SMART INFERENCE-DRIVEN RISKS: LEGAL CHALLENGES UNDER THE GDPR AND THE EGYPTIAN PDPL
DOI: https://doi.org/10.46763/BSSR252626227h
Abstract
This paper examines the legal dilemma surrounding inferences about sensitive data and how the EU General Data Protection Regulation (GDPR) and the Egyptian Personal Data Protection Law (PDPL) treat such inferences as sensitive data. Using doctrinal research supported by a review of the jurisprudence of the Court of Justice of the European Union (CJEU), this study explores how both frameworks address the protection of inferred data. The analysis reveals significant overlap in the definitions of personal and sensitive data, confusion over consent requirements in Egypt, and heightened risks of discrimination arising from inferred data. Moreover, the existing risk assessment mechanism is insufficient to protect inferred data, which indicates the need for an impact assessment akin to that of the GDPR. The study proposes a framework for the Egyptian legislature and courts under which inferred data could be assessed through the risk criterion, the data subject’s rights regarding inferences, and the transparency obligations of the controller and processor. Furthermore, the paper argues that recognizing such inferences as sensitive data is globally essential for ensuring stronger safeguards in the era of AI and big data, and it draws global lessons for other jurisdictions that have not yet recognized sensitive data.
Permissions
Authors are expected to obtain permission from copyright holders for reproducing any illustrations, tables, figures or lengthy quotations previously published elsewhere. BSSR will not be held accountable for any copyright infringement caused by the authors.
Copyright
The content offered in the BSSR remains the intellectual property of the authors and their publishers respectively. University “Goce Delcev” - Shtip, R. Macedonia and BSSR keep the right to promote and re-publish the texts.
