Clifford Chance

On 26 June 2025, the Litigation Chamber of the Belgian Data Protection Authority (APD) delivered a notable set of decisions, dismissing no less than 16 complaints lodged by the Austrian data protection advocacy group None of Your Business (NOYB) against prominent companies. These decisions have sparked considerable debate about GDPR enforcement and the appropriate role of privacy advocacy groups in initiating regulatory actions. [Decisions nr. 106/2025, 107/2025, 108/2025, 109/2025 and 110/2025 of 26 June 2025].

Context of the Decision

The complaints, initiated under NOYB’s "Cookie Banner Complaints" project, alleged various breaches of GDPR rules related to cookie consent banners on websites. Crucially, NOYB relied on automated software not only to detect potential non-compliance, but also to generate the complaints themselves. This process involved the software systematically scanning websites for possible GDPR infringements and then automatically producing standardised complaints based on the findings. Subsequently, NOYB enrolled its own employees as complainants to file these automatically generated claims against the companies involved - resulting in what is, perhaps ironically, a perfect example of 'cookie-cutter' complaints.

Importantly, the APD’s decisions do not address the technical or substantive merits of the alleged cookie consent violations. The focus of the decisions is exclusively on the procedural admissibility and the representational legitimacy of the complaints. The underlying data protection issues and the lawfulness of the cookie consent mechanisms themselves were not examined or assessed. 

The Decision

The APD concluded that the approach taken by NOYB constituted an abuse of the right to lodge complaints under GDPR Articles 77 and 80(1). While the formal conditions for filing complaints were met, the APD found that the substantive purpose of these GDPR provisions had been undermined. This approach is rooted in the current Belgian implementation of Article 80 GDPR, which does not (yet) allow for complaints by associations without a direct mandate from a data subject - unlike the position in some other EU Member States.

APD’s legal reasoning

Relying on established jurisprudence from the Court of Justice of the European Union, such as CJEU, Case C-116/16, T Danmark (2019), the APD articulated two critical criteria for abuse of rights:

1.      Objective criterion: Despite compliance with formal legal requirements, the intent and purpose behind these requirements are not genuinely met.

2.      Subjective criterion: The intentional creation or exploitation of legal conditions to derive an undue advantage which was not envisioned by the legislators.

The APD identified several objective elements to support its conclusion:

• The automated and standardized format of the complaints;
• The lack of prior interaction or genuine concern from complainants with respect to the defendants’ websites;
• The employment relationship between complainants and NOYB, potentially limiting independent judgement;
• The fact that complainants had been proactively instructed by NOYB to "become data subjects" by visiting specific websites explicitly to generate complaints.

Additionally, the APD emphasized the subjective dimension, finding NOYB deliberately engineered circumstances to artificially create standing, effectively circumventing Belgian law, which does not allow independent action by associations without direct mandates from data subjects.

Refocusing on actual harm and Data Subject interests

While much of the commentary on the APD’s decisions has focused on procedural aspects and NGO standing, the dismissals have also reignited discussions around the extent to which certain activist-driven complaints align with the fundamental aims of the GDPR: empowering individuals in relation to their personal data and protecting them from privacy-related harm. This perspective is echoed in the APD's own words, as articulated in Decision 106/2025: "(..)  a representative (…)  must give priority to the interests of the person or persons it represents and not (solely) pursue its own political objectives" (Paragraph 26)[1].

By identifying NOYB’s complaints as procedural constructs rather than reflections of genuine grievances, the APD's decision has not only spotlighted differences in EU Member State approaches to allowing association-driven complaints, but also renewed focus on the issue of allocation of regulatory resources. For many, the dismissals align with a wider philosophy that regulators should prioritise substantial harms over technical non-compliance that is detached from the concerns of the relevant data subjects.

Comparative view and legislative opportunities

The APD’s decision, based on NOYB's lack of standing under Belgian law, contrasts notably with the position in other European jurisdictions, such as France, where organizations have broader rights to initiate collective actions without a mandate of a data subject, due to the ways in which Member States have implemented Article 80(2) GDPR. For example, France’s GDPR implementation allows qualified associations to file complaints independently.

Yet, the APD's decision highlights an important issue: association-driven complaints do not always reflect genuine individual grievances or address systemic issues with clear implications for data subject welfare.

With enforcement resources already stretched thin, many data protection authorities are in principle opposed to diverting attention away from critical privacy concerns in order to address technical violations without demonstrable harm or risks to individuals. Indeed, there appears to be increasing alignment between regulators, industry and individuals that, if GDPR enforcement becomes a technical exercise abstracted from the privacy concerns of individuals, it may weaken the public trust and confidence that data protection authorities are serving the interests of data subjects.

The APD explicitly recognized its willingness to support legislative reform to  Belgian law to include the ability for organisations to bring complaints independently of a data subject's mandate, pursuant to Article 80(2) GDPR. Such reform would enable organisations to independently pursue systemic issues, but could also leave the door open for actions that many may consider to be a technical exercise, detached from actual individual concerns. Until such reform is enacted, the APD is likely to continue dismissing similar complaints unless they are clearly grounded in genuine data subject grievances. A live issue is how data protection authorities who are not required to dismiss association-driven complaints are prioritising and dealing with these where they focus on arguably lower-risk issues.

Practical implications and outlook

For organisations, these decisions may provide greater certainty in the face of mass or automated complaints, but they also raise questions about the future role of advocacy groups in GDPR enforcement in Belgium. It is important to note that the APD’s decisions are not binding on other EU data protection authorities, and the approach to NGO standing remains divergent across the EU. Whether these decisions will be subject to further appeal, or whether legislative reform in Belgium will alter the landscape for association-driven complaints, remains to be seen. In the meantime, organisations should continue to monitor developments in this area, particularly as approaches to NGO standing and the prioritisation of regulatory resources continue to diverge across the EU.

More broadly, the APD’s dismissal of NOYB’s cookie complaints has served as an arguably necessary reminder: GDPR enforcement is fundamentally about protecting individuals from harm and safeguarding their privacy rights. For authorities and privacy advocates alike,  ensuring that their actions consistently align with this underlying goal may prove to be key to preserving public trust and ensuring the GDPR’s effectiveness as a practical safeguard for individual data subjects.

Note

[1]      Original: "Néanmoins, un représentant - selon la lettre et l’esprit de l’article 80.1 du RGPD - doit donner la priorité aux intérêts de la personne ou des personnes qu’il représente et pas (uniquement) poursuivre ses propres objectifs politiques.