Wim Nauwelaerts writes:
Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.
Read more on Hogan & Hartson’s Chronicle of Data Protection.