Italy Fines Emirates €180,000 for Mishandling Passenger Health Data 

Italy’s data protection authority has imposed a €180,000 ($208,890) fine on Emirates Airline for breaches involving the processing of sensitive health data belonging to passengers with reduced mobility. The decision, announced on June 17, 2026, highlights ongoing challenges in the travel industry around transparency, data minimization, and storage limitations under the EU’s General Data Protection Regulation (GDPR).

The case originated from a complaint filed by a passenger who claimed Emirates required her to complete a medical form despite not falling into categories that typically necessitate such documentation. While the regulator determined that the collection of health data was lawful and necessary for ensuring safe transport and appropriate assistance, it identified significant violations in how the airline informed passengers and retained the information.

Italian Garante per la Protezione dei Dati Personali

The Italian Garante per la Protezione dei Dati Personali found two primary areas of non-compliance:

  1. Lack of Transparency: Emirates failed to provide sufficiently clear and complete privacy information, both on its website and through staff assisting passengers with reduced mobility. Passengers were not adequately informed about the purposes of data processing, their rights, or the legal basis for handling special category health data.
  2. Excessive Data Retention: The airline retained health data collected via medical forms for seven years, a period the authority deemed excessive and disproportionate to the legitimate purposes of safe air travel and passenger assistance.

Health data qualifies as a “special category” under GDPR Article 9, requiring explicit legal bases (such as explicit consent or substantial public interest) and heightened protections. Airlines must navigate strict rules while complying with international safety standards, accessibility requirements under EU passenger rights regulations, and aviation security protocols.

“The processing of health data itself was lawful as necessary to guarantee safe transport and assistance,” the regulator noted. However, transparency obligations and data storage limits were breached.

Emirates was not immediately available for comment at the time of the announcement. The fine, while not among the largest issued by the Garante, serves as a pointed reminder to global carriers operating in the EU.

Health Data in Air Travel

Passengers with reduced mobility (PRM) represent a significant portion of travelers. EU regulations, including Regulation (EC) No 1107/2006, mandate that airlines provide assistance without discrimination. This often requires collecting limited health-related information — such as mobility needs, medical equipment requirements, or assistance requests — to ensure safe boarding, seating, and in-flight care.

However, GDPR demands that such processing be strictly necessary, transparent, and limited to the minimum data required. Over-collection or indefinite retention can quickly lead to violations. In this case, the passenger’s complaint underscores a common pain point: unclear or overly broad forms that capture more data than needed, coupled with insufficient privacy notices at the point of collection.

The travel sector has faced increasing scrutiny. Airlines and airports handle vast amounts of personal and sensitive data daily — from passport details and biometric information to medical declarations. Previous enforcement actions across Europe have targeted inadequate privacy policies, consent mechanisms, and third-party data sharing with ground handlers or booking platforms.

GDPR Enforcement Trends and Airline Compliance Challenges

Italy’s Garante has been one of the more active EU data protection authorities, issuing multimillion-euro fines in high-profile cases involving major tech firms and service providers. This Emirates decision aligns with a broader pattern of focusing on special category data, transparency (Articles 12-14), and storage limitation (Article 5(1)(e)).

Key GDPR principles at play here include:

  • Transparency: Controllers must provide meaningful information about processing activities in concise, intelligible, and easily accessible form.
  • Data Minimization and Purpose Limitation: Only collect what is adequate, relevant, and limited to what is necessary.
  • Storage Limitation: Data should not be kept longer than necessary for the purposes for which it was collected.

For international airlines like Emirates, compliance is complicated by operations across jurisdictions with varying requirements. EU routes trigger GDPR extraterritorial application (Article 3), meaning non-EU carriers must appoint EU representatives and maintain robust compliance programs when targeting or monitoring EU data subjects.

Industry experts note that many carriers still rely on outdated paper forms or generic website policies that fail to meet the granular, context-specific information standards expected under GDPR. Retention policies often default to long legal hold periods (e.g., for liability or audit purposes) without proper justification or anonymization/deletion protocols.

Implications for Airlines and Travel Industry

This fine, though moderate, carries significant reputational weight. It signals to passengers and regulators that even necessary data processing must be handled with precision. Potential consequences for non-compliant airlines include:

  • Reputational damage among privacy-conscious travelers
  • Follow-on complaints or class actions
  • Increased scrutiny from other EU authorities (fines can reach up to 4% of global annual turnover)
  • Operational disruptions if data processing practices require overhaul

Best practices emerging in the sector include:

  • Dynamic, layered privacy notices at the time of booking and check-in
  • Digital forms with clear explanations of data fields and retention periods
  • Automated deletion schedules and pseudonymization where full retention is not required
  • Staff training on privacy-by-design for passenger assistance
  • Regular Data Protection Impact Assessments (DPIAs) for PRM processes

As air travel recovers and innovations like biometric boarding, health passports, or AI-assisted accessibility services expand, the volume and sensitivity of data processed will only increase. Airlines that treat privacy as a core part of passenger experience design — rather than a compliance checkbox — will gain competitive advantage.

Global Ramifications and Forward Outlook

Emirates, a major international carrier based in Dubai, serves millions of EU passengers annually. The fine underscores that GDPR compliance is non-negotiable for market access in Europe. Other Gulf carriers and long-haul operators will likely review their own medical information protocols in light of this enforcement.

This case also reinforces the importance of accountability in handling special category data. With the EU AI Act and evolving digital passenger rights on the horizon, airlines face a tightening regulatory environment that demands integrated governance of privacy, safety, and customer service.

For privacy professionals and compliance teams, the takeaway is clear: lawful basis alone is insufficient. Robust transparency, proportionate retention, and demonstrable accountability are essential to withstand regulatory review.

As one of the world’s leading aviation hubs, Europe continues to shape global standards in data protection. Carriers ignoring these signals do so at their own risk — and potential financial cost.
