EU data protection law uses a ‘controller-based responsibility system’, wherein responsibility is primarily attributed to the ‘controller’ of the processing of personal data.

This article argues that the EU’s controller-based responsibility system suffers from a number of problems, including problems arising from Court of Justice of the European Union (CJEU) case law, as well as problems inherent in the controller-based responsibility system itself.

First, in relation to the problems arising out of CJEU case law, it is argued that (i) the CJEU has adopted an overly broad conception of joint controllership and that (ii) the CJEU should not have developed a judicial doctrine that allows for the ad hoc differentiation of controllers.

Second, in relation to problems inherent in the controller-based responsibility system itself, it is argued that there are at least three such problems (namely the complexity problem, the distribution problem, and the impossibility problem) and it is suggested that a non-controller-based responsibility system may be preferable because it avoids these inherent problems.