I missed part of your explanation. I heard what you said only at the end, about citizens being in control of their data security. However, when a breach does occur, how can the government make sure that it is reported or even that sanctions are imposed? I'm not sure whether Estonia has any sanctions in place.
Who is the authority making sure that data are protected and that corrective measures are taken in the event of a breach? If it's the responsibility of citizens, they aren't necessarily equipped to detect privacy violations. When it comes to government services, who provides that oversight?