SMART INFERENCE-DRIVEN RISKS: LEGAL CHALLENGES UNDER THE GDPR AND THE EGYPTIAN PDPL

Abstract

This paper examines the legal dilemma surrounding inferences about sensitive data and how the EU General Data Protection Regulation (GDPR) and the Egyptian Personal Data Protection Law (PDPL) treat such inferences as sensitive data. Using doctrinal research supported by a review of the jurisprudence of the Court of Justice of the European Union (CJEU), this study explores how both frameworks address the protection of inferred data. This analysis reveals significant overlap in the definitions of personal and sensitive data, confusion over consent requirements in Egypt, and heightened risks of discrimination arising from inferred data. Moreover, the existing risk assessment mechanism is insufficient to produce a protection for the inferred data and indicates the necessity for an impact assessment akin to that of the GDPR. This study addresses a proposed framework for the Egyptian legislature and courts for the inferred data that could be assessed through the risk criterion, the data subject’s rights with inferences, and the controller and processor’s transparency obligation. Furthermore, the paper argues that recognition of such inferences as sensitive data is globally essential for ensuring stronger safeguards in the era of AI and big data and addresses global lessons for other jurisdictions that have not yet recognized sensitive data.