Italy Fines Emirates Over Improper Handling of Passenger Health Data
Italy's data protection authority has imposed a €180,000 fine on Emirates for the improper handling of passenger health data. The penalty follows findings of inadequate transparency and excessive, seven-year data retention practices concerning sensitive medical information collected from passengers with reduced mobility.
Highlights
- •Italy's privacy regulator fined Emirates €180,000 over improper handling of passenger health data.
- •The investigation was triggered by a passenger complaint regarding unnecessary medical form requirements.
- •Authorities cited a lack of transparent privacy information and excessive, seven-year data retention periods.
- •The regulator affirmed that while collecting health data for safety is lawful, strict transparency is required.
Italy's national data protection authority has taken decisive action against Emirates, announcing a significant financial penalty of €180,000 (approximately $208,890). This regulatory move follows an investigation into how the airline managed the sensitive health information of passengers requiring special assistance due to reduced mobility. The incident highlights the growing global scrutiny over the privacy of passenger health data by major international carriers.
The regulatory inquiry was initiated after a formal grievance was filed by a passenger. The individual alleged that Emirates had compelled her to complete a medical documentation form, despite the fact that she did not fall into any of the specific categories that necessitated such detailed health disclosures. This prompted authorities to review the airline's internal procedures regarding the collection and management of sensitive customer records.
Regulatory Findings on Data Handling and Transparency
While the Italian watchdog acknowledged that the processing of health-related information is often essential for ensuring traveler safety and providing appropriate transit assistance, they identified several critical failures in the airline's implementation. Specifically, the regulator determined that the privacy of passenger health data was compromised due to a lack of transparency and adherence to strict storage protocols.
The authority reported that Emirates failed to provide passengers with sufficiently clear or comprehensive privacy notices, both through its digital platforms and during direct interactions with ground staff. Furthermore, investigators discovered that the airline maintained these sensitive medical forms in their internal database for a period of seven years. The regulator concluded that this duration was both disproportionate and excessive, violating standard data minimization principles intended to protect individual privacy.
This enforcement action serves as a stark reminder of the regulatory risks faced by global corporations when handling private data. The ruling emphasizes the necessity for companies to align their internal data management policies with stringent data protection mandates, ensuring that consumer information is handled ethically and transparently. As the privacy of passenger health data continues to be a priority for regulators across Europe, airlines must ensure that their collection practices are justified, transparent, and strictly time-bound to maintain compliance with modern digital rights protections.
