You are right about providing a more proper digital authentication solution for citizens, and at least one country has this[0], but in this case it just seems that the data was being kept/exploited for no better reason than marketing and that the company should not have had access to it from the start.