Encoding Necessity for Standing Government Access to Platform-Held Data: A Three-Axis Model
Download PDF

Keywords

Government data access
Platform regulation
Data minimisation
Proportionality
Interface governance
China
Auditability

DOI

10.26689/jera.v10i5.15268

Submitted : 2026-05-30
Accepted : 2026-06-14
Published : 2026-06-29

Abstract

Government access to platform-held data is increasingly implemented not through isolated requests but through durable interfaces: dashboards, periodic reporting pipelines and application programming interfaces. This shift changes the object of legality. A single request can be assessed by asking whether a stated purpose justifies the particular disclosure. A standing interface, by contrast, creates an ongoing access capability whose intrusiveness accumulates through repetition, aggregation and time. This article develops a three-axis model for encoding the requirement of minimum necessity at the configuration layer of such interfaces. The model treats data fields, extraction frequency and temporal persistence as the minimal auditable surface of standing access, while requiring purpose, recipients, selectors and onward sharing to be recorded in the same authorisation schedule. Using Chinese administrative interface governance as a stress test, especially health-code pipelines and ride-hailing supervisory feeds, the article shows how lawful or plausible access channels can drift through field accretion, cadence escalation and retention extension. EU and US materials are used as design exemplars rather than as complete solutions, illustrating the importance of reasoned requests, strict-necessity limits, duration sensitivity and auditable safeguards. The article concludes by proposing a procedural toolkit: reasoned authorisations, versioned parameter sheets, access logs, renewal triggers, independent audit and remedies for drift. Where feasible, a policy-as-code counterpart can make authorised limits executable at the gateway.

References

Cohen J, 2019, Between Truth and Power: The Legal Constructions of Informational Capitalism, Oxford University Press.

Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation.

Nissenbaum H, 2009, Privacy in Context: Technology, Policy, and the Integrity of Social Life, Stanford University Press.

Zhang X, 2022, Decoding China’s COVID-19 Health Code Apps: The Legal Challenges. Healthcare, 10(8): 1479.

PRC CPC News Network, 2022, Zhengzhou Announces Investigation and Accountability for Red Health Code Assignment to Rural Bank Depositors, June 22, 2022.

PRC Ministry of Transport, et al., 2022, Interim Measures for the Administration of Online Car-Hailing Operation Services.

PRC Ministry of Transport, 2022, Measures for the Operation and Management of the Online Ride-Hailing Supervision Information Interaction Platform.

Carpenter v United States, 138 S. Ct. 2206, 2018.

Ohm P, 2010, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. UCLA Law Review, 2010(57): 1701–1777.

Koops B, 2021, The Concept of Function Creep. Law, Innovation and Technology, 13(1): 29–56.

Dwork C, Roth A, 2014, The Algorithmic Foundations of Differential Privacy. Foundations and Trends in Theoretical Computer Science, 9(3–4): 211–407.

Joined Cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and Others, EU:C:2020:791.

Regulation (EU) 2023/2854 of the European Parliament and of the Council, Data Act.

Regulation (EU) 2022/2065 of the European Parliament and of the Council, Digital Services Act.

National Institute of Standards and Technology, 2020, Security and Privacy Controls for Information Systems and Organizations, Special Publication 800-53 Revision 5.