A Five-Year Complaint Finally Gets a Hearing
On 14 July 2026, the European Data Protection Board published Binding Decision 1/2026, instructing Belgium's Data Protection Authority to stop trying to dismiss a complaint against public broadcaster VRT on procedural grounds and instead rule on whether VRT's cookie banner actually violates the GDPR, per the EDPB's own announcement.
The case traces back to 10 August 2021, when a data subject represented by the Austrian privacy group noyb filed a complaint with Austria's DPA alleging VRT's cookie consent banner violated GDPR Articles 5, 6 and 13 alongside the ePrivacy Directive, according to reporting on the case. Austria transferred the file to Belgium — VRT's home regulator and thus lead supervisory authority — in June 2023. Rather than assessing the banner, Belgium proposed dismissing the complaint outright, arguing that noyb's standardized, at-scale filing practice amounted to an "abuse of the right to lodge a complaint" under Article 77 GDPR, combined with abuse of the right to representation under Article 80(1).
Austria objected on 22 September 2025, warning that letting one lead authority wave away complaints on procedural grounds — while other national regulators examined structurally identical complaints on the merits — would fragment the GDPR's supposedly harmonized enforcement. The EDPB agreed. Its binding decision found Austria's objection "relevant and reasoned" and held that noyb had not shown the objective and subjective elements required to prove abuse. A representative organisation operating at scale, the Board concluded, does not thereby make every mandate it holds suspect.
The Case for Belgium's Skepticism
Belgium's instinct deserves a fair hearing before it's dismissed. noyb has filed complaints by the hundreds — its 2021 cookie-banner sweep alone prompted the EDPB to stand up a dedicated Cookie Banner Taskforce to coordinate a cross-border response. A national DPA that must triage a template-driven wave of near-identical filings, on top of its ordinary caseload, has a legitimate administrative interest in distinguishing genuine individual grievances from filings that function as institutional litigation strategy wearing an individual's mandate. Article 80(1) was written with a single data subject's redress in mind, not a standing campaign against an entire sector's cookie practices; treating every mass-filed complaint as automatically legitimate risks turning DPAs into a rubber stamp for advocacy groups rather than neutral arbiters. Belgium's DPA has separately settled cookie-banner cases against fifteen news outlets — VRT among them — for fixed payments rather than compliance orders, a pattern noyb itself has criticized as letting companies "buy themselves free" of GDPR obligations. Read charitably, Belgium's abuse-of-rights theory was at least an attempt to draw a line somewhere.
Why the EDPB Was Right to Reject It
The trouble is that Belgium's line-drawing, if left standing, would have let one lead authority permanently insulate a controller from ever having its practices reviewed — not because the practices were found lawful, but because the complaint arrived through an efficient channel. That is a worse outcome for legal certainty than a prompt ruling either way. Companies operating across the EU rely on the one-stop-shop mechanism to produce a single, binding answer to "is this compliant"; a procedural dismissal produces no answer at all, just years of limbo followed by the same open question. The EDPB's holding — that scale is not evidence of abuse absent proof the representative's institutional goals have displaced the data subject's own — draws a sensible line: it does not ban DPAs from screening for genuinely abusive mandates, say where a "complainant" never actually consented to be represented. It forecloses only the use of volume itself as a proxy for bad faith.
The Deeper Problem Is Speed, Not Standing
The Board found the Austrian authority's objection to be "relevant and reasoned" and instructed Belgium to assess the complaint on its merits.
The more damning number in this case isn't about noyb's litigation strategy; it's the interval between the original complaint and any substantive review. A complaint filed in August 2021 sat with Austria, transferred to Belgium in 2023, faced a dismissal attempt, waited two more years for Austria's formal objection, and only now — mid-2026 — returns to Belgium for a first look at the merits. That timeline, more than the abuse-of-rights doctrine, is the real indictment of GDPR's cross-border enforcement architecture. Businesses do not benefit from regulatory uncertainty stretching half a decade any more than users benefit from a broken cookie banner staying broken that long.
If the EDPB wants to prevent a repeat, barring procedural dismissals is only half the fix. The other half is giving lead authorities a binding timetable for merits decisions on cross-border complaints, the same way the Board just gave Belgium a binding instruction on process. Belgium's regulator must now submit a fresh draft decision to the other supervisory authorities under Article 60(3) GDPR; expect that draft, whenever it lands, to draw exactly the scrutiny this detour was supposed to avoid in the first place.