EDPB Decision Opens Floodgates to Activist Driven Complaints
On 14 July 2026, the European Data Protection Board (EDPB) published Binding Decision 1/2026, which will be unwelcome news to businesses subject to the General Data Protection Regulation (GDPR). The decision concerned a dispute between the Austrian and Belgian Data Protection Authorities regarding the latter’s handling of a cookie-banner complaint brought against Flemish public broadcaster VRT by NOYB, acting as a representative on behalf of an individual under Article 80(1) GDPR. The Belgian Data Protection Authority (DPA) had dismissed the complaint on the basis that it was clearly driven by NOYB, rather than the individual on behalf of whom it was ostensibly made. The EDPB overturned this and instructed the Belgian DPA to assess the complaint on its merits. For businesses, the EDPB’s rationale is unwelcome news — and the implications extend far beyond a single broadcaster’s cookie banner.
The Background
The complaint against VRT was one of hundreds lodged by NOYB, acting as a representative, as part of its self-styled "Cookie Banner Complaints" project, an initiative that used automated software to identify allegedly non-compliant cookie banners and generate standardised complaints at scale. For the purpose of this complaint against VRT, NOYB sourced an individual who could mandate NOYB to lodge a complaint to the Austrian DPA, which then transferred the complaint to the Belgian DPA in its capacity as the lead supervisory authority for VRT.
The Belgian DPA took a dim view of this arrangement. In a series of decisions in 2024 and 2025, it concluded that NOYB had engaged in an abusive use of the right to lodge complaints. It determined that NOYB had effectively “provoked” the alleged GDPR breaches by directing its own staff members to visit specific websites previously identified by NOYB as having non-compliant cookie banners, thereby qualifying them as data subjects on behalf of whom complaints could be lodged, based on pre-prepared mandates. The Belgian DPA held that the initiative for the complaints came from NOYB, not from the complainants themselves. This was, in the regulator's words, a case where the representative body had artificially created its own standing to pursue its policy objectives.
The EDPB's Decision
The EDPB disagreed with the Belgian DPA. Its decision sets out a detailed consideration of relevant CJEU case law (including the recently delivered Brillen Rottler ruling) regarding the abuse of rights, which requires consideration of whether alleged abuse involves both an objective and a subjective component. According to the EDPB:
- where a complaint is brought by a representative on behalf of a data subject, when considering whether the complaint is an abuse of law, DPAs should not distinguish the objective pursued by the data subject from the objective pursued by the representative, they should be construed holistically;
- where a DPA is minded to dismiss a complaint on the basis that it is abusive, the onus is on the DPA to be able to sufficiently demonstrate the existence of such abuse;
- there was no concrete evidence to support the view that NOYB’s policy objectives were linked to interests other than those of the individual data subject, such as strategic objectives of the board or the wishes of donors to NOYB;
- based on the documents made available to the EDPB, there were “insufficient elements to conclude that NOYB has pursued its own interests and not those of the data subject, or that the data subject has been instructed on how to act without being part of the initiative behind the complaint”.
Why This Matters for Business
The practical consequence of this decision is clear: it sets a very high bar for DPAs to dismiss representative complaints on the basis that they are an abuse of rights. This will make it difficult for businesses to persuade DPAs to dismiss complaints brought by representatives against them, even when it is clear that the protagonist in the complaint is the representative, rather than the individual on behalf of whom the complaint ostensibly is made.
This opens the door to a model of enforcement that many businesses will find deeply troubling. NOYB was transparent about its approach for the Cookie Banner Complaints project. It developed automated systems capable of scanning websites for potentially non-compliant practices and generating thousands of complaints, filed ostensibly on behalf of individuals recruited by NOYB to the cause. As the Belgian DPA itself observed, the complainants in these cases were often not part of the target audience of the websites in question and had never previously exercised their rights with the relevant controllers. The entire infrastructure for these complaints was designed, constructed, and operated by NOYB, with individual data subjects slotted into the process to provide the jurisdictional trigger that Article 80(1) requires. The EDPB decided that, based on the information provided to it, this did not entitle a DPA to dismiss complaints arising from this process.
Any activist body can replicate this model at scale to pursue a wide range of potential complaints under the GDPR. Based on the principle set out in the EDPB’s decision, a DPA will not be able to dismiss such complaints on the ground that they are an abuse of process, unless the DPA can overcome the burden of proof that the EDPB determined the Belgian DPA had failed to meet in connection with this specific complaint. This will make it harder for businesses to counteract industrialised GDPR complaints led by activist representatives.
This content has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.


Select how you would like to share using the options below