Yes, but all this doesn't apply in the UK does it?
Because we have the Information Commissioner's Office to thank for our data protection law enforcement, and they're rubbish. They never act against Data Controllers *or* Data Processors.
The ICO claim they are 'not technical experts' and cannot comprehend the IT industry they are supposed to govern. They rely on 'assurances' from industry and 'independent experts' like me as a substitute for independent critical and robust regulation.
So the problem is not arguing the toss over the distinctions between black and white for these idiots. The problem is the people enforcing the law; the ICO need to be completely purged.
I have a quick fix. Catch this ICO.