The true paradox of privacy may well be in the need to conceptualise it increasingly in terms of its public dimensions, rather than its personal ones. This is true for both broadening our understanding of how personal data is ‘exchanged’, to reconfiguring the inherent value of privacy, and also beginning to broaden our understanding of what effective remedies for breaches of privacy might be. Looking at personal data protection in the particular context of public-sector driven identity projects in South Africa demonstrates that the standard ‘privacy paradox’ provides little relevant perspective for trying to formulate policy and regulatory responses to data protection. Instead, there are structural and resource impediments which challenge the ‘exercise’ of privacy in context. And while of course no single policy can create the perfect enabling environment for all capabilities, it does highlight the need for creating access to recourse (such as through data protection authorities), but also more realistically for exploring mechanisms to ensure data protection more collectively (such as through data trusts or stewardships). Data protection cannot be fully realised through only ensuring privacy in consumer exchanges, given the role of the public sector and public-private partnerships, but also the remit for collective action needs to be explored more broadly in order to preserve privacy’s true values.