7. OUTLINE – Given the fundamental importance of both the controller and processor concepts, it is essential to be able to determine which role an actor has assumed towards a particular processing operation. Unfortunately, it can be quite difficult to apply the distinction between controller and processors in practice. Over time, data protection authorities and courts have provided guidance to inform the practical application of the controller and processor concepts. Notwithstanding the guidance, however, certain scholars have continued to question the utility of the controller-processor model. The following sections outline three perceived vulnerabilities of the current framework.

A BROKEN “BINARY”

8. OVERSIMPLIFICATION? – Perhaps the most common critique of the controller-processor model is that the “binary” distinction between controllers and processors is too simplistic. While the model may be readily applied in certain situations, the complexity of today's processing operations is such that a clear-cut distinction between controllers and processors is seldom possible. As a result, the binary distinction is considered inadequate to accommodate the increasingly collaborative manner in which businesses operate. Nowadays, control relationships are more complex than the “either/or” approach of the controller-processor model; whereby one party (or group of parties) exercises complete control over the processing, and another party (or group of parties) simply executes the tasks it has been given, without exercising any substantial influence as to either the purposes or means of the processing.

9. EVOLVING PROCESSING PRACTICES – At the time Directive 95/46 was adopted, the distinction between parties who control the processing of personal data (data controllers) and those who simply process the data on behalf of someone else (data processors) was considered to be relatively clear. Today we are confronted with a “growing tendency towards organisational differentiation”. In both the public and private sector