EU GDPR enforcement

EDPB Binding Decision Bars Belgium From Dismissing Mass-Filed GDPR Complaints as 'Abuse of Rights'

A binding EDPB ruling forces Belgium's DPA to judge a noyb cookie-banner complaint against VRT on its merits, closing off a procedural dismissal shortcut.

A Five-Year Path to a Merits Review People of Internet Research · EU ~5 years Complaint to merits review noyb filed against VRT on 10 Augus… 2023 Austria's transfer to Belgium Austria referred the file to VRT's… 8 months Objection to binding decision Austria formally objected on 22 Se… peopleofinternet.com
A Five-Year Path to a Merits Review People of Internet Research · EU ~5 years Complaint to merits review 2023 Austria's transfer to Belg… 8 months Objection to binding decision peopleofinternet.com

Key Takeaways

A Five-Year Complaint Finally Gets a Hearing

On 14 July 2026, the European Data Protection Board published Binding Decision 1/2026, instructing Belgium's Data Protection Authority to stop trying to dismiss a complaint against public broadcaster VRT on procedural grounds and instead rule on whether VRT's cookie banner actually violates the GDPR, per the EDPB's own announcement.

The case traces back to 10 August 2021, when a data subject represented by the Austrian privacy group noyb filed a complaint with Austria's DPA alleging VRT's cookie consent banner violated GDPR Articles 5, 6 and 13 alongside the ePrivacy Directive, according to reporting on the case. Austria transferred the file to Belgium — VRT's home regulator and thus lead supervisory authority — in June 2023. Rather than assessing the banner, Belgium proposed dismissing the complaint outright, arguing that noyb's standardized, at-scale filing practice amounted to an "abuse of the right to lodge a complaint" under Article 77 GDPR, combined with abuse of the right to representation under Article 80(1).

Austria objected on 22 September 2025, warning that letting one lead authority wave away complaints on procedural grounds — while other national regulators examined structurally identical complaints on the merits — would fragment the GDPR's supposedly harmonized enforcement. The EDPB agreed. Its binding decision found Austria's objection "relevant and reasoned" and held that noyb had not shown the objective and subjective elements required to prove abuse. A representative organisation operating at scale, the Board concluded, does not thereby make every mandate it holds suspect.

The Case for Belgium's Skepticism

Belgium's instinct deserves a fair hearing before it's dismissed. noyb has filed complaints by the hundreds — its 2021 cookie-banner sweep alone prompted the EDPB to stand up a dedicated Cookie Banner Taskforce to coordinate a cross-border response. A national DPA that must triage a template-driven wave of near-identical filings, on top of its ordinary caseload, has a legitimate administrative interest in distinguishing genuine individual grievances from filings that function as institutional litigation strategy wearing an individual's mandate. Article 80(1) was written with a single data subject's redress in mind, not a standing campaign against an entire sector's cookie practices; treating every mass-filed complaint as automatically legitimate risks turning DPAs into a rubber stamp for advocacy groups rather than neutral arbiters. Belgium's DPA has separately settled cookie-banner cases against fifteen news outlets — VRT among them — for fixed payments rather than compliance orders, a pattern noyb itself has criticized as letting companies "buy themselves free" of GDPR obligations. Read charitably, Belgium's abuse-of-rights theory was at least an attempt to draw a line somewhere.

Why the EDPB Was Right to Reject It

The trouble is that Belgium's line-drawing, if left standing, would have let one lead authority permanently insulate a controller from ever having its practices reviewed — not because the practices were found lawful, but because the complaint arrived through an efficient channel. That is a worse outcome for legal certainty than a prompt ruling either way. Companies operating across the EU rely on the one-stop-shop mechanism to produce a single, binding answer to "is this compliant"; a procedural dismissal produces no answer at all, just years of limbo followed by the same open question. The EDPB's holding — that scale is not evidence of abuse absent proof the representative's institutional goals have displaced the data subject's own — draws a sensible line: it does not ban DPAs from screening for genuinely abusive mandates, say where a "complainant" never actually consented to be represented. It forecloses only the use of volume itself as a proxy for bad faith.

The Deeper Problem Is Speed, Not Standing

The Board found the Austrian authority's objection to be "relevant and reasoned" and instructed Belgium to assess the complaint on its merits.

The more damning number in this case isn't about noyb's litigation strategy; it's the interval between the original complaint and any substantive review. A complaint filed in August 2021 sat with Austria, transferred to Belgium in 2023, faced a dismissal attempt, waited two more years for Austria's formal objection, and only now — mid-2026 — returns to Belgium for a first look at the merits. That timeline, more than the abuse-of-rights doctrine, is the real indictment of GDPR's cross-border enforcement architecture. Businesses do not benefit from regulatory uncertainty stretching half a decade any more than users benefit from a broken cookie banner staying broken that long.

If the EDPB wants to prevent a repeat, barring procedural dismissals is only half the fix. The other half is giving lead authorities a binding timetable for merits decisions on cross-border complaints, the same way the Board just gave Belgium a binding instruction on process. Belgium's regulator must now submit a fresh draft decision to the other supervisory authorities under Article 60(3) GDPR; expect that draft, whenever it lands, to draw exactly the scrutiny this detour was supposed to avoid in the first place.

Sources & Citations

  1. EDPB: Binding Decision 1/2026 (VRT, Art. 65 GDPR)
  2. EDPB news: requires Belgian DPA to rule on merits
  3. ppc.land: EDPB forces Belgian regulator to reconsider case
  4. Digital Watch Observatory: EDPB orders Belgium to examine complaint
  5. noyb: Belgian DPA settlement pattern with news outlets