Over the last decade, thinking about digital identity has shifted. Traditionally, governments collected personal information, stored it in central systems, and controlled how it was used. In this opinion article, Mark Burke notes that newer approaches aim to keep the state’s role in confirming identity, while giving individuals more say over what information they share, with whom, and in what context, so that a person can provide what is needed for a transaction without revealing everything on record.

This matters because it changes the balance of power between the individual and the system. In South Africa, the stakes are higher given the country’s history of state surveillance under apartheid and the reality that access to devices, data, and digital skills remains unequal. A digital identity system that is meant to serve everyone should therefore align with constitutional commitments to privacy, dignity, and equality, and be designed to reduce exclusion rather than deepen it.

South Africa occupies a particular place in this global shift. Estonia built a more citizen-focused system from the outset in the 1990s. India, by contrast, rolled out Aadhaar as a very large, centralised biometric system for roughly 1.3-billion people. South Africa is trying to move from older, fragmented systems to a more joined-up approach that could give citizens more practical control. The country’s context creates both limits and possibilities. There are major gaps in digital access, strong capabilities in parts of the private sector (especially finance), and unequal state capacity across departments.

South Africa’s approach, set out in the planned design of MyMzansi and the MzansiXchange initiative, aims to introduce a mix of centralised and federated components. It keeps a central identity through the new National Population Register and the Automated Biometric Identification System (ABIS), which is intended to replace the Home Affairs National Identity System (HANIS). Alongside this, it proposes federated data exchange between departments and a citizen-facing credential wallet. This mix is a practical response to existing institutions, but it can create tension. For example, a wallet can create the appearance of user control while sensitive data and key decisions remain centralised.

This essay examines what “citizen control over data” means in practice, whether it is realistic in South Africa’s context, and what is needed to make it work. It compares South Africa’s direction with India’s centralised model, Estonia’s federated approach, and the European Union’s emerging wallet-based framework, and then draws out design and governance insights that can be applied to South Africa’s developing system.

What Does “Citizen Control” Actually Mean?

People often talk about “citizen control” but do not explain what it means and how it should work. In digital identity and data-sharing systems, real control is not one thing. It depends on several parts working together.

Legal control means having clear rights over your personal information so that you can see what an organisation gathers about you, request that errors be corrected, and prohibit the use of certain information. But rights on paper are not sufficient if a citizen is unable to utilise them in practice. South Africa’s Protection of Personal Information Act (POPIA, 2013) sets out these rights, but it was written with an older view of how data is used. It is relevant to slower, more stable relationships between people and organisations, and not fast, real-time data sharing across many systems.

Technical control is about whether the technology actually lets a person control how their information flows. Two examples are important. Selective disclosure means proving a specific fact (like being over 18) without sharing your full identity record. Cryptographic verification means you can hold your credentials yourself, while others can still verify they are real. A key distinction is between procedural control (clicking “accept” on a screen) and substantive control (the system truly limits what others can access). Many systems offer “control” in the interface while the underlying data remains in state hands.

Institutional control is about rules and institutions that make control substantive. This includes independent oversight, clear accountability for data misuse, and practical ways for people to seek redress when their data are compromised. People should be able to challenge decisions made using their data, ask for explanations (including for automated decisions), and receive compensation when safeguards fail. Without this kind of accountability, legal and technical controls remain mostly theoretical.

Practical control focuses on whether people can realistically use these protections in daily life. That depends on digital literacy, reliable connectivity, and access to suitable devices. It also requires non-digital options for people who cannot or do not want to use a digital system. If control only works for people with time, money, and strong digital skills, it will worsen inequality rather than reduce it.

It is also important not to rely on consent alone as proof of citizen control. Consent assumes people can understand complex systems, assess risks, and make real choices when dealing with public institutions. In reality, they have different abilities and capacities, and the balance of power between citizens and the state is unequal. As a result, consent often becomes a tick-box exercise rather than a meaningful one in self-determination. This challenge is more acute in contexts such as South Africa, where digital literacy varies widely and alternatives to “agree” may be limited.

Comparative Models of Digital Identity

These three examples show the main ways in which large digital identity systems seek to balance efficiency with citizen control of their data. They also show that architecture alone does not settle the question and that law, institutional design, and political incentives matter just as much as technology.

India’s Aadhaar: The Centralised Model

India’s Aadhaar is one of the world’s largest centralised biometric ID systems, with about 1.3-billion people enrolled and around 90-million authentications each day. It links a unique 12-digit number to biometric data (such as fingerprints, iris scans, and facial data) stored in a central database. This makes identity checks fast and relatively low-cost, but it also leaves citizens with limited control over how their identity data is used.

Aadhaar also shows some of the risks of this kind of centralisation. If biometric data is compromised, it cannot be “reset” like a password. The system can also record all transactions, making detailed tracking easier, while giving individuals limited tools to see how their data is used or to prevent systems from being linked. In 2018, India’s Supreme Court addressed some privacy concerns but still allowed the mandatory use of Aadhaar for welfare services, showing how efficiency goals can outweigh concerns about control.

For South Africa, Aadhaar is a warning about the long-term risks of building a single, centralised biometric system. The key point is that once a central system is in place, it creates strong institutional interests and technical dependencies, which makes later decentralisation difficult.

Estonia’s X-Road: The Federated Model

Estonia’s system, launched in 2001, is often seen as a leading example of a federated approach. Instead of putting everything into a single database, X-Road allows different institutions to share data securely while maintaining their own databases and responsibilities. Citizen control is supported by strong governance rules, including data access that must be logged, citizens being able to see who accessed their data and why, and purpose limits that are enforced through both law and technical design. Oversight involves multiple bodies, including the Data Protection Inspectorate and parliamentary committees.

A key lesson from Estonia is that governance was prioritised through the establishment of legal rules, institutional roles, and accountability, which were set before the technology was rolled out at scale. Estonia’s ID-card, Mobile-ID, and Smart-ID options work across both government and private services. When linked to X-Road, they form a single system where citizen control is not just a principle, but something people can use in practice. Access logs are central to this as they let individuals identify and challenge unauthorised access to their data, turning accountability into something real rather than theoretical. It should be remembered, however, that Estonia is a small, high-capacity state with a very different administrative history, higher baseline connectivity, and stronger implementation coherence than South Africa.

The European Union: The Credential/Wallet-Based Model

The European Union’s eIDAS 2.0 regulation, which took effect on May 20, 2024, establishes a robust legal framework for a more citizen-controlled digital identity. By December 2026, all 27 Member States must offer European Digital Identity Wallets to citizens and residents, with broader adoption targeted by 2030.

The framework includes several protections aimed at meaningful user control. Wallets must support selective disclosure so people can choose which details to share. Wallet providers are not allowed to track usage for unrelated purposes. Wallets must also work across borders so they are recognised between countries. The November 2024 implementing acts set technical standards, including a privacy dashboard that shows how and with whom wallet data is shared. The design assumes data is stored locally, and that wallets should not enable tracking or profiling. The rules also require that wallets be issued, used, and revoked free of charge for natural persons, with safeguards to prevent discrimination against those who do not use a wallet. eIDAS 2.0 shows that citizen-centred design can be required by law, not only suggested as “best practice.”

For South Africa, the most useful lesson is not that Europe has found a perfect solution. It is that wallet-based systems need binding rules on data minimisation, acceptance, revocation, interoperability, and non-discrimination. Without those rules, a wallet remains a consumer-friendly shell rather than a constitutional or regulatory safeguard.

The Illusion of Control

These examples point to a key risk South Africa must avoid. This is what might be called “wallet-washing.” This happens when a system adds a citizen-friendly wallet interface on top of a state-centric design, without changing who holds the data or who makes the rules. For example, a wallet might let a person choose to share only their age, but the verifier could still query the central register and receive the person’s full identity profile in the background. If a credential wallet is built on top of an unchanged, centralised biometric system, it may only hide information on the screen. It may not stop back-end access to non-disclosed data, or give individuals real control over how verification works.

Information asymmetry, where one party possesses better or more relevant information than the other, worsens these risks. When the system is not transparent, citizens cannot easily test or verify claims about privacy and security. And because these systems can change over time, people may not realise when new data-sharing pathways are added. As a result, a user interface can suggest control even when the real decisions and data access remain elsewhere. The difference between superficial and substantive control is simple. Substantive control means the design genuinely shifts power to individuals, rather than only creating the appearance of choice while leaving state discretion intact.

South Africa’s Emerging Model

South Africa’s emerging digital identity system is a hybrid. It will combine elements of a central database, federated data-sharing between departments, and a citizen-facing wallet. Because the overall model is still taking shape, it is not yet clear how much control citizens will have in practice.

At its core, the system is still centralised. The National Population Register (NPR), created under the Identification Act of 1997, holds key identity and status records under the Department of Home Affairs. South Africa is also upgrading its biometrics by replacing HANIS with the Automated Biometric Identification System (ABIS), which will support several biometric types (including fingerprints, facial recognition, iris, and palm prints). This upgrade may improve reliability and security, but it does not automatically change who controls the data or how decisions are made. Key policy documents, including the 2019 White Paper on Home Affairs and the proposed National Identification and Registration Bill (NIRB), still describe a largely centralised model and give limited detail on concrete, enforceable forms of citizen control.

A more federated layer is developing through MzansiXchange, which uses Estonia’s X-Road technology family as a reference point for data exchange. This should allow departments to share data in a standard, secure way without moving everything into a single database. That could support better privacy and accountability. But the technology on its own is not enough. In Estonia, citizen protections, including access logs showing who viewed your data and notifications, exist because the law and institutions require them. South Africa has not yet set out similar requirements, so there is a risk of building the infrastructure without the safeguards that make it trustworthy.

The citizen-facing part is expected to come through MyMzansi, including a credential wallet that supports selective disclosure. The Roadmap’s commitment to letting people share only the necessary details, rather than handing over full documents, captures the right idea. The challenge is that the supporting rules and standards are not yet clearly defined. For citizen control to be real, the system would need requirements such as default access logs, strong technical standards for selective disclosure, and practical processes for consent, complaints, and remedies when things go wrong. Without these, MyMzansi could improve convenience without delivering meaningful control.

Feasibility in a Developing Country Context

Whether citizen control is realistic in South Africa depends on real-world constraints that shape what can be built and who can use it.

Inequality and digital divides are immediate barriers. While 72.6% of households access the Internet, only 14.5% have fixed access at home, and access varies widely by province and between urban and rural areas. If key services depend on a wallet, people with poor connectivity or no smartphone will be disadvantaged. The Roadmap’s “no one is left behind” commitment, therefore, requires practical alternatives, such as offline options and other authentication methods, but the current documents do not yet spell these out in detail.

Digital literacy affects whether consent and control are meaningful. Even strong technical protections will not help if people do not understand what they are agreeing to, what they are sharing, or the risks. South Africa’s linguistic diversity and unequal education outcomes make this harder. Making citizen control workable would require sustained public education and clear, accessible design, neither of which is currently described in detail in planning documents.

Institutional capacity is another major constraint. The Information Regulator (created under POPIA) has limited resources, with a budget of about R110-million a year and fewer than 120 staff across all its functions. That makes it difficult to supervise a complex digital identity system that spans many departments and the private sector. Oversight also requires specialised technical skills (for example, cryptography, AI, and distributed systems), where capacity is often limited.

Historical path dependency also matters. South Africa’s identity system has developed over time through gradual expansion of state data collection and control. MyMzansi could be a turning point, but only if it changes how power works in the system. If it mainly adds a new user interface on top of the same centralised foundations, it may modernise access without increasing citizen control.

These constraints do not make citizen control impossible, but they affect what reforms are realistic and in what order they should happen. Control requires practical capability, not only legal rights. If many people do not have the resources to use their rights, the system must prioritise usable control through protections that work with limited literacy and intermittent connectivity.

Design Principles for Citizen Control

Based on the discussion above, five practical design principles stand out for South Africa’s digital identity system:

First, selective disclosure must be cryptographically enforced, not just controlled by what the user sees on a screen. If an organisation can still access hidden details through back-end queries, the wallet is only offering the appearance of privacy. The system should be designed so that non-disclosed attributes are not available to other parties at all.

Second, transparency must be at the individual level and in real time, not limited to high-level reports published after the fact. Estonia’s approach, where citizens can view detailed access logs, supports practical accountability. By contrast, delayed or aggregated reporting does not give individuals enough information to identify misuse and respond.

Third, control must be usable, not theoretical. This means the system should work in low-connectivity settings, offer offline or low-tech options, and provide alternative authentication methods. It also means “progressive enhancement,” with basic services working for everyone, while more advanced features are available to those with devices and connectivity. Interfaces should support informed choices without forcing people to navigate complex settings.

Fourth, institutional accountability must be independent and empowered. The Information Regulator (or another oversight body) needs adequate funding, specialised technical expertise, and enforcement powers to match the risks of a national digital identity system. Broader, multi-stakeholder governance, including civil society, technical experts, and citizen representatives, can also enhance legitimacy and incorporate perspectives that might otherwise be overlooked.

Fifth, legal foundations must accompany technical deployment. If the technology is rolled out before the rules are settled, it becomes harder to change course because institutions and systems quickly become dependent on what was built first. Laws and regulations should therefore make citizen control a mandatory design requirement rather than an optional feature.

Conclusion

Is there room to put data control in the hands of citizens in South Africa’s digital identity system? The answer is: potentially, but only if key choices are made. South Africa’s Constitution, the hybrid model now being built, and examples from other countries all create opportunities for a more citizen-centred approach. In particular, MyMzansi (including a wallet) and MzansiXchange (a federated exchange) could support meaningful control if they are backed by clear rules and safeguards.

But this outcome is not guaranteed. On the current path, South Africa could end up with a modern interface and faster services, without giving people real power over their data. The centralised biometric base, the lack of clear citizen-control requirements in pending laws, rolling out technology before settling the governance model, and fragmented oversight can all lead to the same state-centred approach, only with more advanced tools.

The years 2026–2030 are likely to be decisive. Several major steps are expected in this period, including evaluating the MzansiXchange pilot, finalising the NIRB in Parliament, launching the MyMzansi platform, and putting the broader governance framework in place. Decisions made during this window will either build the foundation for genuine citizen control or lock in patterns that are hard to change later. Put simply, South Africa can still shift toward citizen control, but only if implementation includes prioritising individual rights and accountability, not only administrative efficiency.

In the end, citizen control is a policy and design choice, not something technology delivers automatically. It requires deliberate decisions to limit surveillance capabilities even when technically possible, to build transparency tools (like access logs) even if they add cost and slow down some processes, and to strengthen oversight so that officials and institutions are held to clear rules.

Whether South Africa makes these choices will depend on political will, institutional reform, and sustained public advocacy to ensure “citizen control” over their data.

Written by Mark Burke, a researcher and advisor with expertise in digital governance, and a focus on public-sector digital transformation. His research interests are digital identity, privacy, and citizenship in the digitalisation of public services.