Location : Home > Resource > Paper > Theoretical Deduction
Wang Xixin | ​​The Risks of Government Data Aggregation and Its Legal Controls
2024-07-15 [author] Wang Xixin preview:

[author]Wang Xixin

[content]

The Risks of Government DataAggregation and Its Legal Controls



Author Wang Xixin

Professor,School of Law, Peking University;

and Executive Director, Law and Development Academyof PKU



Abstract: Government datacollection is the foundation of digital government construction, but also hascertain legal risks, from the requirements of the deep integration of digitalgovernment and the rule of law government, it is necessary to clarify its legalrisks and control them. Based on the different legal relationships betweendata-providing authorities and data-using authorities, governmental dataaggregation activities can be summarised into three modes: modular aggregationbased on business synergy, vortex aggregation based on mutual assistance of resources,and pivotal aggregation based on coordination and command relationships.According to the typology of data aggregation, the legal risks of governmentaldata aggregation can be further analysed: first, the risk of overstepping theauthority by alienating the authority and responsibility of the law into the"authority and responsibility of the number of determination";second, the risk of data misuse induced by the data aggregation of the loss ofcontrol of the power; third, the risk of over-monitoring by integratingpersonal information, which impedes the citizens' personality development;fourth, the risk of blurring the attribution of responsibility, which breedsthe risk of the development of the citizens' personality. In order to controlthese risks, it is necessary to follow the guidance of the rule of law valuesystem, orientated to the operation logic of governmental data collection, andtransform and upgrade the control technology of administrative rule of law. Onthe one hand, a mechanism for evaluating the legitimacy of data collectionactivities should be established to ensure the necessity of collection, thenecessity of sharing, and the legitimacy of procedures, and to promote a fitbetween the data-sharing structure and the configuration of legal powers andfunctions; on the other hand, the internal administrative supervision mechanismand the mechanism for assigning responsibility should be improved, and at thesame time, effective remedies should be provided for the data subjects.

Keywords: data sharing, holistc government,digital rule of law government, digital administration


1. The need for governmentdata aggregation and its risk perception


Inthe governance of the country, government governance is always faced with thechallenge of "capacity deficit" in the face of the huge scale ofspace and population and the complexity of affairs. Accordingly, the desire tostrengthen governance capacity constitutes an important guideline for theoperation and transformation of administrative power. When new technologiesemerge, "technological empowerment" becomes an important option tostrengthen governance capacity. Nowadays, against the backdrop of a new roundof technological revolution, the introduction of digital technology into governmentgovernance has become a trend of governance change. China's digital governmentconstruction is the practical unfolding of this technology-enabled logic.

Inthe construction of digital government, the collection of government data is abasic project. Nowadays, "one-netcom office"(“一网通办”),"multi-code", "cross-provincial" and other government datasharing practices are emerging, and the "Guidelines for theConstruction of a Nationally Integrated Big Data System for Government Affairs"clearly emphasises that the nationally integrated data-sharing architecturewill regulate social risks and improve the quality of public services. In thecontext of digital administration, data transfers between organisations are nolonger individual, sporadic, or occasional interactions, but ratherlarge-scale, continuous, and automated data sharing aggregations. Based on thepolitical and economic benefits of big data, the aggregation of various typesof data resources has become a fundamental element of "digital empowerment"and even "data empowerment", and a large-scale specialised databaseand information-sharing platform has been gradually established with real-timeupdating and continuous capacity expansion,andthe aggregated big data are continuously transformed into governanceperformance and financial resources.

Theaggregation of government data refers to the transmission, transfer andaggregation of data collected by various administrative organs or departmentsamong different administrative organs, so that the data resources can becombined from division to composition, constituting overall government data. Inthis regard, some policy documents use the concept of "sharing";China's Personal Information Protection Law uses the concepts of"transmission" and "provision"; and some foreign legaldocuments use the concept of "transfer". The concept used in China'sPersonal Information Protection Law is "transmission" and"provision"; the concept used in some foreign legal documents is"transfer". This paper mainly adopts the concept of"pooling", in order to highlight the resultant characteristics fromdecentralisation to wholeness behind this kind of transmission and transfer. Inthe specific elaboration, for the sake of convenience and contextualconsiderations, it is not strictly differentiated from other similar concepts.In addition, this paper does not distinguish between the concepts of"government data" and "government information", nor does itdistinguish between the subconcepts of "personal data" and"personal information". The subconcepts of "personal data"and "personal information" are also not distinguished.

Whileempowering administrative power, data aggregation, sharing and application havealso shaped increasingly large digital technology systems. While data aggregationactivities have broken down data silos, they have also brought about thereproduction, extension and reorganisation of digital power among differentinstitutions, altering the logic of the operation of administrative power, andare likely to lead to the uncontrolled use and even misuse of big data. In thisregard, some studies have already focused on the legal risks of government datapooling and expressed concerns about government data sharing. However, thereare still certain deficiencies in the established discussions: firstly, theresearch is not refined enough, often discussing the activity of governmentaldata pooling as a broad research object, and not combining differentorganisational law constructs to conduct a precise typological analysis.Second, the comprehensiveness of the research is insufficient, focusing mainlyon some personal information protection issues in governmental dataaggregation, and lack of attention to administrative law issues such as thelegalisation of rights and responsibilities and the consistency of rights andresponsibilities brought about by data aggregation activities. Thirdly, theanalytical framework is not systematic enough, and there is a lack of aconceptually clear, structurally complete and systematically coherent rule oflaw analytical framework, which makes it impossible to formulate an effectiverisk regulation scheme for the current complex data aggregation practice.

Thispaper attempts to provide a normative and holistic analytical framework for therisk control and rule of law constraints of governmental data aggregationactivities. Firstly, the basic types and practical features of governmentaldata aggregation are sorted out from the legal relationship between dataproviding authorities and data utilising authorities. Secondly, on the basis ofthe typology, the legal risks of governmental data pooling activities areanalysed, and the real challenges brought by governmental data pooling to theadministrative rule of law are summarised. Finally, it further discusses thecorresponding risk control programmes in the light of the risks of dataaggregation activities.


2. Main Scenarios andModels of Government Data Aggregation


Inorder to promote the standardisation and rule of law in governmental data collectionactivities, it is first necessary to clarify a key question: what is the powerbase of governmental data collection? Compared with the behaviour of a singleorgan processing data on its own, the behaviour of governmental data collectionhas the characteristics of multiple subjects and interactivity. The legalrelationship between the organs involved in data collection is different, andthe corresponding basis and foundation of authority are also different. Basedon the administrative authority basis of data collection, governmental datacollection activities can be divided into three modes: first,"modular" collection, i.e., multiple administrative organs, based onthe commonality of task fulfilment, carry out data collection in the process ofbusiness collaboration; second, "vortex" collection, i.e., in theprocess of specific management objectives, data collection is carried out bymultiple administrative organs in the process of business collaboration. Thesecond is "vortex-type" pooling, i.e., driven by specific managementobjectives, multiple administrative organs that are not cross-functional pooldata resources around a certain data integration demand, and the pooled bigdata becomes a resource for the data utilisation organs to perform their duties;and the third is "pivotal" pooling, which is based on theorganisational law hierarchical relationship, the higher-level organs canadjust and allocate the flow of data resources of the lower-level organs to thelower-level organs, and the higher-level organs can adjust and allocate theflow of data resources to the lower-level organs. The third is"hub-type" aggregation, i.e., based on the hierarchical relationshipin the organisational law, higher-level authorities can adjust and allocate theflow and utilisation of data resources of lower-level authorities, inparticular, control the specific operation of the first two aggregation modesthrough specific commanding hubs. The following is a brief analysis of thelogic and practice of different modes of data pooling.


2.1Modular pooling based on business synergy relationships

Withthe complexity of social life, driven by specific administrative tasks, theprocess of administrative activities involving multiple administrative organsand combined by multiple staged behaviours has been the norm in modernadministration. This multi-stage process is embedded with administrativecollaborative relationships such as operational co-operation, power constraintsand effect undertakings. However, the decentralised set-up of organisationshas, to a certain extent, led to the fragmentation of public administration,overlapping jurisdictions and sectoral centrism, weakening the public sector'sability to work together. The core concept of the current "wholegovernment" construction lies in the fact that, in the light of specificadministrative tasks and real governance needs, the powers and functions ofdifferent departments and administrative organisations should be consolidatedto form a business collaboration module, so as to make the policy outputs ofthe relevant organisations consistent. In this process, the aggregation ofgovernment data becomes a key factor in promoting departmental collaboration.When administrative organs with common tasks and related competencies worktogether and participate in administrative tasks according to specificmanagement processes, each organisation can be regarded as part of a holisticand integrated module, and data transmission between organisations in such ascenario belongs to modular aggregation. At this time, the data processingactivities of the providing organ and the data processing activities of theutilising organ are highly interrelated in terms of responsibilities, and dataaggregation can effectively eliminate information asymmetry and fragmentationbetween the providing organ and the utilising organ.

Publicservice integration reform is a typical scenario of modular aggregation ofgovernment data. Taking problem solving as the starting point, focusing governmentorganisation on solving problems rather than delineating departmental divisionof labour inevitably requires administrative task-oriented business grouping,functional integration and data pooling. In welfare administration, forexample, the concept of focusing on the needs of the public rather than ongovernment management has become more prominent, and the mode ofinter-organisational data flow has also changed. Welfare administration coversall aspects of life, and is both broad and complex. Almost all social securityprogrammes require the use of personal information of natural persons, such asa large amount of information at the start of the programme as a basis forinitiation, and the collation and analysis of personal information during theoperation of the programme. However, the same social security matter ofteninvolves the authority and responsibility of multiple authorities, which maybring about problems of fragmentation, segregation and cumbersomeness caused byorganisational decentralisation. Another example is that the determination ofretirement benefits may involve administrative professional judgements ondisease conditions, work injury determination, household registration status,etc. The approval of guaranteed housing involves a number of departments, suchas housing management, civil affairs and trade unions. Under the traditionalbusiness workflow, the respective information systems of public servicedepartments are neither compatible nor shared, and applicants often need to requestdifferent authorities to carry out investigations and verification and issuecertificates in respect of the same matter, which is not only inefficient, butalso prone to inducing the risk of mutual contradiction among differentauthorities.

Inview of this, the goal of integrating welfare administration requiresinter-agency functional integration and data pooling as a means to that end.Through data collection and analysis, it is possible to more accurately gaugethe basic situation of the applicant and help the relevant administrativeauthorities to make more objective and rational administrative decisions. Incomparative law, Article 69, Title 10 of the German Social Code (DasSozialgesetzbuch) provides a broad authorisation for the sharing of informationin the course of the joint and co-operative efforts of related administrativeorgans to complete social administrative tasks in successive stages. Therationale behind this is that, although these administrative bodies are notsubordinate to each other, the social tasks they perform are similar, and thesharing of information between them can help to improve the quality of publicservices and save administrative costs. It is therefore important to view thedifferent organs performing social administration tasks as a whole and toeliminate the fragmentation of information caused by the fragmentation oforganisations. If the information collected and stored by a socialadministration organ in accordance with its legal duties contributes to theachievement of the social security tasks of other administrative organs, thecollection and subsequent sharing of information may be understood as aprocessing activity carried out under the overall purpose, thus avoiding therestriction of the principle of limitation of purpose in the PersonalInformation Protection Law. Historically, in the 1980s, the German FederalConstitutional Court put forward the requirement of "informationseparation", stressing that the government is not a unified"information unit" but consists of different departments, and thatthe importance of the division of information power should be emphasised. Itshould emphasise the importance of the division of information powers, andrequire each department to handle information only within its own scope ofauthority and responsibility, and for specific purposes, so as to constrain thegovernment's information powers. However, with the advancement of publicservice integration and digitisation, "information separation" nolonger formally emphasises inter-departmental constraints on the flow ofinformation, but rather allows cross-departmental and cross-territorialadministrations to share information within the organisational module based onthe same administrative tasks, in order to improve administrative efficiency.

Similarly,the phenomenon of modular pooling has emerged in the field of risk regulation.In a risk society, the government is faced with the task of regulating"holistic risks". Traditional administration is centred on functionaldepartments, and officials tend to deal with problems within their ownjurisdictions, making it difficult to take a holistic view of the risks thatcan easily trigger a chain reaction, and lacking a systematic and globalapproach to governance. A fragmented administration responding to increasinglycomplex risk governance needs will inevitably result in more and moremanagement gaps being overlooked or not being filled, resulting in"organised irresponsibility". This places higher demands on thecoordination and flexibility of the administrative system. The administrativelaw of risk involves a complex network of facts and interests, and the relevantadministrative decisions must have the characteristics of "cross-sectoralcollaboration" and "integration". Take the major risk facilitysiting as an example, the performance of administrative tasks is centred on thesiting of the planning, construction, operation, maintenance, supervision andother aspects of the process, which may involve planning, land management,environmental protection, electric power approval and supervision of a numberof departments, the need for the departments to make a comprehensive decision,which also forms the corresponding behavioural process and data collection.


2.2Aggregation of vortex based on the goal of resource sharing

Theconcept of mutual assistance is inherent in "administrativeintegration". In order to improve the overall administrative efficiency,different administrative organs share resources to the necessary extent, whichis in line with the principle of efficiency. In the digital age, governmentdata is increasingly considered an administrative resource, and thenon-competitive and non-exclusive nature of data resources allows differentadministrative authorities to reuse the same data set. This process can resultin overall savings in data collection costs for administrative activities. Inthis sense, even if there is no direct business synergy between data-providingand data-utilising authorities, there is a drive to break downinter-organisational data barriers based on administrative resource sharing andefficiency considerations. In administrative practice, such aggregation isoften driven by the task centred on achieving specific management objectives,and all relevant data are aggregated as much as possible to achieve the goal ofdigital empowerment. In this data aggregation model, different organisations'spin' around a particular administrative task at the centre, and data fromdifferent organisations may be transferred across modules based on modularaggregation to serve the central task. In contrast to information sharing in adhoc, one-off administrative assistance scenarios, today's vortex dataaggregation presents a holistic, routine, and large-scale data transferpattern.

Forexample, in big data policing, in order to obtain specific personal informationabout individuals suspected of engaging in illegal activities, the policedepartment is authorised to retrieve data from the databases of different departmentssuch as taxation, welfare, and market regulation, etc., and to analyse and minethe aggregated data to obtain an accurate personal portrait to enhance theresponsiveness of law enforcement. Similarly, social credit regulation usescitizens' personal ID numbers and organisational codes as units to establish aunified social credit code and digital credit files, which reduces informationasymmetry between regulators and the regulated and improves the efficiency ofrisk regulation through data pooling. In addition, by establishing automaticcomparison procedures between different databases, social control becomes moreprecise and efficient. Once the regulated person has registered his/herinformation in a certain administrative activity, the automatic matchingprocedure can provide corresponding risk alerts and warnings. In the EU, theRegulation on the Establishment of a Framework for Interoperability between EUInformation Systems in the Field of Borders and Visas authorises data matchingbetween different databases such as visas, tourism management, criminalrecords, etc., and sets up interoperability components such as search portalsand biometric information matching services. In the opinion of the EUlegislator, even if the original objectives of different databases are not thesame, the need to identify specific control subjects can break down thebarriers between databases and achieve interoperability between databases.

Anotherexample is that in the field of administrative licensing, in order to reducethe burden on the relative and avoid duplication of data collection, datatransfer is explicitly required between many administrative authorities whosefunctions do not intersect. This kind of resource mutual assistance behaviourwill be originally dispersed everywhere in the government data quickly copy,transfer, use, improve the administrative efficiency, at the same time reducesthe relative data to provide the burden. Many of our local practices, "onenetwork unified management" "most run once" management andservice model are implied in the government data collection. Take the"unmanned second-approval" system in the "One Net OneOffice" as an example, the key to realising the second-approval system isthe data connection, which can connect all the relevant databases and carry outautomatic data comparison. Although the statutory duties of various departmentsare not similar, they still collaborate by means of data pooling. This trend ofdata pooling also exists overseas, for example, Article 2, Item 2 of theDigital Public Management Promotion Act introduced in Japan in 2019 states that"information provided by private business operators and other persons toadministrative agencies, etc., shall be shared through mutual co-operationusing an information system that does not require the applicant to provideinformation with the same content as the said information. "


2.3Hub-type aggregation based on "co-ordination-command" relationship

Inthe two aforementioned modes of aggregation, there is no hierarchicalrelationship between the data-providing organ and the utilising organ, and thepurpose of aggregating government data is to enable the utilising organ tobetter manage the data externally. However, in order to carry out managementand supervision within the administrative organisational system, and to achievethe integrity and consistency of the internal administrative system, the drivefor governmental data aggregation has also emerged. The aggregation ofgovernment data in this context is dependent on specific command hubs and canbe called "hub aggregation".

Onthe one hand, based on the hierarchical relationship between higher and lowerlevels of administration, higher-level authorities may request lower-levelauthorities to provide them with data to facilitate decision-making, commandand supervision by higher-level authorities. At this point, the higher-levelorgan directly enjoys the "right to request data collection" from thelower-level organ, while the lower-level organ has the obligation to providedata. For example, in order to supervise a lower-level traffic managementdepartment, the higher-level traffic management department may request it toprovide data on a timely or regular basis. For example, during the Xin Guanepidemic, data was pooled at the "county-city-province" level inseveral places, and higher levels of government analysed the data to carry outcommand and supervision. On the other hand, in the case of multiple subordinateauthorities under the jurisdiction of a higher authority, the higher authoritycan set up a relationship of rights and obligations between the subordinateauthorities in terms of data collection and utilisation. In this case, thehigher-level organ enjoys the "right to form data collection". If thedata-providing organ refuses to provide data to other departments on the basisof departmental interests, security risks, or lack of clear legal basis, thehigher-level organ can supervise the organ through orders, performanceappraisals and accountability. If a dispute arises between the providingauthority and the utilising authority over the scope, mode, frequency,technical standards and other matters of data aggregation, the higher authoritymay enjoy the right to adjudicate.

Thispivotal pooling of government data is becoming the "infrastructure"of digital government construction that is of concern to all countries. Manycountries, including China, have established organisations or mechanismsspecifically responsible for government data governance, such as data bureausand big data centres, etc., with these organisations acting as authoritativeand dedicated bodies leading the establishment of technical standards for dataaggregation, and gathering, processing and managing government data fromvarious channels on government platforms in accordance with the law. Theseorganisations are given the right to assess and adjudicate on data aggregationmatters, and become an important organisational tool for higher authorities toexercise the command of data aggregation. In China, all regions are exploringgovernment data management models, building government data platforms, andunifying the collection and governance of government data within theirjurisdictions. Through the pivotal collection of government data, the goal of"modular collection" and "vortex collection" of governmentdata can be better achieved. In terms of "modular pooling", throughthe hub platform of "one network unified management", on the basis ofintegrating the data of various business-related departments, the higherauthorities can better determine the departments responsible for dealing withcross-departmental complex events (hosting and co-organising authorities),construct corresponding operation processes, and issue disposal instructions.The higher authorities can better identify the departments responsible forhandling cross-departmental complex incidents (organising and co-organisingauthorities), construct corresponding operating procedures and issue disposalinstructions. For example, joint remedial actions against food operations ingroup rented accommodation usually involve the participation of severalprofessional departments such as urban management, public security, marketsupervision, housing construction, cityscape greening and hygiene, as well asthe cooperation of grass-roots teams such as streets and communities, and arecommanded and supervised by the "One Network Unified Management" onthe basis of real-time data monitoring, which helps to optimise the overall processconnection and supervision. This is conducive to optimising overall processconvergence and departmental synergy. For "vortex pooling", somelocal "city brain" command centres require each functional departmentto connect data to the command centre's information-sharing platform, on thebasis of which the command centre collects and integrates big data on allaspects of urban governance, and establishes a corresponding command centrecentred on a specific management object. On this basis, the command centre collectsand integrates big data from all aspects of urban governance and establishescorresponding application scenarios centred on specific management objects. Forexample, in response to the difficulty of mapping the number of mentally illpatients, the difficulty of dynamic management, the difficulty of earlywarning, etc., the command centre of the urban brain in some places bringstogether data from the Health Commission, the Disabled Persons' Federation, theCivil Affairs Bureau, the Medical Insurance Bureau, etc., and then sends earlywarning information to the police department after the formation of a personalportrait, so as to promote the police department's rational allocation ofpolice resources and eliminate potential security risks. At present, theconstruction of China's digital government takes the construction of a big dataplatform for government affairs as an important task, and the pivotal poolingof government data has become a basic trend in the construction of digitalgovernment.


3.Legal risks of government data aggregation


Thepooling of government data and the digitised administration based on it willhave a huge "digital empowerment" effect on administration. However,we should also be fully aware that, as a new technology-driven administrativeactivities, the collection of government data on the principle ofadministrative rule of law and its requirements also brings a lot ofchallenges, implying legal risks that can not be ignored. These risks aremainly manifested in the following four aspects: first of all, government datacollection may weaken the principle of legal rights and responsibilities of theorganisational law, the legitimacy of the administrative activities and theadministrative internal rights and responsibilities of the configuration of theframework of the impact, triggering the "rights and responsibilities ofthe number of determination" of the risk of overstepping the authority;Secondly, the data collection can be enlarged the power of the administrativeorganisations, resulting in the relationship between the administrative rightsand the rights of the relative further loss of the relationship between therights of the relative. Secondly, data aggregation can amplify the power ofadministrative organisations, leading to a further imbalance betweenadministrative power and the rights of the relative people, and magnifying therisk of abuse of power; thirdly, in the process of data aggregation, theoriginally dispersed personal information is integrated and centralised, whichmay exacerbate the privacy risk and the risk of over-monitoring; and lastly,the aggregation of data from different departments may lead to the blurring ofthe responsibilities of administrative activities, impacting on the originalmechanism for unification of rights and responsibilities, and even triggeringthe risk of "digital The following is a brief analysis of the aboveissues. These issues are briefly analysed below.


3.1Risk of ultra vires: data aggregation may impact on the law of authority andresponsibility

Thepooling of government data poses a significant challenge to the principle ofstatutory authority and responsibility in administrative organisational law,and may give rise to the risk of organisational ultra vires. Firstly, there isthe risk of organisations exceeding their jurisdiction in accessing data. Theprinciple of administration in accordance with the law firstly emphasises thatthe powers and responsibilities of organisations are statutory, and each functionaldepartment enjoys specific levels, territories and jurisdictions over affairs,and the exercise of organisations' powers and responsibilities has clearboundaries. Among them, "statutory duties" is both the authorisationof the administrative organ to use data and the legal control of how theadministrative organ collects and uses data. In other words, administrativeorgans can only collect and utilise data on the basis of their "statutoryduties". For example, Article 34 of the Personal Information ProtectionLaw stipulates: "State organs shall handle personal information in orderto fulfil their statutory duties in accordance with the authority andprocedures stipulated by laws and administrative regulations, and shall not gobeyond the scope and limits necessary for the fulfilment of their statutoryduties." Some local laws and regulations, such as the Zhejiang ProvincialPublic Data Regulations, explicitly state, "Data collection by publicadministration and service organisations shall follow the principles oflawfulness, legitimacy, and necessity, and shall be collected in accordancewith the legal authority, scope, procedures, and standard specifications."However, driven by factors such as technological empowerment and performanceincentives, the demand and impulse of government departments for datacollection is increasing, and it is not uncommon for government departments tocollect and process data beyond the legitimate and necessary purpose of"necessary for the performance of legal duties". There are also viewsin the academic community that it is difficult to say that there is anyspecific administrative purpose for the management and operation of big data ingovernment affairs. Serving possible future administrative purposes seems to bethe purpose of the act of data aggregation; however, if the purpose limit isset in advance for each specific act of information management, this is notonly unrealistic, but will also hinder the play of the extended advantages ofdigital technology. This philosophy is more common in practice. Some localitiesand departments have promoted the "full collection" of governmentdata, with different departments enjoying virtually unrestricted access andcalling rights to the collected big data. In the scenario of "modularpooling", administrative agencies may pool data only on the grounds ofbusiness synergy and cooperation; in the scenario of "vortexpooling", administrative agencies may pool data on the grounds of broadrisk prevention and improvement of service quality. Aggregation. To a largeextent, these practices have exceeded the boundaries of the statutory duties ofthe departments concerned, thus violating the principle of statutory powers andresponsibilities.

Secondly,by means of data compilation, administrative organs may make decisions inexcess of their powers in disguise. Different administrative organs havestatutory jurisdiction over their affairs, and even in administrativeco-operation, the principle of statutory powers and responsibilities should be strictlyfollowed. The pooling of government data cannot change the configuration ofadministrative and jurisdictional powers. However, at the technical operationallevel, as data aggregation and algorithmic administration are often integrated,the provision of data in fact has an impact on algorithmic decision-making,sometimes even a decisive impact, which means that the data-providing organ hasa de facto right to decide on automated decision-making. For example, in the"code governance" scenario represented by the "healthcode", the administrative organ relies on algorithmic technology toprocess the data provided by multiple parties and directly transforms theresults of the calculation and processing into an administrative decision,which poses a risk of overstepping its authority in decision-making.Specifically, although grassroots self-governing organisations such asresidents' committees and villagers' committees can participate in themanagement of epidemic prevention and control and provide data based on themandate of joint prevention and control, based on Article 9 of the InfectiousDisease Prevention and Control Law, they do not have the right to makedecisions on administrative coercive measures. However, in the case where thedecision-making process is highly controlled by the algorithm, the dataprovided by the grassroots autonomous organisations to the CDC department, suchas information on individual travel trajectories, nucleic acid testing, andpersonnel interactions, can become key variables that influence the algorithmicdecision-making, and directly affect the outcome of the algorithmicdecision-making. In this case, it is of organisational law interest to seewhether the neighbourhood councils actually have decision-making powers that theydo not legally enjoy.

Similarly,in the vertical relationship, there is a legal risk that the higher authorityor the government data governance body will exceed the boundaries of thecommand and supervision power, and excessively interfere with or even supersedethe decision-making power of the commanded authority. The hierarchical divisionof labour under administrative integration means that the command andsupervision of higher authorities does not replace the decision-making ofstatutory departments, but rather optimises the administrative decisions offunctional departments through the formulation of workflows, the issuance ofgeneral directives, and performance appraisals, which need to preserve thespace for case-by-case considerations and dynamic trade-offs by frontlinefunctional departments. However, the data pooling mechanism in practiceconstrains the situationalised operation of frontline administrators to acertain extent, and limits the ability of administrators to exercise discretionin accordance with the statutory allocation of powers and responsibilities. Forexample, in the operation of the city brain, the commanded authority may needto complete the sharing and pooling of law enforcement data in strictaccordance with the processes, standards and operational timeframes set inadvance by the command centre, but as the data provided by the former isdirectly linked to the exercise of powers and functions set by the latter, thelatter's instruction on data pooling may essentially become a specific act ofcommanding the former, which to a large extent restricts or even deprives theformer of its discretionary power. Discretion. It is thus clear that theprocess formulated by the government data governance body, which transgressesthe original organisational process of discretionary benchmarks and guidingdocuments for law enforcement, may transfer the decision-making power of thefunctional departments to itself, which may bring about problems such as"the name does not correspond to the reality" and "the powersand responsibilities do not correspond to each other".

Third,in terms of national governance at the macro level, the data pooling mechanismmay also have a structural impact on central-local relations. For example,Robert A. Mikos, an American scholar, pointed out that state governments pooldata with the federal government, which has a great impact on federal-staterelations and brings high political costs. The federal government uses the datapooling mechanism to shift the cost of data processing, which belongs to thefederal government, to local governments, violating the original fiscaldecentralisation structure. At the same time, the data pooling mechanismeffectively requires states to implement federal rather than state policies indisguise, which undermines state autonomy and may lead to a blurring ofaccountability. Moreover, the pooling of data at the federal level exceeds theexpectations of the subjects whose information is being collected. After astate collects data under its own authority, pooling it upwards beyond itsoriginal purpose will erode citizens' trust in the state. Bridget A. Faheypoints out that data cooperation between federal and state governments underthis concept of "Data Federalism" faces both the rule of law anddemocracy. A large number of coordinating agencies have been set up between thestates and the federal government to promote data sharing, but there is a lackof control mechanisms for these agencies; although the data itself isnon-competitive, there is a certain degree of competitiveness in the datacollection system, which will conflict with the established administrativemanagement system and change the original power allocation relationship.

AlthoughChina is not a federal State, such a central-land relationship exists bothconstitutionally and in the practice of government governance, so the impact ofthe data pooling mechanism on the original central-land power andresponsibility distribution structure should be considered. Currently, the"Guidelines for the Construction of a Nationally Integrated Big DataSystem for Government Affairs" and the "Circular on theStatistical Work on the Landing and Use of Docking Data for Pipeline Management"require localities to actively dock with the central database at the verticallevel in order to promote central-local data connectivity. It should be notedthat, based on the principle of statutory authority and responsibility, in theabsence of changes to the organisational framework, higher-level governmentsshould neither unilaterally delegate their own authority to lower levels, norshould they upwardly delegate statutory authority to lower-level governments.Although, in the unitary structure of our country, the lower level governmentsare led by the higher level governments and have the correspondingresponsibility to implement the decisions of the higher level governments, theleadership of the higher level governments in administrative affairs belongingto their own localities should mainly be manifested in the form of supervisionbased on the statutory way, avoiding interfering in a direct way. It should benoted that the integration of national government data may have an impact onthis constitutional mechanism of "dual responsibility of local governments".


3.2Risk of misuse: data aggregation may lead to the coalescence of administrativepowers.

Bigdata and algorithms as governance technologies have a clear enabling effect ontraditional administrative powers. Data aggregation not only increases the"quantity" of data available to administrative power, but alsoimproves the "quality" of data. In this sense, in the administrativesystem within the scale, daily, systematic government data collection, so thatthe original scattered in various departments of the data into a "big datapool", which will greatly amplify the effectiveness of the administrativepower, will amplify the original existence of the administrative power - therelative rights of the right between the imbalance, and induce administrativepower This will greatly amplify the effectiveness of administrative power,amplify the existing imbalance between administrative power and the rights ofthe relative, and induce the risk of abuse of administrative power.

First,the data pooling mechanism carries the risk of data pollution and datamanipulation. In a data aggregation mechanism, if the data utilisationdepartment can access and obtain data unrelated to its duties, it will have theurge to tamper with and manipulate data that may affect its interests. Inparticular, in the more common scenario of hub-and-spoke aggregation ofgovernment data, where there are big data organisations that can manage allgovernment data, the risk of data manipulation has the potential to betransformed into a real danger. The control of aggregated data from a singleorganisation over all aspects of government governance will magnify the risk ofabuse such as data manipulation, and even induce systemic risks in digitaladministration. For example, in the case of the "red code assigned todepositors of some village banks in Zhengzhou", the epidemic preventionand control department was able to assign a red code to depositors preciselybecause information on depositors in the financial management area, which isunrelated to epidemic prevention and control matters, was aggregated andmisused.

Secondly,data aggregation can induce the risk of procedural violations. After thecollection of government data to form government big data, the administrativedepartment of big data for deep mining, and may be for specific parties to takeregulatory and punitive measures, but the parties to this process is difficultto obtain the right to know, the right to participate in, the right tosupervise, which may be a huge impact on the traditional administrativeprocedure mechanism. The pooling of government data will greatly expand theability of administrative agencies to carry out monitoring and management, andto obtain the information needed for regulation and law enforcement withouteven having to go through traditional procedures such as investigations andinspections. Under such circumstances, the constraints designed foradministrative investigations in traditional administrative procedures, such asthe due process mechanisms of identification, justification, hearing ofstatements and defence, have been largely diluted or even made invisible. Thismeans that in a digital administrative scenario, there is a double risk of"data arbitrariness" and "data laziness". The risk ofprocedural violations superimposed on the risk of data quality will lead todecision-making errors that are more and more difficult to correct, and thestructural bias hidden in big data will continue to solidify.

Finally,data aggregation will amplify data privacy and security risks. This firstmanifests itself in the risk of external attacks on databases. Big data formedby the aggregation of government data is often the target of network attacks.The larger the volume of data, the more important and sensitive the datacontent, the more likely it is to become a target of attack. In fact, alldatabases face a "defence-attack" spiral of technical competition. Inparticular, once a huge amount of sensitive personal data contained in thegovernment data set is leaked, will be directly abused by external criminals,the victims can be tens of millions of people, and then identity theft andpersonal injury and other issues caused by the serious impact of theimmeasurable, thus, personal and property security and even national securityand other interests are very vulnerable to infringement or threat. In addition,security risks also exist within the administrative system, such asunauthorised access to databases, illegal downloads, transmissions, leaks and soon. Driven by digital empowerment, social governance nowadays pays more andmore attention to the intelligent management of global data and evencross-region, and stresses the active prevention of potential risks, which to acertain extent creates the inversion of "ends-means" in the sense of"analysing the data first, and then searching for the needs and solutionsof governance". To some extent, this has resulted in an inversion of the"ends-means" principle: "analyse the data before findinggovernance needs and programmes". In this context, institutionalconstraints on access to data by public officials are weak. Broad data accessrights are likely to induce unauthorised analysis and data leakage. Forexample, data leaks, such as surveillance data on public places and privateinformation on celebrities, reflect data abuse and privacy risks.


3.3Risk of excessive surveillance: impeding the free development of citizens'personalities

Thecombination of data aggregation and data analysis technology will significantlyenhance the state's ability to monitor individuals, which in turn will helpimprove the state's governance capacity. In the practical operation of thegovernmental data aggregation mechanism, scattered personal informationoriginally collected based on specific legal duties and processing purposes istransferred across departments and levels, and personal fragmented life recordsstored in different administrative organs are centralised for identification,classification and integration. In welfare administration, for example, anational database of personal social information based on modular aggregation,combined with specific algorithms, can be used to determine the subsequentbehavioural patterns of applicants and the effectiveness of welfare benefits,thereby facilitating rational payments. Such personality profiles can also beused in the tax and police sectors for precise control of individuals.

However,it should be noted that big data technologies also carry the risk ofover-surveillance of societies and individuals, with far-reaching consequencesfor the social personality of citizens. The traditional view of personality andprivacy centred on the tranquillity and autonomy of private life and emphasisedthe "solitary", "exclusive" and "secret" conceptsof privacy; however, the contemporary view of information privacy placesgreater emphasis on the social network of privacy and on the individual'spersonal relationships. However, the contemporary view of information privacyplaces more emphasis on the social network of privacy, and emphasises thatindividuals should be free from manipulation, prying eyes and discrimination inthe flow of data, and that the development of their personalities should not behindered as a result of data-processing activities. In the digital age, it isimportant to pay attention to the 'social attributes' of personality. Socialpersonality is not only conducive to individual personality development, butalso important for building social trust and maintaining the quality of publicdiscussion and public rationality in the digital age.

Inthe absence of an effective restraining mechanism, the administrativeempowerment effect brought about by data integration and data miningtechnologies may cause individuals to become "transparent", and theywill continue to lose the ability to defend themselves from prying eyes andsurveillance. This state of affairs will further generate anxiety at thesocio-psychological level, triggering the "chilling effect" or theindividual's "self-censorship" mechanism, and even leading to thefusion of technology and power and the formation of digital oppression. Infact, based on similar concerns, the US Privacy Act of 1974 prohibitsthe sharing of personal information between administrative agencies inprinciple. However, even in the United States, driven by technologicalempowerment, the phenomenon of administrative agencies circumventing theprovisions of the Privacy Act and expanding the scope of data sharinghas become more and more common.

Inparticular, it should be noted that with the iterative changes in big datatechnology, even anonymising personal data does not mean that the above riskscan be avoided. As long as the anonymised data is sufficiently fine-grained andcomprehensive, the data utilisation authority may still be able to identify aspecific individual through certain reverse engineering through analysis andcomparison. In this regard, Article 38 of Japan's Personal InformationProtection Law specifically stipulates that anonymised information shallnot be processed by administrative agencies for the purpose of identifying theindividual, nor shall anonymised information be compared with otherinformation. Even if anonymisation techniques make individuals immune fromidentification, it is still possible to categorise and regulate people with thesame background using algorithmic techniques. In fact, what is often mostvalued for big data algorithmic models is the aggregation of individual datainto group portraits and the corresponding management of group categorisation.This means that the privacy risks caused by contemporary digital management areshifting from individual to group risks. For example, the Dutch government hasanalysed high-risk groups of offenders from connected and anonymised data, anddeveloped control measures applicable to these groups. For example, in theconstruction of smart cities, the use of the Internet of Things (IoT) has madeit possible to connect location, social and other data from individual mobilephones with data from sensors placed in urban spaces, which allows digitalmanagement systems to manage and make decisions on the basis of anonymiseddata, and to guide and control groups of citizens with certain types ofbehavioural characteristics to cooperate with the government's governance goalswithout identifying individuals.


3.4Risk of avoiding responsibility: the crisis of blurring the attribution ofresponsibility.

Governmentdata collection activities will also lead to the blurring of legal responsibility,impacting the original administrative accountability and supervision mechanismand triggering the risk of "digital responsibility avoidance". Theadministrative rule of law focuses on the logic of "authorisation -attribution of responsibility" for specific institutions anddecision-making subjects, emphasising the correspondence between power andresponsibility, and that the right to power must have responsibility. If asingle or a small number of departments have violated the law or processed dataincorrectly, the chain of accountability is relatively clear; however, datacollection involves multiple geographic regions, multiple levels, multipledepartments, and the combination of big data and algorithmic decision-makingwill result in the chain of authority and responsibility for digitaladministrative decisions becoming very complex, or even fuzzy, and it will bevery difficult to pursue accountability once administrative activities haveviolated the law and caused harm.

Firstly,the blurring of responsibility for data accuracy issues. For the accuracy ofdata, is the data providing organ responsible or should the data utilisingorgan be responsible? If the basic data of a social subject (e.g., householdregistration, social credit) is incorrectly recorded, the error will affectmultiple legal relationships and trigger multiple erroneous results. Further,the sharing of government data may generate derivative data, for example, thedata utilisation department may mark and comment on the original data,synthesise it with other data, process it and derive conclusive dataaccordingly, which will induce a "mosaic effect" with the conclusivedata. Accordingly, accountability for administrative errors resulting from dataerrors will be very difficult. For example, when the big data collected andaggregated by multiple sensors is wrong and the algorithms provide wrongoutputs, which entity should be held accountable?

Second,responsibility for data legitimacy issues is blurred. In the case of modularaggregation versus vortex aggregation, does the data-providing organisationneed to monitor the legitimacy of the data accessed by the data-usingorganisation? To what extent does the supervision need to be carried out? Inpivotal pooling, based on the co-ordination and command relationship, therewill be overlapping responsibilities between the original responsible unit andthe governmental data governance body, as well as the question of who bears themain responsibility.

Finally,responsibility for data security is blurred. With multiple departments enjoyingbroad data access rights, it is often difficult to locate the source of anincident in the event of data leakage, destruction, or tampering; and even ifit is found, the fact that multiple subjects can handle the data makes thecausation of responsibility very complicated. At the same time, the moredepartments responsible for overseeing data compliance, the more ambiguouszones and gaps in the chain of responsibility for security, and the risk of datasecurity will increase accordingly.

Insummary, as data aggregation involves the aggregation of data from multipledepartments and levels, this will greatly increase the difficulty of definingthe rights and responsibilities of different subjects and complicateaccountability. This also means that it is more difficult to remedy rights in adata aggregation scenario. Traditional privacy and personal informationinfringement liability focuses on specific infringements, so it is easier tohold the infringing subject accountable; however, governmental data aggregationoccurs between multiple subjects within the administrative system, and thebasic issues of infringement liability become complicated by which part of theinfringement occurs and by whom it is carried out, not to mention the analysisof the causal relationship. Indeed, data aggregation is a systematic andholistic activity aggregated by multiple behaviours, and the eventualinfringement is often difficult to trace back and attribute. For example, inpivotal data aggregation, if more and more data resources and departmentalorganisations are accessed by the governmental digital platform, and personalinformation continues to flow between numerous departments, the ongoing dataprocessing activities of multiple departments will continue to make it more andmore difficult to account for infringements.


4.Approaches to risk control in the aggregation of government data


Inthe face of the risks associated with government data aggregation, the developmentof a targeted risk control mechanism has become a top priority in theconstruction of a digital rule of law government. If the risks of legality,security, privacy and liability of data aggregation are not effectivelycontrolled, data sharing and aggregation may deviate from the principle of therule of law and lead to a crisis of public trust in the construction of digitalgovernment.

Dataaggregation activities are essentially the exercise of administrative power andshould therefore be subject to the principles and institutions of theadministrative rule of law. Legal control of data aggregation activities needsto follow the guidance of the rule of law values, for the various links andnodes of data aggregation, providing appropriate regulatory strategies andtechniques to achieve the synergistic evolution of the "rule of numbers -rule of law".


4.1Establishment of a mechanism for evaluating the legality of data collectionactivities

Inthe traditional framework, it is usually considered that the information flowbetween administrative organs does not have dominance and externality, but isonly a medium for the exercise of power, and thus is mainly managed through theofficial document management system and the duty assistance system, and the issueof "media control" involved in data aggregation has not been givendue attention. However, in a governmental data aggregation scenario, dataaggregation has become an important way of exercising power, which cansubstantially influence the law enforcement and decision-making of otherorganisations, thus taking on externalities and dominance. In this sense, it isnecessary to incorporate into the statutory framework of competence the"media control" derived from data aggregation by administrativeorganisations. The core concept is that data collection is a means to serve theadministrative organisation in exercising its statutory powers and completingits statutory tasks, but the means should not deviate from the end, let alonetreating the means as the end. Following this logic, the legitimacy control ofgovernmental data collection activities should focus on the legitimacy of datacollection, the legitimacy of data sharing, the legitimacy of data collectionprocedures, and the legitimacy of data sharing rights and responsibilities.

Thefirst is the control of data collection legitimacy. From the perspective ofsource control, it should be ensured that the data-providing organ has theauthority to collect data, i.e., the act of collection can only be carried outwithin the scope necessary for the performance of its legal duties, and thescope of specific affairs for which the organisation is responsible should notbe broadly taken as the basis for the authority to collect data. For example,collecting data for broad purposes such as "maintaining socialorder," "preventing and controlling infectious diseases," and"enhancing the level of wisdom in urban governance" is a blurring ofthe need to collect data. The second issue is the legality of data sharing.

Secondly,the legality of data sharing should be controlled. On the one hand, thenecessity of data sharing should be controlled. In data collection scenarios,the necessity of sharing data should be clarified, that is, the purpose of datasharing, the scope of sharing, and the necessity of the required data should beexplained. In terms of purpose, data sharing must be based on realistic andspecific purposes and serve specific administrative tasks, rather thanaimlessly pooling data or broadly accessing data. It is worth pointing out thatthe current central and local legislation, represented by the Interim Measuresfor the Administration of Sharing of Government Information Resources and theRegulations on Data Sharing and Openness of the Guizhou Provincial Government,emphasises the principle of "sharing as a principle and non-sharing as anexception", and classifies data into unconditional, conditional andprohibited sharing, which is worthy of further exploration.

Onthe other hand, the appropriateness of the sharing method should be controlled,i.e. it should be made clear that data sharing, transmission and aggregationshould be carried out in a way that minimises security and privacy risks. Forexample, in some administrative scenarios, government departments in possessionof data only need to use proprietary interfaces to respond to relevantinformation and provide enquiry results in accordance with standard processes,without sharing raw data with other departments. As a result, only conclusive informationis shared through the technology of "data available but not visible,original data not out of domain", which reduces privacy and securityrisks. It is also worth considering whether data aggregation should be done bymerging departmental databases or by achieving interoperability betweendifferent databases. In modular pooling, because of the close business tiesbetween data-providing and data-using authorities, there is a stronger demandfor the unified establishment of thematic databases; whereas in vortex pooling,in addition to the construction of basic databases such as demographic andlegal person information, the merging of databases should be carried outcautiously, and replaced by a single comparison and retrieval programme on thebasis of distributed storage, in order to reduce the risk of data privacy andsecurity.

Legitimacyrequirements for the purpose, reason and manner of data sharing and poolingneed to be specified through corresponding legislative rules to ensure thatdata pooling is incorporated into the framework of the rule of law. For somehigher-risk data pooling activities, there should be clear authorisation in theform of legal norms. For example, the creation and merging of large databasesshould be authorised by higher-level legal norms. In cases where it isdifficult to follow up legislation in a timely manner, the legalisation of dataaggregation should be promoted by improving sharing agreements (catalogues) andstrengthening the justification of the necessity of sharing.

Onceagain, it is the control of the legality of data aggregation procedures.Government data aggregation should follow the principles of openness,transparency and participation. Government data aggregation involves theunderlying architecture of digital government, and citizens' knowledge,participation, and supervision are crucial to both digital administrative riskcontrol and trust building. For example, a study on data governance publishedby the European Parliament states that oversight of AI systems and the dataecosystems on which they depend should be delegated to civil society anddemocratic institutions. Such a distributed, domain-related oversightinfrastructure would complement the current centralised but overburdenedapproach. In order to implement the obligation to inform and promotetransparency, the publication of shared processes should establish a hierarchyof announcements that promotes continuous social participation and publicoversight through a typological and friendly announcement mechanism thatprovides the basis for public interest litigation initiated by socialorganisations to negotiate with prosecutorial public interest litigation andthe public domain. In addition, when administrative organs establish importantorganisational, technical and management processes in the sharing structure,such as the information processing processes and technical links in the"one-code governance" and "one network" systems, theyshould fully consult the relevant public and experts, so as to avoid theadministrative organs' influence on the discourse and power in the constructionof the sharing system. The administrative authorities' monopoly of discourseand power in the construction of the sharing system should be avoided.

Oneissue of concern in the data collection process is risk impact assessment. Withregard to the risks of abuse, security and privacy that may arise from datapooling, a risk impact assessment of data pooling should be carried out, takinginto account the purpose of the data pooling, the scope of the data, theapplication scenarios and other specific indicators, and corresponding riskcontrol measures should be taken in accordance with the assessed risk level.The risk impact assessment should be dynamic and continuous. The legislativelevel has begun to pay attention to data risk assessment. For example, Article55 of China's Personal Information Protection Law stipulates that"In any of the following cases, a processor of personal information shallcarry out a personal information protection impact assessment beforehand andkeep records of the processing: ...... (iii) entrusting the processing ofpersonal information, providing other processors of personal information withpersonal information, disclosing personal information ...... "Some locallegislations have also made preliminary provisions on risk assessment in datapooling.

Finally,there is the matching of rights and responsibilities in data sharing andpooling. Data sharing and pooling should be prevented from breaking through thelegal configuration of rights and responsibilities, and the effectiveness ofdata-enabled tools should be prevented from impacting the rule of lawgovernment requirements of legal rights and responsibilities. Government dataaggregation should be carried out in accordance with the principle of statutorypowers and responsibilities in the framework of the established organisationallaw, and should not destroy the configuration structure of statutory powers andresponsibilities. In this regard, in modular and vortex pooling, the internalaudit process of algorithmic models and decision-making applications should beimproved, so as to avoid the situation where the data-providing organinfluences or even directly determines the specific decision-making power ofanother organisation through the input and editing of data. In pivotalaggregation, attention needs to be paid to controlling the "dataaggregation formation rights" enjoyed by government data governancebodies. Although the logic of power and responsibility allocation may berationally reorganised across government departments according to the needs ofgovernance tasks based on a functionalist perspective of 'whole of government',this process cannot break the explicit provisions of the organisational law. Inother words, data aggregation is only a tool for more effective implementationof the organisational law's powers and responsibilities, and cannot, in turn,be a means of altering the organisational law's statutory configuration ofpowers and responsibilities.

Similarly,in the vertical dimension of data sharing and pooling between the upper andlower levels, data pooling should be in line with the framework for theallocation of power and responsibility for the division of labour between thecentral and local levels. In Japan, the Local Government Information SystemStandardisation Act statutoryises the basic policy of digital governmentconstruction by requiring that the standards for information processing systemsused by local governments should, in principle, be uniformly set by the centralgovernment, thus facilitating cross-geographical data pooling, with thecorresponding decision-making power being centralised in the central governmentdata governance body. However, this approach poses a significant threat tolocal autonomy, so the Act also provides that local governments may use theirown locally designed business processes and data specifications as thestandards for their government information systems, while ensuring effectiveuse of information and system compatibility. The Japanese experience suggeststhat following the constitutional central-local decentralisation relationshipshould make the standardisation of government information systems an importantinfluencing factor. This is instructive for data aggregation in our verticalrelationship. Starting from the connotation of "local affairs" inChina's legislation, the standardisation of government data collection andgovernment information systems should take into account local governance needs,so as to make data collection and the construction of government informationsystems match the power and responsibility structure of the central-localrelationship, and to prevent government data collection from becoming a means of"upward centralisation" in disguise. upward centralisation".


4.2Improving the Supervision and Relief Mechanism for Data Aggregation Activities

Onthe basis of controlling the legal risks of governmental data collection, it isalso necessary to further consider improving the supervision and reliefmechanism of governmental data collection activities. The combination offront-end risk control and end-end supervision and relief can establish thelegal control of the whole process and chain of data collection activities. Thesupervision and relief mechanism mainly includes three aspects: attributionmechanism, supervision mechanism and relief mechanism.

4.2.1Attribution Mechanism

Inorder to control the risk of "digital liability avoidance", it isnecessary to clarify the object and standard of accountability in datacollection activities. This requires setting the conditions for attribution ofresponsibility and defining the subject of responsibility in accordance withthe principle of unity of power and responsibility and the basic elements ofdata collection, such as data authenticity, accuracy, legality and security.Taking into account the characteristics of data pooling activities, theconditions for initiating the attribution of responsibility do not need to bethe occurrence of direct, concrete and visible damage, but rather whether unduerisks have arisen in the data pooling activities. In other words, theconditions for accountability should be changed from the "damage resultorientation" emphasised in traditional administrative liability law to"risk regulation orientation".

Specifically,accountability for the legality of data aggregation can be typified on thebasis of the pattern of the relationship between the data-providing authorityand the data-using authority. For example, the German Federal DataProtection Act distinguishes between obligatory and request-basedaggregation of government data. If the data-providing authority has a directobligation to transfer data based on the provisions of the law, it shall beresponsible for the legality of the transfer; if the data are transferred atthe request of the data-using authority, the data-using authority shall beresponsible for the legality of the act, and the data-providing authority onlyneeds to formally verify whether the requested act falls within the scope ofthe authority's authority and responsibility, without having to make ajudgement on the necessity of sharing. However, if the transferred datainvolves important personal social security information, the data-providingorgan should comprehensively examine the legality of the transfer, includingthe necessity. At the same time, procedures should be put in place between thedata-providing agency and the data-using agency to control the secondarysharing of data. For example, the data user authority should periodicallycertify that it has reviewed its practices regarding secondary sharing of data.

Accountabilityfor data aggregation accuracy issues is generally recognised as an obligationof the data providing authority to update and safeguard data accuracy. Forexample, the Guangdong Provincial Public Data Management Measures stipulate that if there is one and only one statutory data source authority fora piece of data, the data-providing authority is required to bear theresponsibility of verification. However, for data involving significant rightsand interests of the data subject, the data utilising authority cannot becompletely exempted from the verification and checking responsibility. Forexample, in the case of vortex pooling, the US Privacy Act provides thatbecause information shared between agencies may be used to deny, reduce, orotherwise adversely affect the welfare of an individual, the data-receivingagency must have reasonable procedures in place to ensure the accuracy of theshared data; and that if the receiving agency takes an adverse action againstan individual based on conclusions arising from the comparison of data pooling,it must independently verify the If the receiving organisation takes adverseaction against an individual on the basis of a finding from a data aggregationcomparison, it must independently verify the information unless the relevantdata integrity board determines that the information has a high level ofconfidence. In the case of modular aggregation, where multiple departments areprocessing data for the same purpose, they should be considered "jointcontrollers" of the data, with shared obligations for data accuracy.

Withregard to accountability for the security of data aggregation, data-providingauthorities and utilising authorities should set up a secure means oftransferring personal information under existing conditions, and make clear theobligations for the protection of personal information and data securitythrough the signing of a sharing agreement, for example. In practice,administrative authorities often process data in their own departments in orderto fulfil their own statutory duties, and data processing can also be carriedout with the help of third-party technology, and the technical standards usedmay not be uniform, so that the utilising authorities are exposed to greaterrisks in terms of data quality and security in obtaining data from theproviding authorities. At this point, cross-departmental data transmissionrequires co-ordination of technology, standards and other issues, strengtheningthe role of governmental data governance bodies, and improving data quality andsecurity mechanisms to adapt to the sharing and transmission methods. Afterdata transmission, data utilisation departments should take the necessarytechnical and organisational measures to provide special protection and timelydeletion of personal information to prevent illegal access, destruction,alteration or unauthorised disclosure. After data pooling, the data utilisationdepartment shall assume the obligation of data security management in theprocess of using the data, except in the case where the data security liabilityincident is directly related to the data providing department or thegovernmental data governance body providing the infrastructure. If a dataleakage occurs in a database built by multi-departmental aggregation, the datautilising department shall be held responsible, and other departments involvedin data aggregation shall only have a duty of reasonable care.

4.2.2Supervisory Framework

Inthe governmental data aggregation system, how to design the structure ofinternal supervision and how to configure the supervision power is a key issueto promote the standardisation, rule of law and rationalisation of governmentaldata aggregation activities. At present, the issues of both the structure ofsupervision and the configuration of power need to be explored urgently. Fromthe normative level, there are only some fragmented rules. For example, Article68 of the Personal Information Protection Law stipulates that when stateorgans and their staff fail to fulfil their obligations to protect personalinformation, they shall be ordered to make corrections by their superior organsor by the authorities that perform personal information protection duties. The DataSecurity Law, on the other hand, grants supervisory authority over datasecurity matters to competent authorities in various industries and regions.Some local laws and regulations or government regulations provide for "bigdata authorities" to assume supervisory responsibility for government datagovernance. It should be noted that if the supervisory power is too dispersed,there will be multiple authorities, which will also lead to problems such asunclear powers and responsibilities and fragmentation of responsibilities.Whether it is data classification and hierarchical management or theconstruction of a supervisory system, it is necessary to deal with the inherentpowers and responsibilities of the supervisory body, and to implement theimpartiality and consistency of the supervisory system.

Fromthe perspective of safeguarding the impartiality of the supervisory system, itis necessary to implement the principle of separation of functions, with aspecialised and authoritative risk-regulation body responsible for supervisionand accountability. The functions of public data operation, data industrydevelopment and data risk control should not be overly centralised in the samepublic body, but should be moderately separated to ensure the neutrality of therisk-regulation body. If the big data development sector, which promotes dataaggregation and strengthens digital empowerment, is also the subject ofsupervision and accountability, the incentive and impartiality ofaccountability may be affected. In terms of safeguarding the consistency of theoversight system, the focus should be on integrating systemic concepts and thelogic of risk regulation into the data aggregation system. Specifically,high-level and specialised government data management agencies can firstformulate norms and guidelines for various operations, and then set upprofessional positions within the administrative organs, with professionalsassessing and reviewing government data compliance and lawful pooling, andfinally forming a unified risk management standard through the deliberative andcoordinating body responsible for the overall management of data pooling. Forexample, in the United States, the Foundations for Evidence-Based DecisionMaking Act of 2018 establishes a coordination network of government chief dataofficers, with the Office of Management and Budget (OMB) setting up a chiefdata officer council to establish best practices for data sharing, promoteproper sharing agreements among agencies, continuously evaluate technicalsolutions, and facilitate communication, exchange, and coordination among chiefdata officers across different departments.


4.3 Remedial Mechanisms

Governmentdata aggregation may cause infringement of privacy and personal informationrights and interests. From the requirement of balancing administrativeeffectiveness with the protection of personal rights and interests, the legalsystem of data aggregation should pay full attention to the construction ofrelief mechanisms. Data aggregation includes a series of activities ofadministrative organs in handling personal information, and theseadministrative activities should be incorporated into the system ofadministrative remedy law according to different situations, and thecorresponding administrative reconsideration, administrative litigation andstate compensation mechanism should be improved. First, the respondent in areview or the defendant in a lawsuit should be determined based on theprinciple of convenience. For example, in administrative litigation,individuals may be allowed to choose one of the data-providing authorities,data-utilising authorities or government data governance bodies as thedefendant; if a sharing agreement has been signed between the data-processingauthorities, the defendant may be determined on the basis of the sharingagreement. The court may include other organisations as third parties as neededfor the trial. Second, it should facilitate the interface between internaloversight mechanisms and external judicial oversight to alleviate difficultiessuch as the court's lack of understanding of internal sharing structures andlack of expertise. For example, for the judicial review of inter-agency datasharing behaviour, the US Privacy Act provides for the principle ofexhaustive administrative remedies, whereby the internal supervisory bodywithin the administrative system first conducts a review to clarify the focusof the case dispute, technical details and other issues, so as to facilitatethe subsequent court's judicial review at the legal level.


5.Conclusion


Thegovernment data sharing and pooling system is the infrastructure and underlyingstructure of digital government construction. With the comprehensive promotionof China's digital government construction, the sharing and pooling ofgovernment data has been comprehensively carried out in the horizontal andvertical dimensions of the administrative system. At the same time,administrative data pooling activities have raised new issues and challengesfor administrative organisational law, conduct law, and relief law. Theconstruction of digital government should be deeply integrated with theconstruction of government under the rule of law, which requires us to have anall-round understanding of the legal risks of the system of sharing and poolingof governmental data in the construction of digital government, and to developcorresponding legal control techniques.

Thecombination of digital technology and administrative power has given rise to"digital governance", which is a new national governance technology.Digital technology essentially follows the logic of instrumental rationality,which is potentially competitive and conflicting with the traditional logic ofthe rule of law, but the proposition of digital rule of law governmentconstruction implies the normative requirements of digital technology into therule of law track. Big data-enabled administration is not a free lunch oftechnology, but involves the "re-organisation" of administrativeorganisational jurisdiction, data processing legitimacy and security,personality and privacy, administrative accountability, and many other legalsystems. In the new scenario of digital administration, the traditionaladministrative law system and control techniques need to be improved andadjusted accordingly with the changes in administration. Under the guidance ofthe value concept of the administrative rule of law, it is necessary to improvethe corresponding administrative law control means and mechanisms in responseto the specific scenarios and new problems of governmental data collectionactivities, establish a framework for analysing the legitimacy of datacollection activities, and supplement it with effective attribution ofresponsibility mechanisms, supervisory frameworks and remedies, so as toincorporate digital administration into the framework of the administrativerule of law and to promote the in-depth fusion of the construction of a digitalgovernment and a government governed by the rule of law.