Iceland

Overview

Iceland ranks #1 globally for internet freedom (Freedom House) and has among the strictest internet privacy laws. Full GDPR implementation through the EEA, criminal penalties up to 3 years imprisonment for data protection violations, constitutional privacy under Article 71, and the IMMI (Icelandic Modern Media Initiative) framework designed to create a “journalistic safe haven.”^[1]

However, Iceland is not a Five/Nine/Fourteen Eyes member but participates as a Tier B third-party contributor on computer network exploitation with Five Eyes nations. Its submarine cables (DANICE, CANTAT-3, Greenland Connect) transit through Denmark and the UK — both with documented cable-tapping programmes (FE/XKeyscore, GCHQ/Tempora) — meaning Icelandic traffic is subject to interception before reaching its destination. In November 2025, Iceland presented its first formal defense and security policy, including deployment of an unmanned surveillance submarine to monitor submarine cables.^[2][3]

Privacy Framework

Persónuvernd enforces GDPR through the EEA with fines and criminal prosecution (up to 3 years). Notable: fined five municipalities for using Google Cloud/Workspace in schools (Schrems II violations), and ISK 5M fine against Primary Health Care of the Capital Area for unlawful integration of ~450,000 medical records. Disputes fall under the EFTA Court, not CJEU. Act No. 90/2018 implements the GDPR with national derogations for public interest processing, research, and journalism. National security processing is governed under separate classified frameworks exempt from the Act.^[4][5]

IMMI (Icelandic Modern Media Initiative)

Passed unanimously by the Althing on June 16, 2010, IMMI inverts the “tax haven” concept by combining the strongest transparency and press freedom laws from various jurisdictions. Key protections include whistleblower protection modelled on the best international standards, source protection, intermediary liability limitations, and prior restraint restrictions. WikiLeaks helped propose the legislation but hosted servers in Sweden, not Iceland. Implementation has been partial — whistleblower protection was enacted in 2020 (Act 40/2020), but source protection and intermediary liability reforms remain pending.^[6]

Surveillance and Intelligence

Intelligence: Modest Apparatus

GRLS (National Security Agency, established 2007): Internal intelligence, monitoring threats to constitutional order. A military intelligence service (GVSÍ) also operates. Current legal powers “severely limit” police ability to counter espionage. Iceland is among nations where the NSA has authority to intercept communications of overseas targets through US companies.^[7]

Cable Transit Exposure

All of Iceland’s submarine cables transit through countries with documented cable-tapping programmes. DANICE (to Denmark, where FE/XKeyscore operates), CANTAT-3 (to Canada/UK/Denmark/Germany), and Greenland Connect (through Denmark) expose Icelandic traffic to interception at every transit point. The IRIS cable (operational 2023, 145 Tbps, to Ireland) provides a newer route but still transits through UK-controlled waters. Iceland has no independent capability to monitor, regulate, or detect such interception.^[3]

Police Surveillance Powers Bill (2024–2025)

The Justice Minister introduced a bill granting police warrantless surveillance authority over individuals suspected of connections to criminal organisations, even if they have not committed a crime. An internal steering group — not a court — would approve each measure. Pirate Party MP criticised the bill for lacking independent oversight: “the police are being given authority to monitor ordinary citizens who have done nothing wrong.”^[8]

Data Retention

The Electronic Communications Act requires 6-month retention of browsing history, phone numbers, IP addresses, usernames, connection data, and transfer amounts. Access requires a court order, restricted to police and prosecutors for criminal cases or public safety. Expert committees have drafted bills to remove retention entirely (IMMI-aligned), but these have not been implemented.^[9]

International Cooperation

Tier B focused cooperation on computer network exploitation with Five Eyes nations, alongside Austria, Belgium, Germany, Japan, and others. Cooperates with Europol under EEA frameworks. Iceland does not have a formal bilateral MLAT with the United States — MLA operates through Council of Europe conventions and EEA frameworks; no sharing of user data without a valid Icelandic court order.^[2]

Recent Developments

First Defense and Security Policy (November 2025): Iceland’s first formal policy, acknowledging its North Atlantic location as its primary vulnerability. Deploys an unmanned surveillance submarine to monitor submarine cables and ports. NATO Secretary General Rutte welcomed the policy during a November 2025 visit.^[10]

Police Warrantless Surveillance Bill: Proposed authority to monitor individuals connected to criminal organisations without a crime being committed and without judicial oversight.^[8]

Digital Infrastructure Boom: Data centre market valued at USD 170M (2024), projected USD 375M by 2030, driven by AI workloads and 100% renewable energy. The IRIS cable (145 Tbps to Ireland) enhanced connectivity. New AI data centre with associated submarine cable announced for 2026.^[11]

Healthcare Records Fine: Persónuvernd imposed ISK 5M on Primary Health Care of the Capital Area for unlawful integration of ~450,000 medical records with multiple parties including the Transport Authority.^[5]

Sources