This opinion article by Mark Burke assesses how the interests, incentives, and influence of actors shape the prospects for data sovereignty and control by citizens.

Digital Public Infrastructure (DPI) has emerged as the dominant framework through which states pursue digital transformation. Proponents describe it as a "societal operating system", functioning through a set of shared, interoperable digital systems built on open standards that enable population-scale service delivery across health, finance, and social protection. The architecture is presented as an "architecture of opportunity" - as open, inclusive, and empowering. Multilateral institutions, philanthropic foundations, and technology vendors have together constructed a powerful narrative in which DPI adoption is not merely desirable but necessary for development.

However, this positive framing hides some important realities. DPI is not only about technology. It is also about power. Decisions about who controls identity databases, whether biometric data is compulsory, how consent works, and where data is stored are not neutral technical choices. They shape who controls citizens’ personal information and, by extension, important parts of their lives. The real issue is not whether systems include or exclude people, but whether claims of openness match the reality of who actually holds control.

This essay examines these claims through a political economy lens, with particular attention to digital identity as the anchor layer of the DPI stack. Digital identity is the keystone component of this stack. It determines who can access services, who can be tracked, and who can be excluded.

The core question is to what extent the interests, incentives, and influence of key actors in the DPI ecosystem shape digital identity systems in ways that enable or undermine data sovereignty and citizen control? It cautions that DPI risks concentrating power in states, corporations, and multilateral institutions at the expense of the countries and their citizens it is meant to serve.

What Are DPI and Digital Identity Systems?

DPI refers to shared digital systems built on open standards that function like public infrastructure. These infrastructures are available to all, governed in the public interest, and capable of enabling diverse applications built on top of them. The DPI stack comprises three layers: (1) a digital identity layer ("who you are"), (2) a data exchange layer ("how information flows between institutions"), and (3) a digital payments layer ("how value moves"). Each layer is designed to be interoperable, modular, and scalable.

Digital identity systems constitute the foundational layer. They typically combine a foundational ID (a unique identifier linked to a person's demographic and biometric data), an authentication system (enabling verification of identity), and a data exchange layer that allows verified identity to unlock services across government and private sector providers. The design tenets of interoperability, open standards, and modularity are presented as enabling broad participation and preventing lock-in.

What these principles obscure is the question of governance. Interoperability enables data to flow, but it does not determine who controls where it flows or under what conditions. Open standards reduce licensing costs but do not prevent implementation dependencies. Modularity allows components to be swapped, but it does not guarantee that the actors who control critical components will act in the public interest. The technical architecture is always downstream of political choices about governance, accountability, and power.

Drivers and Dynamics of DPI Adoption

DPI diffusion is not an organic process driven by demand from adopting countries. It is being actively promoted worldwide by a small network of powerful organisations with shared interests. It is important to understand who is driving this agenda and why.

The World Bank has played a major role through its ID4D programme, which provides funding, technical guidance, and strong encouragement for countries in the Global South to adopt digital identity systems. In many cases, these systems are bundled into development loans, making adoption hard to refuse. The United Nations Development Programme (UNDP)  has also promoted DPI through initiatives like GovStack, which aims to roll out open‑source digital systems. During its G20 presidency in 2023, India pushed DPI onto the global development agenda, presenting its own systems (Aadhaar for identity, UPI for payments, and DigiLocker for documents) as a model that other countries should follow.

Large private foundations, especially the Gates Foundation and Omidyar Network, have also been highly influential. They have funded both the technology itself, such as the open‑source identity system MOSIP, and the organisations that promote DPI globally, including iSPIRT and the 50‑in‑5 campaign. Their support has helped shape which technical models are seen as credible and which concerns receive less attention. At the same time, technology companies benefit directly, because once governments adopt these systems, it becomes very difficult to switch away from them.

Technology companies form the commercial backbone of DPI. Some firms are rapidly expanding across Africa by offering biometric systems that fit with promoted standards. Large multinational companies dominate the market for biometric hardware, identity databases, and cloud hosting. Companies like Identy.io are expanding aggressively across Africa, aligning biometric solutions with MOSIP's compliance requirements. Larger firms, such as Thales, IDEMIA, and NEC, dominate biometric hardware and ABIS platforms, while AWS, Azure, and Google Cloud host significant DPI deployments globally. Their business model depends on long‑term contracts, ongoing maintenance, and systems that are expensive and risky for governments to replace. Even when systems are described as “open,” they often include built‑in dependencies that keep customers locked into a particular ecosystem.

There are many ways powerful organisations influence how digital identity systems are built. For example, when the World Bank provides large loans for digital ID projects, such as the $350-million loan for Ethiopia’s Fayda system, countries often feel pressure to use the designs and technologies the Bank recommends. Technical advisors funded through these projects can also shape decisions from inside government programmes. In South Africa, the MzansiXchange system is based on technology developed in Estonia and has received financial support from international actors including Swiss, UK, and Gates Foundation sources.

Global rules and guidelines also play a role. Principles set by groups such as the G20, the United Nations, and international standards bodies help define what is seen as “best practice.” Over time, this creates a global environment where some approaches are treated as normal or expected, while other options are pushed to the sidelines.

This influence is reinforced by reports, international conferences, and widely circulated success stories. These often focus on how quickly or efficiently systems work, while paying less attention to political debate, citizens' rights, or long‑term risks.

The key question is whether digital public infrastructure is truly a neutral public good or whether it is being shaped by a coordinated global agenda. There is strong evidence that digital identity systems can help include large numbers of people, as seen in countries like India. At the same time, there is also clear evidence of a shared push by governments, donors, foundations, and companies whose interests align around fast rollouts, standard designs, and easy‑to‑measure results. These forces influence how systems are built and who ultimately benefits from them.

There is a political economy at work, shaping the outcomes observed.

Mapping Interests, Incentives, and Influence

Governments adopt DPI for multiple, sometimes competing reasons. Service delivery efficiency and fiscal control are the dominant official justifications. Digital identity enables direct benefit transfer, eliminates ghost beneficiaries, and reduces administrative costs. These are genuine gains.

But DPI also expands surveillance infrastructure to monitor citizen behaviour, enforce compliance, and manage populations at scale. The same infrastructure that delivers social grants can track political dissent. Governments with weak accountability mechanisms face strong incentives to exploit this dual-use character, and centralised identity systems are structurally vulnerable to mission creep.

Technology vendors that sell biometric devices, build large IT systems, and provide cloud services are usually trying to grow their market and keep governments using their products for a long time. Once a government adopts a particular biometric system or database, it becomes very hard to change suppliers later. The data may not work with other systems, staff become trained on one specific setup, and long‑term contracts lock the system in place. Even when governments move to so‑called open‑source software, this does not fully remove vendor influence. Power often shifts to areas like system setup, customisation, and ongoing maintenance. In some cases, technologies are labelled “open” but are designed in ways that still keep users dependent on a particular company’s ecosystem, even without obvious licensing fees.

Large private foundations, such as Gates and Omidyar, play a powerful but unusual role in shaping digital public infrastructure. They help design the technical systems and also promote the idea that these systems are essential for development. Unlike governments or private companies, however, they are not subject to the same public oversight or accountability. By funding projects like MOSIP, iSPIRT, and the 50‑in‑5 campaign, they have strongly influenced which technical approaches are seen as credible and which concerns, especially about governance and citizens’ rights, receive less attention. As a result, important decisions about DPI are often shaped behind the scenes, without the level of democratic scrutiny that would normally apply.

Citizens have the most to lose if digital systems misuse their data or exclude them from services. They care deeply about privacy, control over personal information, and fair access. Yet they have the least influence over how digital public infrastructure is designed. Civil society organisations have started pushing back by challenging forced enrolment in court, documenting cases where people are excluded, and calling for a voice in how these systems are governed. However, they are usually shut out of the technical design discussions where the most important decisions are made, long before the public ever sees the system.

Data Sovereignty and Citizen Data Control

Data sovereignty operates at two distinct levels that are frequently conflated. At the state level, data sovereignty is about a government’s ability to control data produced within its borders by setting rules for how data is collected, stored, shared, and protected, and by enforcing those rules on local and foreign companies. At the citizen level, data control is about whether individuals can actually decide how their personal information is collected, used, and shared.

These two levels are not the same and often create tension. A government can tightly control data within the country while giving citizens very little say over their own information. Strong state control does not automatically mean strong privacy or personal choice. On the other hand, laws that protect individual rights can limit state surveillance but do not necessarily address deeper problems, such as reliance on foreign technology companies to store and manage data.

Today, the biggest challenge to data sovereignty lies in infrastructure. Even when countries require data to be stored locally, much of Africa’s data is still held on cloud systems owned and controlled by foreign companies. Africa represents just 1% of global data centre capacity despite comprising 17% of world population, with most African data stored in the United States (56%) and Europe (32%). South Africa's data centre market, though relatively mature by regional standards, is dominated by US-headquartered firms such as Teraco (Digital Realty), Vantage Data Centers, and Equinix, with hyperscalers AWS, Microsoft Azure, and Google Cloud operating local cloud regions that remain under US legal jurisdiction (the subject of the next essay in this series).

This matters because foreign laws extend across borders. For example, a US law (Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018) allows American authorities to demand access to data held by US companies, even if that data is stored in another country. This means that data stored in South Africa by a US‑owned cloud provider could be accessed by US law enforcement without the knowledge or consent of South African authorities or the people to whom the data belongs. In other words, keeping data physically inside the country does not necessarily mean it is under local control. This is a built‑in structural problem that cannot be solved simply by contracts or hosting agreements.

South Africa’s Readiness for this DPI Moment

Several developments have come together to create both opportunities and risks for South Africa’s digital public infrastructure. The Department of Home Affairs’ push to modernise its systems, the launch of the MyMzansi digital identity initiative, and South Africa’s leadership role in the G20 in 2025 have all elevated digital identity higher up the national policy agenda.

The National Population Register (NPR), administered by the Department of Home Affairs, constitutes the foundational layer of South Africa's identity infrastructure. It is a legacy system with significant data quality problems, limited interoperability, and governance challenges. The publication for comment on the draft amended regulations in terms of the Identification Act of 1997 for public comment until 6 June 2026, on 5 May 2026, by South Africa’s Minister of Home Affairs, suggests that this reform initiative is gathering pace. It will extend the register's functionality and enable broader use of digital identity. Without clarity on architecture, data governance, or accountability mechanisms, these expansions risk embedding the existing system's limitations on a larger scale.

South Africa has also joined the global “50‑in‑5” campaign, which promotes the rapid rollout of digital public infrastructure in fifty countries. While participation shows South Africa’s willingness to engage with global digital trends, the details matter. If outside technical support limits local decision‑making or locks the country into certain technologies or systems, it could recreate the kinds of dependency that undermine data sovereignty and citizen control.

South Africa's regulatory framework, including the Protection of Personal Information Act (POPIA) and National Data and Cloud Policy, provides the legal foundation. But POPIA has been unevenly enforced, the Information Regulator remains under-resourced, and the National Data and Cloud Policy has not established the domestic infrastructure requirements or sovereignty safeguards that would close the gap between legal protection and operational reality.

The key question is whether South Africa’s institutions are ready. The country has the legal foundations needed to build digital identity systems that respect citizens’ rights, but it lacks strong coordination and clear governance to apply those rules consistently. If South Africa moves ahead with large‑scale digital identity systems that rely on foreign infrastructure or highly centralised designs before addressing these governance gaps, it may be extremely expensive, or even impossible, to reverse those choices later.

Risks and Political Economy Outcomes

The risks emerging from current DPI implementation are not accidents. They are the result of political and institutional decisions made by different actors, each pursuing their own interests.

One of the biggest and most immediate risks is becoming locked into a single technology supplier. Once a government rolls out a biometric system for the whole population, changing it later becomes extremely difficult. Moving large amounts of data, retraining staff, renegotiating contracts, and keeping services running during a switch all come at a very high cost. Technology companies understand this and often design their systems and contracts to make it hard to leave, giving them long‑term influence and ongoing income well beyond the original procurement.

Another serious risk is the concentration of power in a few critical systems. When identity, payments, and data sharing all depend on a small number of databases, cloud platforms, or government systems, any failure or breach can affect millions of people at once. The same centralisation that makes systems efficient also makes them vulnerable to hacking, misuse, or pressure from powerful actors, and turns them into surveillance tools for monitoring the population.

Expanded surveillance is often justified as a way to prevent fraud, reduce crime, or target benefits more accurately. But the same tools that can detect fake beneficiaries can also be used to track political opponents or activists. The difference between effective administration and harmful control is determined not by technology but by political institutions. When those institutions are weak or compromised, digital systems can easily be used to control people rather than serve them.

Guardrails for Data Sovereignty and Citizen Control

Protecting people’s data and giving citizens real control over it requires action on several fronts. It concerns how systems are governed, how laws are written and enforced, how technology is designed, and how political decisions are made.

First, strong governance is essential. There must be independent oversight bodies to protect privacy and personal data, with adequate funding, skilled staff, and real power to enforce the rules. In South Africa, the Information Regulator is meant to play this role, but it currently lacks the resources to oversee complex digital identity systems. In addition, decision‑making should not be left only to the government and technology providers. Civil society groups, researchers, and communities affected by these systems should have a formal role in shaping how digital public infrastructure is designed and run.

Second, legal protections need to be strengthened and effectively enforced. South Africa’s data‑protection law already sets out many important rights, but those rights are not consistently applied in practice. Laws should clearly limit how data can be reused for new purposes and impose penalties when systems slowly expand beyond their original role. People should not be forced to use a digital identity system to access essential services if no alternatives exist. South Africa should also explore legal tools that allow local courts to challenge foreign access to citizens’ data. Crucially, sensitive identity and biometric data should be stored on infrastructure located within South Africa and governed by South African law. Recent draft regulations under the Identification Act begin to move in this direction, but more clarity is needed.

Third, privacy protections should be built directly into the technology, not added as an afterthought. This means designing systems that avoid collecting everything in a single central database, allow people to choose exactly what data they share and withdraw that permission later, and use software that can be independently checked for security issues. Biometric data should be protected in ways that prevent it from being reconstructed if systems are breached. Countries like Estonia show that it is possible to build national digital systems that share data securely without centralising it.

Finally, political safeguards matter. People should be involved in shaping digital identity systems before they are rolled out, not only consulted after key decisions have already been made. Contracts with private companies should be transparent and open to public and parliamentary scrutiny. Laws should also require regular reviews of digital systems, forcing lawmakers to revisit and re‑approve them over time. This helps prevent today’s technical choices from becoming permanent, unchangeable systems without democratic oversight.

The Power of Platforms

DPI is not merely digital infrastructure. It is political infrastructure that determines the distribution of power between states, markets, and citizens. The principles of openness, interoperability, and inclusion that underpin DPI implementation have genuine value. Caution is, however, required as these campaigns are often promoted by governments, companies, and international actors whose main goals are expanding markets, increasing influence, or tightening administrative control. When this happens, new digital systems can end up reinforcing old inequalities, just in more modern and less visible ways.

South Africa stands at a genuinely critical juncture. It possesses the foundational institutional and legal capacity to adopt DPI on terms that protect data sovereignty and citizen control. But these foundation are under pressure. International initiatives are pushing for rapid adoption, while local institutions still have gaps in coordination and oversight, and much of the underlying digital infrastructure is controlled by foreign companies. The risk is not that South Africa will fail to adopt DPI, but that it will adopt it on terms that embed dependency and limit future choices.

A different path is possible, but it requires treating digital public infrastructure as a political choice. That means designing systems from the start to protect citizens' rights, rather than adding safeguards later. It means having independent institutions with the power and resources to enforce those protections. It also means being transparent and involving citizens in decisions about systems built on their personal data. Above all, it requires a frank assessment of what each technological dependency means for data sovereignty and citizen control.

The goal is not to avoid DPI but to claim it on terms that make it genuinely public infrastructure rather than a vehicle for the consolidation of state and corporate power.

Written by Mark Burke, a researcher and advisor with expertise in digital governance, and a focus on public-sector digital transformation. His research interests are digital identity, privacy, and citizenship in the digitalisation of public services.