On July 14, 2026, the European Data Protection Board published Binding Decision 1/2026 under Article 65(1)(a) GDPR, forcing the Belgian Data Protection Authority to rule on the substance of a NOYB cookie-banner complaint instead of dismissing it as an abuse of rights. Adopted on May 28, 2026 and made public on July 14, 2026, the decision instructs the Belgian DPA, acting as Lead Supervisory Authority (LSA), to assess the complaint on its merits and submit a new draft decision to the concerned supervisory authorities under Article 60(3) GDPR.
The complaint was lodged with the Austrian DPA by the NGO NOYB on behalf of an individual, targeting the cookie banners deployed on the website of VRT, the Flemish public broadcaster. Because VRT is established in Belgium, the Belgian DPA took the lead under the one-stop-shop mechanism, while the Austrian DPA acted as Concerned Supervisory Authority (CSA).
Why did the Belgian DPA try to dismiss the complaint?
The Belgian DPA's draft decision proposed to reject the case on procedural grounds, arguing that the complainant had abused the right to lodge a complaint under Article 77 GDPR and the right to mandate a representative under Article 80(1) GDPR. The Austrian DPA objected, contending the LSA should decide the case on its merits rather than throw it out on procedure. When the Belgian DPA declined to follow the objection, it referred the dispute to the EDPB under the Article 65(1)(a) dispute-resolution mechanism, the channel meant to ensure consistent GDPR application in cross-border cases.
What did the EDPB decide on the abuse-of-rights argument?
The EDPB first confirmed the Austrian objection was relevant and reasoned within the meaning of Article 4(24) GDPR, applying its Guidelines 09/2020 on the relevant and reasoned objection, and assessed it on the merits. It then applied the CJEU test for alleged abuse of rights and found that the complainant had not abused Article 77 or Article 80(1) GDPR, because neither the objective nor the subjective components needed to prove such abuse were demonstrated. The EDPB therefore instructed the LSA not to dismiss the complaint but to examine it on its substance.
Who is impacted, and what should compliance teams do now?
The decision lands squarely on DPOs and privacy compliance teams at every EU-facing company operating a cookie banner, as well as on consent management platform (CMP) vendors and adtech actors whose consent flows now face heightened enforcement risk. The practical signal is that lead authorities cannot sidestep NOYB-style cookie-banner complaints by invoking abuse of rights at the procedural stage: the merits, including whether consent is freely given, specific and informed under the ePrivacy Directive and the GDPR, must be adjudicated.
Three immediate actions follow. First, audit your cookie consent flows against EDPB guidance on deceptive consent designs, because a complaint that survives procedural dismissal will be assessed on whether the banner itself complies. Second, review whether your CMP relies on dark patterns or pre-ticked boxes that a supervisory authority would now have to scrutinize on substance. Third, document the lawful basis and consent-capture mechanism for each tracking technology, so you can defend the merits if a complaint reaches your lead authority.
| Stage | What happened | Legal basis |
|---|---|---|
| Complaint filed | NOYB lodges complaint with Austrian DPA over VRT cookie banners | Art. 77 + Art. 80(1) GDPR |
| Lead authority draft | Belgian DPA (LSA) proposes to dismiss for abuse of rights | Art. 60(3) GDPR |
| CSA objection | Austrian DPA objects, demands a decision on the merits | Art. 4(24) GDPR |
| EDPB binding decision | EDPB finds no abuse, orders the LSA to rule on the merits | Art. 65(1)(a) GDPR |
Take advantage of this real-time watch
The Belgian DPA must now issue a new draft decision on the substance of the VRT cookie-banner complaint and circulate it under the one-stop-shop cooperation procedure. Expect the EDPB's reasoning to be cited in further NOYB cookie-banner complaints across the EU, narrowing the procedural exit routes for lead authorities. Continuous, per-jurisdiction real-time monitoring surfaces this kind of enforcement shift the moment it publishes, so your team is not caught reviewing a consent flow only after a complaint lands.


