Phenomena such as cloud computing, but also ambient technology, chain informatization, and social networking sites put into question the continuing applicability and relevance of existing legal frameworks, in particular the European Data Protection Directive (henceforth the DPD or the Directive), which dates back to 1995. Its framework of assigning roles of controller and processor appears to stand up no longer. It can be argued that it does not help any more in assigning responsibility for the processing of personal data. By a strict application of the DPD, the data subject can even be construed as playing the role of controller. Not only does the functioning of the principles of the roles need a reconsideration, but other essential principles, such as that of purpose-binding, require it, as well. For example, because data, which in a social networking context are disclosed to friends, are also used for targeted advertising and tailoring services, etc., the purpose-binding called for by the DPD becomes, at the very least, opaque. Furthermore, assigning responsibility to the actual processor in charge is just as unclear. Therefore, these current phenomena make clear that the conceptual foundations of the legislative frameworks, which purport to facilitate and protect privacy, require reflection.