beyond that threshold and rewrite the information passengers receive when submitting health documentation for special-assistance requests.
The ruling lands at an awkward moment. Emirates posted record financial results for the 2024–25 fiscal year, making a €180,000 penalty look more like a regulatory warning shot than a financial deterrent — but the compliance obligations attached to it are real and immediate.
What the Garante actually found — and what Emirates must fix
The Garante’s investigation centered on a single passenger complaint, but the findings exposed systemic gaps in how Emirates handles medical data across its Italian operations. The regulator accepted that airlines have a legitimate interest in collecting health information — assessing fitness to fly and managing in-flight medical risk are genuine operational needs. What it rejected was Emirates’ execution: passengers were not told clearly which categories of travelers must submit MEDIF forms, what the data would be used for, or how long it would be stored.
The seven-year retention period was Emirates’ most exposed position. The airline argued it needed records that long to defend against potential future legal claims. The Garante pointed directly to the Montreal Convention’s two-year statute of limitations for most cross-border aviation disputes, calling the seven-year window disproportionate on its face. Emirates has already moved to a three-year retention ceiling — but the order to actively delete records older than that means the airline now faces a backward-looking compliance task, not just a forward-looking policy change.
| Element | Emirates’ practice | Garante’s finding | Required outcome |
|---|---|---|---|
| Privacy transparency | Incomplete notices on website and via staff | Breach of GDPR Article 9 transparency obligations | Rewrite MEDIF information provided to passengers |
| Data retention period | Seven years for medical records | Excessive — Montreal Convention sets 2-year claims limit | Reduce to three years; delete older records immediately |
| Scope of data collection | No clear guidance on which passengers must submit MEDIF | Lack of clarity on mandatory vs. optional submission | Publish explicit eligibility criteria |
| Fine imposed | — | €180,000 (approx. US$208,000) | Paid to Garante |
For passengers who have submitted MEDIF forms for Emirates flights departing Italy, the practical implication is that records held beyond three years should now be erased — though travelers have no automatic notification mechanism and would need to contact Emirates’ data protection officer directly to confirm deletion of their specific records.
Full details of the Garante’s decision and the scope of Emirates’ compliance obligations are covered in depth by Paddle Your Own Kanoo, which confirmed the investigation timeline, the MEDIF focus, and the deletion order. The AvioSpace breakdown clarifies the two-breach structure and the Montreal Convention’s role in undercutting Emirates’ retention argument.
For travelers planning flights from Europe with Emirates, the compliance changes are already in motion — but verifying what you agreed to when submitting health documentation remains your responsibility for now.
Why airlines keep medical data longer than they should — and who pays the price
The tension at the heart of this case is not unique to Emirates. When a passenger requests wheelchair assistance or flags a recent cardiac procedure, that request travels through multiple hands: airline agents, contracted ground handlers, and sometimes third-party IT vendors managing reservation systems. Commercial teams want comprehensive records to minimize in-flight incidents and manage liability exposure. Regulators insist that only strictly necessary data be gathered and kept for the shortest defensible period.
Those two incentives pull in opposite directions, and airlines have historically defaulted toward retention. Keeping records longer feels safer from a legal standpoint — until a regulator points out that the legal framework you’re citing (here, the Montreal Convention) actually sets a much shorter clock than your retention policy implies.
The British Airways precedent is instructive. The UK Information Commissioner’s Office fined British Airways £20 million in October 2020 after a cyberattack exposed personal and payment data of roughly 400,000 customers — a case focused on security failures rather than medical forms, but one that established European regulators’ willingness to impose eight-figure penalties on major carriers for GDPR violations. The Emirates fine is smaller in absolute terms, but the compliance obligations are arguably more operationally disruptive: rewriting forms, retraining staff, and actively purging records are harder to execute than paying a fine.
For travelers, the systemic shift matters more than this single fine. GDPR is forcing airlines to move from broad, open-ended medical forms toward narrowly defined data sets with explicit consent language — a change that benefits anyone who has ever wondered what exactly an airline does with the health information they submitted three years ago for a flight they barely remember booking.
Protecting your medical data when flying with Emirates or any EU-departing carrier
The Garante’s order is in force, but Emirates’ compliance is still being implemented — passengers who submitted MEDIF forms in the past have no automatic guarantee their older records have been deleted yet.
- Save your MEDIF submission confirmation: When you upload health documentation through emirates.com or any airline’s special-assistance portal, screenshot or download the privacy notice displayed at that moment. This creates a timestamped record of what the airline told you about data use and retention — useful if you later want to request deletion or challenge how long your data was kept.
- Request deletion in writing: If you submitted a MEDIF form for an Emirates flight departing Italy more than three years ago, you have grounds to request deletion under GDPR. Contact Emirates’ data protection officer via the privacy section of emirates.com and ask for written confirmation that your records have been erased per the Garante’s order.
- Ask before you submit with any carrier: Before completing a medical form for any EU-departing flight, ask the airline’s special-assistance desk — in writing, via email — how long your data will be retained and how to request deletion. If their answer significantly exceeds two to three years without a clear legal justification, that’s a flag worth escalating to the airline’s DPO or your national data protection authority.
- Know your rights under GDPR: EU passengers have the right to access, correct, and in many cases delete personal data held by airlines. These rights apply regardless of where the airline is headquartered — Emirates in Dubai is subject to GDPR when processing data of passengers in Italy, as this case confirms.
- Check updated privacy notices before your next special-assistance request: Emirates is required to improve its MEDIF-related disclosures. Before submitting any health documentation on a future Emirates booking, review the updated privacy notice to confirm it now specifies the legal basis for collection, the retention period, and the process for requesting deletion.
Watch: A formal bulletin from Italy’s Garante confirming that Emirates has completed deletion of medical data older than three years — expected within the next 6–12 months — will signal full practical compliance. If that confirmation does not appear, expect closer coordination between the Garante and other EU data protection authorities, with possible joint inspections of airline special-assistance data flows across multiple carriers.
Questions? Answers.
Does this fine mean Emirates misused my medical data?
The Garante found two specific violations: insufficient transparency about why data was collected, and retention periods that were too long. There is no finding that Emirates shared, sold, or misused passenger health data for unauthorized purposes. The breach was about how the airline explained its practices and how long it kept records — not about what it did with the data itself.
I submitted a MEDIF form for an Emirates flight years ago. What can I do now?
Under GDPR, you have the right to request access to and deletion of personal data held by Emirates. Contact Emirates’ data protection officer through the privacy section of emirates.com and ask for written confirmation of what data is held and whether records older than three years have been deleted per the Garante’s order. If Emirates does not respond adequately within 30 days, you can escalate to your national data protection authority — or, if the flight departed Italy, directly to the Garante.
Does this ruling apply only to Emirates, or should I be concerned about other airlines?
The fine applies specifically to Emirates’ Italian operations, but the legal framework — GDPR Article 9 on special-category data — applies to every airline processing health information from EU-departing passengers. The Garante’s action gives other EU data protection authorities a clear template to follow. Travelers submitting medical forms to any carrier for EU-departing flights have the same rights to transparency and data deletion, regardless of which airline they fly.
What is the Montreal Convention and why does it matter here?
The Montreal Convention is an international treaty governing airline liability for passenger injuries, delays, and baggage issues on international flights. Most legal claims under it must be filed within two years of the incident. The Garante used this two-year limitation period to challenge Emirates’ argument that it needed to keep medical records for seven years to defend against future lawsuits — if the legal window closes at two years, retaining data for seven has no proportionate justification under GDPR.