Cookies: EDPB orders Belgian DPA to decide the merits in the VRT case
On 14 July 2026, the EDPB ordered the Belgian DPA to rule on the merits of NOYB’s complaint against VRT’s cookie banner, rejecting the abuse-of-rights argument. A signal for CNPD oversight and consent practices in Luxembourg.
Summary — The European Data Protection Board (EDPB) issued a binding decision requiring the Belgian Data Protection Authority (APD) to rule on the merits of NOYB’s complaint concerning VRT’s cookie banners. The “abuse of rights” argument is dismissed; the APD must assess consent compliance.
Facts
On 14 July 2026, the EDPB published a decision (dated 28 May 2026) in a cross-border case between the APD, acting as lead supervisory authority, and the Austrian authority, regarding a NOYB complaint against VRT. The EDPB rejected closing the case for alleged “abuse of rights” under GDPR Articles 77 and 80(1) and ordered the APD to issue a decision on the merits under Article 60(3) GDPR.
An APD information notice of 13 July 2026, within the “Cookie Banner Project,” confirms the obligation to examine the material compliance of banners.
Legal framework and basis
- Article 65(1)(a) GDPR – Dispute resolution mechanism used to settle the divergence between the APD and the Austrian authority.
- Articles 77 and 80(1) GDPR – Right to lodge a complaint and representation: the EDPB rejects “abuse of rights” and requires a merits assessment.
- Article 60(3) GDPR – The APD must submit a new draft decision to the concerned authorities.
- Article 4(24) GDPR – “Relevant and reasoned objection” concept, upholding the Austrian authority’s objection.
The decision does not impose fines or liability at this stage, but it sets a clear procedural path for national authorities, including Luxembourg’s CNPD, in cookie banner complaints. For a refresher on the framework, see our page on GDPR requirements.
What this means for Luxembourg businesses
- Substantive review of banners – The abuse-of-rights filter will no longer easily dismiss structural complaints. Expect a material check of choices offered, banner design, and consent traceability in the context of GDPR compliance in Luxembourg.
- Spillover to the CNPD – Stronger evidence requests on CMPs and potential reviews of prior dismissals.
- Timelines and exposure – Findings of unlawfulness may quickly lead to orders and fines; less tolerance for dark patterns and for the absence of a “Reject all” button equivalent to “Accept all.”
Need help structuring these workstreams and formalising governance? Entrust the DPO mandate and GDPR coordination to our certified experts.
Sources
- EDPB – 14 July 2026, binding decision under Article 65(1)(a) GDPR
- APD/notice via Publicnow – 13 July 2026, “Cookie Banner Project” context
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →