EDPB orders Belgian DPA full review of cookie banner complaint under GDPR
The European Data Protection Board (EDPB) has issued a binding decision concerning a dispute between the Belgian Data Protection Authority (DPA) and the Austrian DPA. The case revolves around a complaint filed by the Austrian NGO Noyb on behalf of an individual, regarding cookie banners used on the website of Vlaamse Radio-en Televisieomroeporganisatie (VRT), a public broadcaster in Belgium.
The Belgian DPA, acting as the Lead Supervisory Authority (LSA), initially proposed dismissing the complaint. The dismissal was based on the claim that the complaint constituted an abuse of rights under Articles 77 and 80(1) of the GDPR. However, the Austrian DPA, as the Concerned Supervisory Authority (CSA), disagreed with this approach. It argued that the complaint should not be dismissed on procedural grounds but should be examined on its merits.
The EDPB reviewed the objection raised by the Austrian DPA and found it justified. Applying the relevant GDPR provisions and guidelines, as well as the Court of Justice of the European Union’s (CJEU) criteria for abuse of rights, the EDPB concluded that the complainant did not abuse their rights. Both the objective and subjective elements required to establish abuse were absent in this case.
Consequently, the EDPB instructed the Belgian DPA not to dismiss the complaint but to assess it based on its substance. The LSA must now prepare and submit a new draft decision to the other supervisory authorities for further evaluation. This ruling highlights the EDPB’s role in ensuring consistent application of the GDPR in cross-border cases and protecting individuals’ rights under the regulation.