Iceland
GDPR implementation with criminal penalties and constitutional privacy protections
Overview
Iceland’s privacy framework is built on four foundations: full implementation of the General Data Protection Regulation (GDPR) despite not being an EU member (Iceland is part of the European Economic Area), criminal penalties of up to 3 years imprisonment for serious data protection violations (stronger than most GDPR jurisdictions), constitutional privacy protections under Article 71 of the Icelandic Constitution, and the Icelandic Modern Media Initiative (IMMI), a 2010 parliamentary resolution designed to make Iceland a “journalistic safe haven” by combining what its proponents describe as the strongest transparency and freedom of expression laws from various jurisdictions.[3]
Iceland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence alliances, though it does participate in “Tier B” focused cooperation on computer network exploitation with Five Eyes nations.[4] The country maintains a modest intelligence apparatus (the National Security Agency (Greiningardeild Ríkislögreglustjóra, GRLS) established in 2007 and a military intelligence service) but current legal powers “severely limit” police ability to counter espionage.[5]
The country’s reputation as a “data haven” and “Switzerland for data” originated from a vision articulated by Electronic Frontier Foundation founder John Perry Barlow in 2008 and has been reinforced by the IMMI framework, which inverts the traditional “tax haven” concept by combining transparency laws rather than secrecy provisions.[6] While WikiLeaks had organizational ties to Iceland and helped propose the IMMI legislation in 2010, the organization’s servers were actually hosted in Sweden, not Iceland.[7]
Iceland’s data protection authority, Persónuvernd, actively enforces GDPR requirements and has been particularly focused on protecting children’s data, investigating and fining five municipalities for using Google Cloud Services and Google Workspace for Education in schools, citing violations of the Schrems II requirements for transfers to the United States.[8]
Data Protection Authority: Persónuvernd
Structure and Leadership
Iceland’s data protection authority is Persónuvernd (Icelandic Data Protection Authority), an independent supervisory authority under Article 51 of the GDPR.[9]
Commissioner: Helga Þórisdóttir has served as head of Persónuvernd for approximately eight years (as of 2024). She holds a law degree from the University of Iceland and has 29 years in the legal profession, with previous experience at the EFTA Brussels office, Iceland’s Ministry of Education, the Icelandic Medicines Agency, and the Parliament Committee Department. She serves as a member of the European Data Protection Board (EDPB). In 2024, she ran for Icelandic president while on leave from her position.[10]
Contact Information:
- Website: www.personuvernd.is (redirects to island.is/en/o/the-data-protection-authority)
- Email: postur@personuvernd.is
- Phone: +354 510 9600
- Address: Rauðarárstígur 10, 105 Reykjavík
Enforcement Powers
Persónuvernd has full GDPR Article 58 investigative and corrective powers, including:[11]
- Requiring information from controllers and processors
- Conducting data protection audits
- Access to premises of controllers and processors
- Issuing warnings and reprimands
- Enforcing individuals’ rights (access, erasure, correction, portability)
- Issuing temporary or permanent processing bans
Administrative Penalties:
- Daily fines up to ISK 200,000
- Administrative fines from ISK 100,000 to ISK 1.2 million
- Or up to 2% of total worldwide annual turnover (whichever is higher)
- Full GDPR Article 83 fine authority applies
Case Volume
Persónuvernd has seen a considerable increase in new cases in recent years:[12]
- 2023: 2,082 cases registered
- 2024: 216 new cases (as of February 1, 2024)
In November 2023, Persónuvernd announced amendments to streamline complaint-handling procedures to reduce workload and decrease processing times in response to the increasing case volume.[13]
Legal Framework
Act No. 90/2018 on Data Protection and the Processing of Personal Data
Iceland’s primary data protection legislation is Act No. 90/2018 on Data Protection and the Processing of Personal Data, which entered into force on July 15, 2018. The act implements the GDPR in Iceland and repealed all previous pre-GDPR legislation.[14]
EEA Membership and GDPR Adoption
Iceland is not an EU member but is a member of the European Economic Area (EEA). As an EEA/EFTA country, Iceland is obligated to incorporate EU acts with EEA relevance into its national legal framework. The GDPR was incorporated into the EEA Agreement on July 6, 2018 (EEA Joint Committee Decision No. 154/2018) and entered into force in Iceland on July 20, 2018.[15]
The GDPR now applies throughout the Internal Market, including all three EEA EFTA states: Iceland, Liechtenstein, and Norway.
Criminal Penalties – Up to 3 Years Imprisonment
Iceland’s implementation of the GDPR goes beyond standard administrative fines by including serious criminal penalties under Act No. 90/2018:[16]
- Major violations: Up to 3 years imprisonment for especially serious breaches of data protection law
- DPO/Authority employee confidentiality breach: Up to 1 year imprisonment, or up to 3 years in special circumstances
- Corporate liability: Representatives or employees of legal entities can be sentenced to prison in addition to administrative fines imposed on the organization
These criminal sanctions make Iceland one of the few jurisdictions where data protection violations can result in significant prison sentences, a provision that distinguishes Iceland’s framework from most other GDPR implementations.
National Security Exceptions
Iceland’s Act No. 90/2018 adds specific national security provisions that depart from the standard GDPR framework. In particular, data breach notifications may be withheld if they would not serve national security interests or if they would deter criminal investigation or prosecution.[17]
Icelandic Modern Media Initiative (IMMI)
Overview and Passage
The Icelandic Modern Media Initiative (IMMI) was proposed in February 2010 and passed unanimously by the Icelandic Parliament (Althing) on June 16, 2010. The chief sponsor was Birgitta Jónsdóttir (Pirate Party co-founder), with key contributions from Smári McCarthy, Rop Gonggrijp, and Julian Assange.[18]
As described in the Overview, IMMI aims to make Iceland a journalistic safe haven by inverting the “tax haven” concept, creating a stronghold for investigative journalists, publishers, and watchdogs rather than a jurisdiction of secrecy.[19]
Key Protections Proposed
1. Whistleblower Protection: Whistleblower protection with a clear legal status, source protection between journalist and source, and prizes for journalists, whistleblowers, human rights activists, and publishers.[20]
2. Anti-SLAPP Legislation: Modeled on California’s anti-SLAPP law. Defendants can request a “freedom of speech” designation; if granted, the plaintiff pays all legal costs if the defendant prevails. This protects against “libel tourism,” the practice of forum shopping to jurisdictions with plaintiff-friendly defamation laws.
3. Communications Protection: Data protection enhancements, removal of data retention requirements (though not fully implemented; see Data Retention section below), and intermediary limited liability.
4. Access to Information: Freedom of information strengthening and increased transparency in government operations.
Implementation Status – Partially Implemented
IMMI’s full implementation requires changes to at least 10 laws across four ministries. The Ministry of Education, Science and Culture oversees implementation, with estimated completion originally projected as “a few years” depending on governmental will.[21]
As of 2015, Birgitta Jónsdóttir stated: “It has been a disappointment for me and many others how slowly the writing of the laws has progressed.”[22] In early 2013, the Information Act was passed, moving two IMMI goals forward, but the IMMI website states it “does not satisfy the IMMI resolution’s level of quality and assurance.”
As of early 2026, no recent information indicates completion of the full IMMI legislative package. Implementation appears ongoing but incomplete, more than 15 years after the unanimous parliamentary resolution.
Constitutional Privacy Protections
Article 71 of the Icelandic Constitution
Article 71 of Iceland’s Constitution provides comprehensive privacy protections:[23]
“Everyone shall enjoy freedom from interference with privacy, home, and family life.”
The article establishes multiple layers of protection:
1. Search and Seizure: Bodily/personal search or search of premises or possessions may only occur with a judicial decision or explicit statutory law provision.
2. Communications Privacy: Examination of documents, mail, telephone communications, and “any other comparable interference” requires judicial authorization.
3. Control Over Personal Life: The right to control one’s own life and body, and to enjoy peace regarding one’s way of life and private life.
4. State Obligations: The State must avoid interfering with privacy and personal affairs and must set legal rules to protect individuals from each other’s interference.
Permissible Limitations: Privacy may be limited by statutory provisions only if “urgently necessary for the protection of the rights of others.”
This constitutional foundation establishes a baseline for privacy rights that predates and complements Iceland’s implementation of the GDPR.
Enforcement Actions
Google Cloud Services in Schools
Persónuvernd has been particularly active in protecting children’s data, conducting multiple investigations into municipalities using Google services in primary schools without adequate safeguards for transfers to the United States following the Schrems II judgment:[24]
- City of Reykjavík: €13,270 fine for GDPR violations using Google Cloud Services in primary schools
- Kópavogur Municipality: €19,907 fine (2024) for Google Workspace for Education use
- Kópavogsbær: €26,812 fine (May 2023) for Seesaw student system transferring data to US without Schrems II protections
- Total of five municipalities investigated and fined for Google services in schools
Digital Gift Card Case (2021)
In 2021, Persónuvernd issued fines in a digital gift card case involving collection of personal data without legal basis:[25]
- Ministry of Industries and Innovation: €50,800 fine
- YAY ehf: €27,100 fine
- Violations: Collecting personal data without legal basis, processing without consent
Other Notable Enforcement (2023)
Persónuvernd issued several significant fines in 2023:[26]
- Creditinfo Lánstraust hf (July 2023): €253,400 fine for insufficient legal basis for data processing
- Íþrótta- og sýningahöllin hf (sports hall; October 2023): €23,400 fine for insufficient legal grounds for electronic surveillance involving sensitive personal data
- eCommerce 2020 ApS (loan company): €50,200 fine for sending default/personal data to a credit agency without sufficient provisions in its terms and conditions
Supreme Court Judgment 18/2024
In a significant ruling, Iceland’s Supreme Court held that a controller cannot fulfill accountability obligations by relying on inconsistent processor information, especially when data concerns children. The case involved student personal data transferred to the US despite the controller believing otherwise.[27]
Surveillance and Intelligence
Intelligence Agencies – Modest Apparatus
Iceland maintains a modest intelligence capability compared to larger nations:[28]
- National Security Agency (GRLS): Greiningardeild Ríkislögreglustjóra, established 2007. Responsible for internal intelligence activities and monitoring threats to constitutional order (terrorism, organized crime).
- Military Intelligence Service (GVSÍ): Greiningardeild Varnarmálastofnunar Íslands.
Historical context: In 1939, a State Police security department was founded to monitor Nazi scientists and communists under Prime Minister Hermann Jónasson.
As noted in the Overview, current legal powers severely limit police ability to counter espionage.[29] The National Commissioner of Police is in charge of state security matters concerning constitutional order, government agencies, and public safety.
Data Retention
The Electronic Communications Act (2003, amended 2005) requires telecommunications providers to retain user data for 6 months. Retained data includes:[30]
- Browsing history
- Telephone numbers
- IP addresses
- Usernames
- Connection data
- Data transfer amounts
Access to retained data is restricted to police and public prosecutors, only for criminal cases or public safety matters, and requires a court order or legal authorization.
Note: Expert committees have drafted bills to remove data retention requirements entirely, in line with IMMI goals, but these have not been implemented as of early 2026.
International Intelligence Cooperation
As noted in the Overview, Iceland is not part of the Five Eyes, Nine Eyes, or Fourteen Eyes alliances, though it participates in Tier B focused cooperation on computer network exploitation as a third-party contributor.[31] Other Tier B participants include: Austria, Belgium, Czechia, Denmark, Germany, Greece, Hungary, Italy, Japan, Luxembourg, Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, and Turkey.
Iceland is among nations where the NSA has authority to intercept communications of overseas targets through US companies.[32]
Iceland’s law enforcement cooperates regularly with Europol requests, consistent with EU/EEA cooperation frameworks.
Privacy Jurisdiction Analysis
Origins of the “Data Haven” Concept
As described in the Overview, the data haven concept originated with John Perry Barlow in 2008 and was implemented through IMMI’s legislative approach beginning in 2010.[33]
Iceland’s privacy framework differs from Switzerland’s in several respects: criminal penalties up to 3 years imprisonment, full GDPR implementation through EEA membership, constitutional privacy guarantees under Article 71, the IMMI framework for press freedom and whistleblower protection, and non-membership in the Fourteen Eyes alliance. However, these protections are subject to the same foreign traffic limitations common to other jurisdictions, as detailed elsewhere in this directory.
WikiLeaks Connection – Mixed
WikiLeaks had organizational ties to Iceland but did not host servers there:[34]
Organizational Connection (Verified): Julian Assange and Kristinn Hrafnsson registered “Sunshine Press Productions ehf” as a business in Iceland in 2010. WikiLeaks was described as a project of Sunshine Press, a non-profit based in Iceland. WikiLeaks helped propose IMMI legislation in February 2010.
Server Hosting (not in Iceland): As noted in the Overview, WikiLeaks servers were hosted in Sweden, not Iceland.
Legal Framework Characteristics
Key characteristics of Iceland’s privacy framework include:[35]
- Full GDPR implementation despite non-EU status
- Criminal penalties up to 3 years imprisonment for violations
- IMMI protections for journalists and whistleblowers
- Constitutional privacy protections (Article 71)
- Not part of Five/Nine/Fourteen Eyes surveillance alliances
- No MLAT (mutual legal assistance treaty) sharing of user data without valid Icelandic court order
Recent Developments
Legislative Changes (2024-2025)
Act No. 55/2024 on Free Flow of Non-Personal Data: Implemented Regulation (EU) 2018/1807 into Icelandic law. Entered into force in 2024.[39]
Police Surveillance Powers Bill (2024–2025): Justice Minister Guðrún Hafsteinsdóttir introduced a bill granting police warrantless surveillance authority over individuals suspected of connections to criminal organizations, even if they have not committed a crime. Surveillance would be permitted in public places but not inside private homes, and a special internal steering group—rather than a court—would approve each measure. Pirate Party MP Arndís Anna Kristínardóttir criticized the bill for lacking independent oversight, stating “the police are being given authority to monitor ordinary citizens who have done nothing wrong.” The bill also proposes a parliamentary monitoring group and regular reporting to the Althing.[41]
Crime Bill – Organized Crime Funding and Asset Seizure (2025): The government secured funding for 50 new police positions to combat organized crime and gang violence, with over ISK 1 billion in total funding allocated across police strengthening, special investigation teams, and operational improvements. A separate bill introduced in March 2025 by the Minister of Justice seeks to provide clearer legal authority for confiscating the proceeds of crime, including seizing and freezing funds connected to criminal activity. These measures respond to organized crime groups in Iceland roughly doubling in recent years.[42]
NIS2 Implementation – Amending the Cyber-Security Act: Iceland plans to implement the NIS2 Directive by amending its existing Cyber-Security Act 78/2019 (Öryggi net- og upplýsingakerfa mikilvægra innviða) rather than drafting new legislation. The EEA Joint Committee is expected to incorporate NIS2 into Annex XI of the EEA Agreement in autumn 2025. The scope expansion is significant: from approximately 350 critical infrastructure operators today, Iceland anticipates 3,000 to 4,000 entities will fall under NIS2 regulations, including medium-sized manufacturers, cloud services, and public administration bodies. Essential entities face fines of up to €10 million or 2% of global turnover; important entities up to €7 million or 1.4%. Supervisory authorities will also gain powers to impose daily penalties of up to ISK 10 million, publicly name non-compliant entities, and ban directors.[43]
AI Action Plan 2024–2026 (Finalized July 2025): The Ministry of Culture, Innovation and Higher Education published the final version of Iceland’s AI Action Plan on July 2, 2025. The plan contains 25 targeted measures across five pillars: AI for Society, Competitive Business Landscape, Modernized Education, Efficient Public Services, and Future-Ready Healthcare. It projects annual GDP growth between 0.8% and 6% by 2029 depending on adoption speed, potentially adding ISK 174 billion to ISK 1.45 trillion to the economy. The plan also notes that 55% of jobs are expected to undergo changes due to automation. Stakeholder consultation closed August 13, 2025, and implementation is now underway.[44]
DORA (Digital Operational Resilience Act): A draft legal framework was published in Iceland’s government consultation portal to implement Regulation (EU) 2022/2554 for the financial sector. While DORA entered application in the EU on January 17, 2025, Iceland as an EEA member is still completing national legislative proceedings. The Central Bank of Iceland intends to comply once legislation is enacted, with expected entry into force in the second half of 2025.[45]
Cyber Resilience Act (CRA): The CRA entered into force in the EU on December 10, 2024. Key EU-wide milestones include: vulnerability and incident reporting obligations from September 11, 2026, conformity assessment body rules from June 11, 2026, and main product security obligations from December 11, 2027. The CRA applies across the EEA, including Iceland, though specific national implementation timelines have not yet been published.[46]
DSA and Data Act – EEA Review Ongoing: The Digital Services Act (Regulation (EU) 2022/2065) and the Data Governance Act (Regulation (EU) 2020/868) both remain under review by the EEA and EFTA countries as of early 2026. Neither has been incorporated into the EEA Agreement, and Iceland’s national implementation process has therefore not yet begun for either regulation. Iceland, Liechtenstein, and Norway previously submitted a joint EEA EFTA Comment on the DSA during its legislative development phase. The implementation timeframe for both acts remains uncertain.[47]
National Security
First National Defense and Security Policy (November 2025): Iceland presented its first formal defense and security policy to the Althing in November 2025, a landmark for a country that has historically lacked a standing military. The policy addresses Iceland’s shifting geostrategic position, acknowledging that its North Atlantic location—once a source of security—is now its primary vulnerability. Key surveillance-relevant measures include the deployment of an unmanned surveillance submarine in cooperation with the Coast Guard to monitor submarine cables and ports, reflecting growing international concern about threats to undersea communications infrastructure. NATO Secretary General Mark Rutte welcomed the policy during a November 2025 visit, highlighting Iceland’s role in transatlantic security.[48]
Digital Infrastructure Boom
Data Centers and Submarine Cables: Iceland’s data center colocation market was valued at USD 170 million in 2024 and is projected to reach USD 375 million by 2030 (CAGR of 14.09%), driven by AI workloads and 100% renewable energy. Utilization grew by nearly 20% in 2025, with average facility occupancy exceeding 95.5%. The IRIS submarine cable (operational 2023, 145 Tbps capacity, 1,800 km to Ireland) has significantly enhanced connectivity. In 2025, Borealis Data Center and Modularity announced a partnership to build a new 100% renewable-powered AI data center with an associated submarine cable system, targeting first-phase operations by 2026. This infrastructure expansion increases both the volume of data transiting Iceland and the privacy implications of its regulatory framework.[49]
Enforcement Activity
Persónuvernd Healthcare Fine – 450,000 Medical Records: Persónuvernd imposed an administrative fine of ISK 5 million (€33,854) on Heilsugæsla höfuðborgarsvæðisins (Primary Health Care of the Capital Area), which operates 15 health care centers in the Reykjavík area. The institution managed a joint medical record system containing approximately 450,000 medical records and had entered agreements with multiple parties—including the Icelandic Transport Authority—regarding integration of medical record systems without fulfilling the authorization requirements of the Medical Register Act. Persónuvernd found that the controller could not demonstrate that processing had been authorized, that the violations concerned sensitive health information, and that the unlawful processing had been ongoing for numerous years, all of which aggravated the violation. The DPA additionally found the legal obligation so clearly stipulated that it presumed intent on the part of the controller.[50]
Persónuvernd has seen a considerable increase in new cases in recent years and continues to focus on:[40]
- Google services in schools (ongoing investigations)
- Enforcement of Schrems II requirements for US data transfers
- Protection of children’s data
- Financial services compliance
As noted in the Data Protection Authority section, Persónuvernd announced procedural changes in November 2023 to streamline complaint-handling and reduce processing times.
