Key Data Privacy and Cybersecurity Laws
How are data privacy and cybersecurity laws/regulations implemented?

Last review date: 27 December 2023

☒ omnibus – all personal data
☒ sector-specific

E.g., telecoms, public healthcare and welfare, local government, law enforcement, legal procedures, financial, insurance

☒ constitutional

What are the key data privacy laws and regulations?

Last review date: 27 December 2023

Act No. 90/2018 on Data Protection and Processing of Personal Data ("Data Protection Act") implementing the GDPR into Icelandic law. 

Rules No. 50/2023 on Electronic Surveillance, established pursuant to the authorization outlined in Paragraph 5 of Article 14 of the Data Protection Act.

Regulation No. 606/2023 on the Processing of Information on Financial Matters and Creditworthiness, established pursuant to the authorization outlined in Paragraph 2 of Article 15 of the Data Protection Act.

Rules No. 1150/2023 on the Procedure for the Icelandic Data Protection Authority, established pursuant to the authorization in Paragraph 3 of Article 38 of the Data Protection Act.

What are the key cybersecurity laws and regulations?

Last review date: 27 December 2023

Act No. 70/2022 on Electronic Communications ("Electronic Communications Act") which implements Directive (EU) 2018/1978 establishing the European Electronic Communications Code into Icelandic law and Act No. 75/2021 on the Electronic Communication Office, which addresses the role of the supervisory authority in Iceland.

Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructures (“Network Security Act”) implementing Directive (EU) 2016/1148 concerning Measures for a High Common Level of Security of Network and Information Systems across the Union ("NIS Directive") into Icelandic legislation and Regulation No. 866/2020 on the Security of Network and Information Systems of Operators of Essential Services set on the basis of the provisions of Act No. 78/2019.

Rules No. 720/2023 on the General Authorization to Operate Electronic Communications or Provide Electronic Communications Services, established pursuant to the authorization outlined in Paragraph 4 of Article 7 of the Electronic Communications Act.

Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?

Last review date: 27 December 2023

Yes.

On 10 January 2017, the European Commission published a proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (ePrivacy Regulation). In February 2021, after four years of reviews and negotiations, the Council of the European Union accepted the latest draft of the ePrivacy Regulation to take into trilogue. Given the difficult negotiation process, it is currently unclear how long this trilogue will take. In any case, once adopted, the new regulation will not apply for another two years, as the transition period is expected to last until 2025.

Moreover, on 23 February 2022, the European Commission submitted a proposal for a Regulation tailored to harmonize rules on the fair access and use of data generated in the European Union across all economic sectors ("Data Act"). The Data Act is still awaiting a legislative proposal from the Council and the European Parliament. In any case, once adopted, the new regulation will not apply for another year.

In addition, on 13 December 2022 the European Commission launched a draft adequacy decision for the EU-U.S. Data Privacy Framework, which will ensure safe trans-Atlantic data flows. The draft adequacy decision, which reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board ("EDPB") for its opinion. The Commission will then seek approval from a committee composed of representatives of the EU Member States. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.

Specific laws regarding certain types of processing of personal data and sectors are also expected.

At national level, no significant changes are anticipated. This fall, a bill was proposed to amend the Electronic Communications Act. The bill highlights the necessity for a new provision focusing on open access to electronic communications networks that have received state aid. Its objectives include establishing fresh standards for pricing such networks and granting the Electronic Communications Office of Iceland ("ECOI") the authority to resolve disputes. The bill also seeks to authorize ECOI to exempt cases from the requirement of wholesale access based on price comparison, particularly when the intended use of the electronic communications network does not support such wholesale pricing. Furthermore, an amendment to Act No. 75/2021 on the Electronic Communication Office is anticipated. The amendment aims to incorporate a special duty of confidentiality regarding data and information related to internet security within the field of electronic communications. A similar provision can be found in the Electronic Communications Act and the Network Security Act. However, these bills have not yet been approved and are still in the early stages.

There is also a bill in progress to amend the Data Protection Act, aiming to prohibit the dissemination of information concerning the financial matters and creditworthiness of individuals. However, since it is at an early stage, there is no guarantee that the bill will be approved.