The European Data Protection Board today published a binding decision instructing Belgium's data protection authority not to dismiss a cookie-banner complaint against public broadcaster VRT, rejecting the Belgian regulator's finding that the complaint amounted to an abuse of the right to lodge a grievance under the GDPR.
The decision, formally titled Binding Decision 1/2026, was adopted on 28 May 2026 and made public on 14 July 2026. It resolves a dispute that began with a single complaint filed against a Belgian broadcaster but reaches into a question that has followed noyb, the Vienna-based privacy group, across several jurisdictions: whether an organisation that files complaints on behalf of individuals at scale can have those complaints thrown out simply because of how they were prepared.
What the dispute was about
The underlying complaint concerned Vlaamse Radio- en Televisieomroeporganisatie, the Flemish public broadcaster known as VRT, and was submitted on 10 August 2021 to the Austrian data protection authority. A data subject alleged that VRT's cookie consent practices breached several GDPR provisions, including Article 5(1)(a) on lawful and fair processing, Article 6(1)(a) on consent as a legal basis, and Article 13(1)(c) on transparency obligations, alongside Article 5(3) of the ePrivacy Directive. The data subject had mandated noyb, formally registered as the European Center for Digital Rights, to act on their behalf under Article 80(1) GDPR, which permits individuals to designate a not-for-profit body to lodge and pursue complaints on their behalf.
Because VRT is established in Brussels, the Austrian authority transferred the file to Belgium's data protection authority on 6 June 2023, making Belgium the lead supervisory authority for the case. The complaint was one of many that noyb had filed with regulators across Europe concerning cookie banners; the volume was substantial enough that the EDPB had already set up a dedicated Cookie Banner Taskforce in September 2021 to coordinate how national authorities were handling the wave of filings, a body whose findings were published in a January 2023 report.
Belgium's draft decision, however, did not examine whether VRT's cookie banner complied with the GDPR at all. Instead, the Belgian authority proposed dismissing the complaint outright, arguing that lodging it constituted an abuse of the right to complain under Article 77 GDPR, read together with the right to representation under Article 80(1). The Belgian regulator leaned heavily on a March 2025 ruling from the Brussels Court of Appeal's Market Court section in a separate case involving Mediahuis, a decision that had previously quashed an earlier Belgian authority ruling for failing to properly address a similar abuse allegation. Belgium's underlying findings against Mediahuis over cookie banner design in 2024 had already established that the authority takes consent mechanics seriously; the question the VRT case raised was different, concerning not the banner itself but who gets to complain about it and how.
The abuse-of-law argument, and why it stalled
Belgium's reasoning rested on a two-part legal test drawn from the Court of Justice of the European Union's settled case law on abuse of rights, which requires both an objective and a subjective element to be present before a regulator can refuse to grant someone the benefit of an EU-law right. The Belgian authority argued both were satisfied. On the objective side, the authority pointed to a standardised, bulk-submission approach; the fact that the data subject did not belong to the ordinary audience of a Dutch-language Belgian website; a pre-existing working relationship between the data subject and noyb; and the sequence in which the mandate was granted only after noyb had already identified the target and outlined the project. On the subjective side, the authority argued that noyb sought the power to bring proceedings for a broader "cookie banner complaints" project, that trainees or staff were asked whether they wished to become data subjects in model cases, and that the underlying motivation traced back to noyb's own stated policy goal of ending what the organisation's website calls "cookie banner terror."
Austria's data protection authority disagreed and, on 22 September 2025, formally objected to Belgium's draft decision under Article 60(4) GDPR, the provision that lets a concerned supervisory authority challenge a lead authority's proposed outcome before it becomes final. Austria argued that no other regulator examining similar cookie-banner complaints from noyb had treated the practice as abusive, and warned that letting one authority dismiss on procedural grounds while others examined the same category of complaint on the merits would fragment how the GDPR applies across the bloc. Austria also invoked a domestic precedent: its own Federal Administrative Court had previously held that the non-implementation of Article 80(2) GDPR, a provision letting national legislators authorise organisations to lodge complaints independent of any individual mandate, did not bar staff or members of an association like noyb from filing complaints tied to their own personal activities.
Belgium reviewed the Austrian objection and, on 17 October 2025, told the other supervisory authorities involved that it considered the objection relevant and reasoned on its face, since it concerned how a general principle of EU law interacts with the GDPR's complaint mechanism. Yet the Belgian authority declined to change course. It concluded it would not follow Austria's objection, citing divergent national case law between the two member states on the underlying question. That refusal triggered a formal referral to the EDPB's consistency mechanism under Article 65(1)(a) GDPR, the procedure the Board uses whenever a lead authority and a concerned authority cannot agree, and one it has applied in a range of prior enforcement disputes, including the WhatsApp transparency case that established a company's right to directly challenge EDPB binding decisions before EU courts.
How the case moved through the EDPB
Belgium submitted the dispute to the EDPB on 28 January 2026, opening the formal Article 65(1)(a) procedure through the Board's Internal Market Information system. What followed was a lengthy administrative process focused as much on procedural fairness as on the substance of the complaint. The EDPB Secretariat spent February 2026 confirming the completeness of the file, and in doing so identified a due-process concern: several documents submitted alongside noyb's Article 65 submissions of 12 January 2026, including decisions from other national regulators, existed only in Italian, Spanish, German, and French. Because Article 11 of the EDPB's Rules of Procedure requires that documents be translated into English when necessary, the Secretariat commissioned translations that were validated by the issuing authorities and folded into the file by 23 March 2026.
The EDPB was also careful to document that both VRT and noyb had a genuine opportunity to be heard, a requirement under Article 41 of the EU's Charter of Fundamental Rights. Belgium had already invited both parties to submit written positions on 21 October 2025, ahead of any formal Article 65 referral; VRT responded on 1 December 2025 and again on 19 January 2026, while noyb submitted its own filing, running to twelve annexes, on 12 January 2026. When the EDPB Chair later shared additional documents with both parties for transparency on 12 March 2026, VRT and noyb each submitted further observations on 26 March 2026, and the Board concluded that neither side had been denied the chance to respond to the material actually used in reaching the decision.
The file was declared complete by the EDPB Chair and the Belgian authority on 31 March 2026 and circulated to all Board members that same day. Because of what the decision describes as the complexity of the subject matter, the Chair extended the default one-month adoption deadline by a further month under Article 65(3) GDPR, before the Board adopted its binding decision by the required two-thirds majority on 28 May 2026.
The EDPB's reasoning on the merits
Before reaching the substance, the EDPB had to settle two threshold questions: whether it had the authority to rule on a dispute that did not itself concern whether VRT had breached the GDPR, and whether Austria's objection cleared the bar of being "relevant and reasoned" under Article 4(24) GDPR.
VRT argued the EDPB had no jurisdiction here at all, contending that the Board's competence under Article 65(1)(a) was tied specifically to disputes over GDPR infringements by a controller, and that every prior EDPB binding decision had concerned exactly that. The Board rejected the argument, pointing to the text of Article 65(1)(a) itself, which extends to whether an envisaged action by a controller or processor complies with the GDPR more broadly, not only to infringement findings. The EDPB noted that Recital 136 GDPR describes the Board's role in resolving conflicting views among supervisory authorities on the merits of a case, a formulation the Board read as covering disputes over whether a complaint should be dismissed on procedural grounds just as much as disputes over substantive violations.
On whether Austria's objection was relevant and reasoned, the Board found it was both. The objection directly engaged with the factual and legal content of Belgium's draft decision, proposed a change that would lead to a materially different outcome, cited both CJEU case law and Austrian domestic rulings, and, in the EDPB's assessment, adequately demonstrated the risk that an improper dismissal on procedural grounds would pose to the underlying data subject's rights, as well as the broader risk of inconsistent GDPR application if some authorities dismissed similar complaints on abuse grounds while others examined them on the merits.
Turning to the substance, the EDPB applied the same two-part CJEU test that Belgium itself had invoked, examining first whether the objective conditions for abuse were present. The Board found they were not. Article 77 and Article 80(1) GDPR exist, the decision states, to let a data subject file a complaint about processing they believe infringes their rights, and to let them mandate a qualifying representative to do so on their behalf. Because the data subject in this case had successfully executed a valid mandate authorising noyb to act, and because the validity of that mandate itself was never in dispute, the Board concluded that the formal conditions of the relevant articles had been met and that the underlying purpose of those provisions, enabling representation, had also been fulfilled.
The Board then turned to the subjective element, the question of whether the complainant sought to rely on Article 77 and Article 80(1) not to achieve their intended purpose but to secure some other advantage. Here the EDPB's reasoning diverged sharply from Belgium's. The Belgian draft decision had drawn a distinction between the objectives of the data subject and the objectives of noyb as their representative, treating noyb as the true actor behind the alleged abuse. The EDPB rejected that framing, noting that because both Article 77 and Article 80(1) are phrased as rights belonging to the data subject, the objectives of the representative organisation should not be separated from those of the individual on whose behalf it acts. The Board also pointed to the data subject's own written submission of 7 January 2026, in which they stated they personally considered their data protection rights to have been violated and were seeking redress for that violation.
The EDPB additionally found no concrete evidence supporting Belgium's contention that noyb's institutional policy goals, such as strategic board objectives or donor interests, had displaced the individual complainant's own aims. The Board noted noyb's own submission that its board is not involved in day-to-day litigation and that most cases are run by its legal team independent of board direction. Nor did the EDPB find that professional assistance in filing a complaint, including technical help capturing screenshots and log files at the moment a website is visited, evidence that Austria specifically raised as relevant given the practical difficulty of gathering such proof after the fact, amounted to an undue advantage. Neither the Belgian authority nor VRT had demonstrated that the complainant sought compensation under Article 82 GDPR or any other financial benefit.
On that basis, the EDPB concluded that the complainant had not abused either the right to lodge a complaint under Article 77 GDPR or the right to representation under Article 80(1) GDPR. The Board's operative decision instructs Belgium not to dismiss the complaint on grounds of abuse of law, and orders the Belgian authority to assess the underlying complaint on its merits, with a view to submitting a new draft decision to the other supervisory authorities under Article 60(3) GDPR. Belgium must inform VRT of the outcome and the next procedural steps within one month of notification of the binding decision, and Austria must make the equivalent notification to the complainant.
Why this matters beyond one broadcaster
For publishers, broadcasters, and any advertiser relying on cookie-based consent mechanisms in the EU, the practical significance of this decision has little to do with VRT itself. VRT's cookie banner has not been found to violate the GDPR; the EDPB's ruling only concerns whether the complaint against it may proceed to that merits assessment at all. What the decision forecloses is a specific defensive strategy: arguing that a complaint should be dismissed on procedural grounds because it arrived through an organised, bulk-filing process involving a privacy advocacy group, rather than through an individual acting entirely alone and without professional assistance.
That question has direct relevance to a coordinated wave of cookie-banner complaints moving through European regulators for years. PPC Land's coverage of the parallel Belgian proceedings against DPG Media documented Belgium's Litigation Chamber rejecting a similar abuse-of-process argument in early 2025, distinguishing that case from an earlier ruling, known as the VOO case, where prior coordination between noyb and the complainant had been found. The EDPB's binding decision applies a comparable logic at the EU level: a valid mandate under Article 80(1) does not become suspect merely because the representative organisation operates at scale.
The ruling also arrives against a backdrop of legislative pressure over the EU's cookie consent framework. As PPC Land reported in June 2026, the EU Council's Digital Omnibus negotiations had already stripped out a proposed automated consent signal mechanism following industry lobbying. Where that debate concerns the design of consent tools going forward, the VRT decision concerns who retains standing to challenge existing tools through the GDPR's complaint machinery. Both questions touch the same commercial reality: publishers and advertisers in the EU face a regulatory environment where consent practices remain open to challenge through multiple channels, and where procedural objections to those challenges face a high bar.
Nearly five years passed between the original 10 August 2021 complaint and the binding decision resolving whether that complaint could even be examined on its merits, a duration consistent with patterns PPC Land has documented in other EDPB Article 65 proceedings, including the multi-year path of the WhatsApp transparency case before the Court of Justice. For publishers awaiting clarity on cookie consent enforcement standards, that timeline is itself informative: a finding on whether VRT's banner complies with the GDPR remains pending, since Belgium must now begin a merits assessment that could take considerably longer than the procedural dispute just resolved.
Timeline
- 10 August 2021: The data subject, represented by noyb, submits the original complaint to Austria's data protection authority concerning VRT's cookie consent practices.
- 27 September 2021: The EDPB establishes its Cookie Banner Taskforce to coordinate the response to the wave of similar complaints filed by noyb across member states.
- 6 June 2023: Austria's authority transfers the complaint to Belgium's data protection authority, which becomes the lead supervisory authority given VRT's Brussels establishment.
- 18 January 2023: The EDPB Cookie Banner Taskforce publishes its report on the underlying complaints.
- 12 August 2025: Belgium's authority shares a preliminary draft decision regarding VRT with the other supervisory authorities concerned.
- 22 September 2025: Austria formally objects to Belgium's draft decision under Article 60(4) GDPR.
- 17 October 2025: Belgium tells the concerned authorities it considers Austria's objection relevant and reasoned on its face, but signals it does not intend to follow it.
- 21 October 2025: Belgium invites VRT and the complainant to submit written positions ahead of a potential Article 65 procedure.
- 1 December 2025: VRT submits its first set of written observations.
- 12 January 2026: noyb submits its written observations, including twelve annexes.
- 19 January 2026: VRT submits additional written observations.
- 28 January 2026: Belgium formally refers the dispute to the EDPB under Article 65(1)(a) GDPR.
- 12 March 2026: The EDPB Chair shares additional documents with VRT and noyb for transparency.
- 26 March 2026: VRT and noyb each submit further observations in response.
- 31 March 2026: The EDPB Chair and Belgium's authority jointly declare the case file complete.
- 28 May 2026: The EDPB adopts Binding Decision 1/2026 by a two-thirds majority, instructing Belgium not to dismiss the complaint.
- 14 July 2026: The binding decision is published on the EDPB's website.
Related PPC Land coverage
- Belgian DPA imposes strict measures on Mediahuis for cookie consent violations: covers the September 2024 Belgian decision against Mediahuis that the EDPB's binding decision references as a precedent for the abuse-of-law reasoning Belgium later applied to VRT.
- Belgian data protection case moves forward against DPG Media: reports on a separate Belgian proceeding where regulators rejected a similar argument that noyb-backed complaints amounted to an abusive coordinated campaign.
- Decoding Cookie Consent: a look at noyb's report: examines noyb's own analysis of how national authorities have applied the EDPB Cookie Banner Taskforce's 2023 recommendations.
- Europe's top court hands data controllers new weapon against privacy watchdogs: details the WhatsApp case establishing that companies can directly challenge EDPB binding decisions before EU courts, the same Article 65 mechanism used in the VRT dispute.
- EU Council drops cookie signal after Google lobbying - EUR 40-50 bn at stake: covers the parallel legislative fight over the EU's Digital Omnibus and proposed automated cookie consent signals.
- noyb files GDPR complaint over LinkedIn's paywall for profile visitor data: illustrates how noyb continues to use the same Article 80(1) GDPR representation mechanism at the center of the VRT dispute in more recent cases.
Summary
Who: The European Data Protection Board, Belgium's data protection authority acting as lead supervisory authority, Austria's data protection authority as the objecting concerned authority, Flemish public broadcaster VRT as the controller, and noyb, acting under a data subject's mandate, as the complainant's representative.
What: The EDPB adopted Binding Decision 1/2026, ruling that Austria's objection to Belgium's proposed dismissal of a cookie-banner complaint was relevant and reasoned, and finding on the merits that the complainant had not abused their right to lodge a complaint under Article 77 GDPR or their right to representation under Article 80(1) GDPR. The Board instructed Belgium to assess the underlying complaint against VRT on its merits rather than dismiss it.
When: The Board adopted the decision on 28 May 2026, following a dispute resolution procedure that began with Belgium's referral on 28 January 2026; the decision was published today, 14 July 2026.
Where: The dispute involved supervisory authorities in Belgium and Austria, concerning a complaint originally filed in Austria against a Belgium-based broadcaster, resolved through the EDPB's Article 65 consistency mechanism, which applies across the European Economic Area.
Why: The case tested whether cookie-banner complaints filed at scale through a privacy advocacy organisation could be dismissed as an abuse of GDPR complaint rights without any assessment of whether the underlying cookie practices actually complied with the law, a question with direct bearing on how similar complaints against other publishers and broadcasters may be handled across the EU.
Discussion