A Framework Worth Taking Seriously — With Structural Gaps That Cannot Be Patched Later
When South Africa's public comment window on its draft biometric digital identity regulations closed on June 6, 2026, Minister of Home Affairs Leon Schreiber could fairly claim the country had produced something technically sophisticated. The amended Identification Act of 1997 framework proposes elliptic-curve asymmetric cryptography, device-specific credential binding, biometric deduplication against the national population register, and a data minimisation architecture that lets citizens prove their age without revealing their ID number — precisely what POPIA requires. Against a continental backdrop where digital identity programmes routinely skip security fundamentals, South Africa's draft is a serious document.
The government's case for urgency is also strong. With the Home Affairs budget for 2026/27 standing at R13.8 billion ($828 million), the Department needs a delivery vehicle for its Smart ID expansion, biometric visa processing, and doorstep document services. A smartphone-based credential that works across public and private sectors — banks, telecoms, SARS — eliminates queues, reduces identity fraud, and extends inclusion to the roughly 21 million South Africans who already hold biometric Smart ID cards. The ambition is proportionate to the problem.
But steelmanning the case for speed does not resolve the structural defects that technical specialists and privacy lawyers flagged before the comment deadline. Three of them are architectural — meaning they cannot be fixed by a future amendment without rebuilding the system.
The Single-Wallet Problem
The draft designates MyMzansi as the sole credential distribution mechanism. This is a significant architectural choice, and the wrong one. Gerhard Oosthuizen, writing in TechCentral's gap analysis of the plan, put it plainly: "Will only the MyMzansi app be the purveyor? It would have been better if the regulation said there will be approved wallets."
The comparison to mature digital identity deployments is instructive. Twelve U.S. states now permit digital driver's licences in Apple Wallet and Google Wallet, following ISO mobile driver's licence standards (ISO/IEC 18013-5). The EU's Digital Identity Wallet framework under eIDAS 2.0 requires member states to offer an official wallet — but also mandates that relying parties accept credentials from certified third-party wallets. South Africa's draft goes in the opposite direction: one government app, no interoperability path.
Concentrating the credential layer in a single government application creates a single point of failure — operational, political, and security. A DDoS attack, a procurement failure, or a political decision to restrict access collapses the entire system. More immediately, it excludes the hundreds of thousands of South Africans who already manage their digital lives through banking apps: ABSA, FNB, and Standard Bank all have established digital identity flows that could integrate a compliant credential standard. Locking them out is not a privacy win — it is an unnecessary concentration of state power.
Liveness Detection That an Attacker Can Game at Home
The regulations require liveness detection during enrollment and renewal. What they do not require is how that liveness detection must work — and the current implementation relies on 2D selfie checks. The risk is not theoretical. Oosthuizen noted that a determined attacker with controlled home lighting can spoof most commercial 2D liveness checks: "Unless we force in liveness with additional sensors, the risk of a 2D camera on its own is dangerous."
ISO/IEC 30107-3 defines presentation attack detection (PAD) tiers precisely because the industry learned this lesson the hard way. 2D passive liveness performs adequately against casual fraud; it fails against sophisticated printed-photo or video-replay attacks. South Africa's national identity register is not a casual fraud target. The regulation should specify minimum PAD conformance levels — or, at minimum, a path to mandatory hardware-backed liveness (NFC tap of the physical Smart ID card, fingerprint sensor, or certified 3D depth-camera check) before renewal credentials are issued at scale.
Verifier Accountability: The Missing Chapter
The draft creates a "trusted entities" framework for banks, telecoms operators, and government departments to verify credentials in real time. It prohibits data commercialisation and requires access audit logs retained for seven years — both meaningful provisions. What it does not address is the operational accountability layer: device-limit policies, lost-phone revocation protocols, offline usage throttling, and fraud signal collection (unusual verification locations, behavioural anomalies). These are not edge cases. They are the scenarios that produce identity theft at scale.
European eIDAS 2.0 standards require relying parties to display their identity and stated purpose to the user before authentication — a transparency gate against social engineering. South Africa's draft omits this entirely. If a fraudster sets up a fake verification terminal, the credential holder has no mechanism to confirm the verifier's legitimacy before handing over biometric confirmation.
The Watchdog Problem
All of this falls under the supervision of the Information Regulator, established under POPIA. The Regulator's 2025/26 Annual Performance Plan, presented to Parliament's Portfolio Committee on Justice in May 2026, signals a more proactive enforcement posture — own-initiative inspections, sector-specific compliance assessments, and expanded guidance notes. The intent is right. The resource base is not. Analysis of the Regulator's operational capacity indicates it functions with a fraction of the staff and budget that supervising a national biometric credential system spanning public and private sectors would require.
Estonia's Data Protection Inspectorate, governing a country of 1.3 million, employs around 50 full-time staff and has decades of operational experience with digital identity oversight. South Africa, with 62 million people and a system that will eventually touch banks, telecoms, SARS, and law enforcement, needs an oversight body built to match that scale before, not after, promulgation.
Surveillance at Scale Is Already Here
The regulatory debate over MyMzansi is not happening in a vacuum. On June 30, 2026, ahead of anti-migrant protests in Gauteng, South Africa deployed 33,000 CCTV cameras, drones, helicopters, and 13,000 law enforcement officers across the province — a R600 million ($35.5 million) operation that integrated municipal, private, and state surveillance infrastructure in real time. The deployment was operationally effective. It also demonstrated that South Africa's surveillance architecture is expanding rapidly, often ahead of the legal frameworks designed to constrain it.
A national biometric credential system will, over time, interface with this expanding surveillance infrastructure. The draft regulations contain the right language about judicial authorisation for law enforcement access. The implementation framework — including the verifier accountability layer, the monopoly wallet architecture, and the watchdog capacity — needs to match that language with enforceable mechanism.
What Promulgation Should Require
The draft regulations should not be promulgated as written. Before finalisation, three changes are essential: replace the single-wallet mandate with an open, certified-wallet framework following ISO 18013-5; specify minimum ISO/IEC 30107-3 presentation attack detection tiers for liveness checks; and add a verifier transparency and accountability schedule covering device limits, revocation, and fraud reporting. The Information Regulator's capacity should be addressed separately through a Parliamentary budget process tied to the implementation timeline.
South Africa has the technical architecture to build a world-class digital identity system. It does not yet have the governance architecture to match. Fixing the latter before launch is not a reason to slow down — it is the reason the system will survive contact with reality.