Key Points

• EU data protection law uses a ‘controller-based responsibility system’, wherein responsibility is primarily attributed to the ‘controller’ of the processing of personal data.
• This article argues that the EU’s controller-based responsibility system suffers from a number of problems, including problems arising from Court of Justice of the European Union (CJEU) case law, as well as problems inherent in the controller-based responsibility system itself.
• First, in relation to the problems arising out of CJEU case law, it is argued that (i) the CJEU has adopted an overly broad conception of joint controllership and that (ii) the CJEU should not have developed a judicial doctrine that allows for the ad hoc differentiation of controllers.
• Second, in relation to problems inherent in the controller-based responsibility system itself, it is argued that there are at least three such problems (namely the complexity problem, the distribution problem, and the impossibility problem) and it is suggested that a non-controller-based responsibility system may be preferable because it avoids these inherent problems.

中文翻译：

---

欧盟数据保护法中基于控制者的责任问题

关键点

• 欧盟数据保护法使用“基于控制者的责任制”，其中责任主要归于处理个人数据的“控制者”。
• 本文认为，欧盟的控制者责任制存在诸多问题，包括欧盟法院（CJEU）判例法产生的问题，以及控制者责任制本身固有的问题。
• 首先，关于 CJEU 判例法引起的问题，有人认为 (i) CJEU 采用了过于宽泛的共同控制权概念，并且 (ii) CJEU 不应该制定允许控制器的特殊差异化。
• 第二，关于责任人责任制本身固有的问题，认为至少存在三个这样的问题（即复杂性问题、分配问题和不可能问题），建议非基于控制器的责任制可能更可取，因为它避免了这些固有问题。