Insights • Zekret Labs

Regulation Should Reduce Risk, Not Mandate It

By Kayne Brennan • 10 Mar 2025

#digital-regulation #risk-management #privacy-by-design #data-minimisation #identity-governance

Regulation exists to reduce harm.

At its best, it sets boundaries and creates accountability. It protects people from risks they cannot reasonably manage on their own. In the digital world, where systems are complex and consequences are opaque, this role is more important than ever.

Yet many digital identity regulations do the opposite: instead of reducing risk, they create new hazards faced by individuals—often through mandatory data collection and exposure.

Across jurisdictions, new rules increasingly require individuals to upload identity documents, submit biometric data, or link their real-world identities to online activity to access services, express themselves, or simply participate. These requirements are framed as necessary for safety, compliance, or enforcement.

What is rarely acknowledged is which parties ultimately bear these risks, and how.

When an institution must verify identity, the regulatory risk initially rests with the institution. But when the process involves collecting and storing large amounts of personal data, the risk shifts to the individual. If that data is breached, misused, or poorly governed, it is the individual's identity, privacy, and security that are threatened, not the regulator's or the platform's.

This is a fundamental misalignment.

Identity data is uniquely sensitive. Unlike a password, a personal identifier such as a passport number, facial scan, or biometric template cannot be revoked or changed once exposed. A leak creates a permanent vulnerability for the individual whose data is exposed, leaving them at increased risk of identity theft, fraud, or surveillance. Mandating the collection of such data without strict requirements for its handling exposes individuals to risks beyond their control.

From a regulatory perspective, this is a design failure.

Good regulation should assume that systems will fail. Databases will be breached. Vendors will change. Laws will evolve. When failures happen, damage should be contained. But many identity regulations assume perfect security and perpetual good behaviour, and are written with those assumptions baked in.

This is how rules end up requiring too much disclosure to prove minimal facts. To show age, people must reveal identity. To access services, documents must be submitted. To comply with safety laws, platforms collect data they neither need nor want.

This leads to regulatory compliance that appears effective on the surface, but in reality, significantly increases individuals' exposure to data breaches, identity theft, and other risks.

There is another path.

Regulation can focus on outcomes rather than mechanisms. It can require proof without demanding exposure. It can set clear limits on data collection and retention, and define obligations for when things go wrong. Most importantly, it can ensure that the parties equipped to manage a risk are the ones made responsible for it.
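As an added illustration of the two points above (people made to reveal identity just to show age, versus proof without exposure), the following Python example contrasts the two designs a relying party can be pushed toward. It is not code from Zekret Labs or the original post; the issuer record, the key, the dates and the thirty-day validity window are all constructed for this example, and the HMAC tag stands in for what a real issuer would do with a proper digital signature.

```python
"""Age proof without identity exposure (added example, constructed data).

Two ways a platform can satisfy an "over 18" rule:
  1. full_disclosure_onboarding: the platform collects the identity document
     and keeps it. Every field it stores is now breachable.
  2. minimised_onboarding: a separate issuer attests only the predicate
     "over the minimum age"; the platform stores a verdict and nothing else.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# Constructed sample record held by the issuer (e.g. a verification service).
# In the minimised design the relying party never sees this record.
ISSUER_RECORD = {
    "name": "Example Person",
    "date_of_birth": "1990-06-15",
    "document_number": "PLACEHOLDER-DOC-123",
}

# Fields that identify a person if leaked. Used only to compare what each
# design leaves at rest on the platform side.
IDENTIFYING_FIELDS = {"name", "date_of_birth", "document_number"}

# Assumption: a symmetric key shared between issuer and verifier. A real
# deployment would use an asymmetric signature so verifiers cannot mint proofs.
ISSUER_KEY = b"constructed-issuer-key-for-illustration"


def years_old(dob_iso: str, today_iso: str) -> int:
    """Whole years between a date of birth and a given day (both ISO dates)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def full_disclosure_onboarding(record: dict, min_age: int, today_iso: str) -> dict:
    """Mandated-collection path: the platform checks age itself and keeps the
    whole record. The return value is what the platform now stores."""
    if years_old(record["date_of_birth"], today_iso) < min_age:
        raise PermissionError("under the minimum age")
    return dict(record)


def _tag(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_age_attestation(record: dict, min_age: int, today_iso: str,
                          ttl_days: int = 30) -> dict:
    """Issuer side: reduce the record to one predicate, give it an expiry and a
    nonce, and sign it. Name, date of birth and document number stay here."""
    expires = date.fromisoformat(today_iso) + timedelta(days=ttl_days)
    claims = {
        "over_min_age": years_old(record["date_of_birth"], today_iso) >= min_age,
        "min_age": min_age,
        "expires": expires.isoformat(),
        "nonce": secrets.token_hex(8),
    }
    return {"claims": claims, "tag": _tag(claims)}


def verify_age_attestation(attestation: dict, min_age: int, today_iso: str) -> bool:
    """Relying-party side: check integrity, expiry and the predicate.
    Only a yes/no verdict comes out; there is nothing identifying to retain."""
    if not hmac.compare_digest(_tag(attestation["claims"]), attestation["tag"]):
        return False  # tampered or not from the issuer
    claims = attestation["claims"]
    if date.fromisoformat(claims["expires"]) < date.fromisoformat(today_iso):
        return False  # retention limit built into the proof itself
    return claims["min_age"] >= min_age and bool(claims["over_min_age"])


def minimised_onboarding(attestation: dict, min_age: int, today_iso: str) -> dict:
    """Data-minimising path: the platform stores the verdict and when it was
    checked, and nothing that can be used for identity theft if breached."""
    if not verify_age_attestation(attestation, min_age, today_iso):
        raise PermissionError("age attestation rejected")
    return {"age_verified": True, "verified_on": today_iso}


def identifying_fields(stored: dict) -> set:
    """Which identifying fields a given stored record would expose in a breach."""
    return set(stored) & IDENTIFYING_FIELDS


if __name__ == "__main__":
    today = "2025-03-10"
    print("full disclosure stores:", identifying_fields(
        full_disclosure_onboarding(ISSUER_RECORD, 18, today)))
    proof = issue_age_attestation(ISSUER_RECORD, 18, today)
    print("minimised design stores:", identifying_fields(
        minimised_onboarding(proof, 18, today)))
```

The point of the contrast is the return value of each onboarding function: it is exactly what would sit in the platform's database, and therefore exactly what a breach would expose. The expiry inside the attestation also shows how a retention limit can be enforced by the proof itself rather than by a policy the platform may or may not follow.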

This shift matters. Regulation shapes behaviour at scale. If laws reward data collection, systems will collect more data. If laws reward minimisation and resilience, systems will adapt.

Reducing harm should not increase exposure. Protecting people should not mean they lose control of their identity. If regulation is to serve the public, it must stop mandating risk in the name of compliance. It should be designed for failure, accountability, and restraint. Lawmakers, regulators, and industry must act now: revisit existing identity regulations, emphasise data minimisation, and ensure individuals are not burdened with unnecessary risk.

Regulation cannot eliminate risk entirely. But it can decide who carries it.