WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Republic of Iceland

Republic of Iceland

Constitutional Privacy Framework

The Icelandic Constitution recognizes the right of privacy. Article 71 of the Constitution states, “Everyone shall enjoy freedom from interference with privacy, home, and family life. Bodily or personal search or a search of a person's premises or possessions may only be conducted in accordance with a judicial decision or a statutory law provision. This shall also apply to the examination of documents and mail, communications by telephone and other means, and to any other comparable interference with a person's right to privacy. Notwithstanding the provisions of the first paragraph above, freedom from interference with privacy, home and family life may be otherwise limited by statutory provisions if this is urgently necessary for the protection of the rights of others.”[2770]

Data Protection Framework

As a member of the European Free Trade Association (EFTA), Iceland is obliged to ensure that its laws, in certain fields, are compatible with those of the European Union (EU). On January 1, 2001, the Act on the Protection of Privacy as regards the Processing of Personal Data came into force. The Act replaced the Registration and Processing of Personal Data of 1989 (as amended) and was adopted to bring Iceland's data protection regime into compliance with the EU Data Protection Directive (1995/46/EC).[2771] It covers both automated and manual processing of personal information. It distinguishes between sensitive and non-sensitive data and includes specific restrictions on the use of video surveillance and national identification numbers. It instructs the Statistical Bureau of Iceland to maintain a registry of individuals not willing to allow the use of their names for marketing purposes.[2772]

Data Protection Authority

The Act established a new independent Data Protection Authority (Persónuvernd or DPA) to replace the former Data Protection Commission.[2773] Persónuvernd supervises implementation and compliance with the Act and any pursuant regulations or orders. It maintains the registry of activities and can investigate and issue rulings. It can impose fines for non-compliance and can seek criminal sanctions. The DPA is also responsible for supervising the handling of personal information in the Schengen Information System.[2774] Persónuvernd also has the authority to issue public guidelines and regulations. Over the last few years it has issued rules on consent, notification, security assessments, and systematic safety measures.[2775]

In September of 2006, the DPA’s rule on Electronic Surveillance came into force. The rule prohibits discreet surveillance “in the workplace, in schools, and in other areas generally traversed by a limited number of people” unless the surveillance is based on a legal act or a court order. In addition, the surveillance activity must meet the requirements of the rule, which include notice to individuals, collection and use limitations, storage, disclosure and erasure provisions, and the right of individuals to access collected data relating to him or her. The DPA must be notified of all surveillance activities, and can order cessation of electronic surveillance that violates the rule.[2776]

Persónuvernd handled 764 new cases in 2006.[2777] Altogether Persónuvernd handled 820 cases of which 685 were solved. Out of these 820 cases, 331 were complaints and questions from individuals, data controllers and institutions that were either solved with an opinion or a decision, some of them concerning bills or administrative regulations. During this time, Persónuvernd was involved in 29 investigations. There was in increase in cases concerning foreign collaboration and processing of personal data that requires a permit from the Icelandic Data Protection Authority. As of 2006, there are eight full-time staff.[2778]

National ID System

Every individual's identity (ID) number is publicly available and widely used, along with names, addresses and other personal information. For instance, day-to-day activities such as video rental are based on the personal ID numbers. This has implications for the privacy of sensitive data, which registration is based on the same personal ID numbers, facilitating the task of intruders and abusers of the data. The open access to personal ID numbers requires stronger privacy protections. Instead, several recent laws have been enacted that allow the creation of databases including sensitive personal information. Privacy advocates have criticized this trend, and said that the government has prioritized corporate interests over those of individuals concerned about the use of their personal data.

Medical and Genetic Privacy

In December 1998, the Parliament approved the Health Sector Database Act to create a nationwide centralized database of medical records to be used for genetic research.[2779] In January 2000, the Minister of Health granted an exclusive 12-year license to operate that database to Íslensk Erfðagreining ehf, the Icelandic subsidiary of American bio-tech company deCODE Genetics, Inc.[2780] The database would incorporate non-personally identifiable data derived from the medical records held by Iceland's health services. Patients were granted a right to opt-out of the database by notifying the Director General of Public Health, and over 20,000 had chosen to opt-out of the database by June 2001.[2781] The database is to be used to "develop new or improved methods of achieving better health, prediction, diagnosis and treatment of disease, to seek the most economic ways of operating health services, and for making reports in the health sector." Measures to ensure security and privacy in the operation of the database must meet standards and conditions set out by the DPA. In 2000, the DPA issued regulations on the general security terms.[2782]

This proposal has been very controversial and is hotly debated both in Iceland and with medical and privacy experts around the world. In Iceland, the Association of Icelanders for Ethics in Science and Medicine (Mannvernd) led the opposition to the project. The Icelandic Medical Association is also opposed the effort and many doctors refused to hand over their patients' records without consent.[2783] In April 1999, the World Medical Association supported the Icelandic Medical Association's opposition to the database,[2784] and adopted in 2002 a Declaration on Health Databases[2785] that protects patients' interests with regard to the creation of central health databases.[2786] At their annual meeting in Santiago de Compostela, Spain, in September 1998, the European Data Protection Commissioners recommended that the Icelandic authorities reconsider the project in light of the fundamental principles laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Council of Europe's Convention No. 108) and its Recommendation (97) 5 on Medical Data, and the EU Data Protection Directive. In 1998, at the request of the Icelandic Medical Association, security expert Dr. Ross Anderson evaluated the proposed system. He concluded that the privacy and ethical implications of the proposed database were "outside the boundaries of what would be acceptable elsewhere in Europe" and advised the association to oppose its establishment.[2787]

Since 2002, development on the database has been postponed, as the company has been unable to come to an agreement with the Icelandic DPA or Iceland's National Bioethics Committee about proposed uses of the data, and the company has been unable to establish who would fund the project.[2788]

In November 2003, the Icelandic Supreme Court issued a key ruling[2789] that transfer of a dead patient's health data to the proposed database would infringe the privacy rights of the deceased's descendants, casting further doubt over the feasibility of the Health Sector Database. The court ruled in favor of an 18-year old who sought to prevent the transfer of her dead father's health records, ending her 4-year fight for this right. Even though the data would be anonymous and encrypted, information about the child could be inferred from data related to the father's hereditary characteristics. The court also noted that linkage with other genetic and genealogical databases increased the possibility of improper identification.[2790] In its judgment, the court noted that it was unclear what information in the HSD would be encrypted, and that persons could be identified from medical record data other than names and adresses. Futhermore, the law did not adequately ensure that health information in the database would not be personally identifiable, in spite of the law repeatedly claiming so. The court concluded that: "even though individual provisions of Act No. 139/1998 repeatedly stipulate that health information in the Health Sector Database should be non-personally identifiable, it is far from adequately ensured under statutory law that this stated objective will be achieved." In light of these circumstances, and taking into account the principles of Icelandic law concerning the confidentiality and protection of privacy, the Court concluded that the right of the 18-year-old in this matter must be recognized, and her court claims, therefore, upheld.

The court's ruling suggests that the 1998 Health Sector Database Act may be unconstitutional, being contrary to the Constitution's privacy clause, and killed whatever was left of deCODE's original project to create a country-wide computerized database of medical records.[2791] It also sets a precedent for the privacy rights of the deceased.

While the law and the license are still in effect, the Health Sector Database (HSD) has not been created, i.e. data has not been entered into the database. The licensee, deCODE Genetics, does not expect to operate the database and has therefore reversed the license fee in its accounts in the annual report.[2792] DeCODE puts the blame on the Data Protection Authority (DPA) for lack of security clearance, and on the main Icelandic hospital, the Landspítali National University Hospital for the lack of agreement about access to medical records therein. The DPA, on the other hand, claims that deCODE repeatedly changed the design of the database, requiring revision of the security requirements. The hospital doctors actively opposed the transfer of medical record data without patient consent. In its annual report to the U.S. Security and Exchange Commission,[2793] deCODE explained that it had not obtained a data transfer agreements with the National University Hospital (NUH). DeCODE stated, "No such agreement with the NUH has been consummated, and the IHD has not been commercialized primarily because the Icelandic Data Protection Authority has not issued the required security certification."

In May 2000, the Government enacted the Act on Biobanks.[2794] This Act sets rules for the "collection, keeping, handling and utilization of biological samples from human beings" to ensure confidentiality and prohibit discrimination. The Act requires informed consent from the person for the collection of samples. However, this requirement does not apply to samples in biobanks that already exist. In certain cases, the specimens can even be used for research in spite of the donor's opposition.[2795] The Act came into force in January 2001.

In 2003, the Parliament passed a bill on prescription databases, permitting the State Health Insurance Institution (the Institution) to register data from all doctors' prescriptions of medicines. The purpose of creating such a database is to prevent abuse of prescription drugs and to give an overview of the nation's drug consumption. The Director of Public Health will control access to personal data. As a result of the DPA's opposition to the draft bill, the bill was modified to implement encryption means to protect the personal data. Mannvernd pointed out that the Director of Public Health had no need to have access to information about most of the medicines and prescriptions covered by the Act, since there was no potential of abuse or threat to the health of the population, and that the collection of sensitive information by the State Health Insurance Organization would compromise the integrity of that establishment, thereby endangering the trust of their clients. Mannvernd additionally argued that there was a danger that the database could be used later for different purposes than the original ones, as this had already been the case in the past. It recommended that sensitive information only be collected in case of absolute necessity.

In April 2005, the Institution announced it was going to increase surveillance, both of disability payment recipients and of their doctors.[2796] The medical director of the Institution claimed in the media that recipients lie and pretend to live alone or not to work, in order to receive higher disability payments. The same director also demanded access to doctors' medical records, in order to verify patient contact as a basis for doctors' claims for reimbursement.[2797] Patients complain that they find it difficult to rely on the institution for disability payments when it also has a triple surveillance role (monitoring the disabled, the doctors and prescriptions) in addition to the health insurance role. In addition to Mannvernd, the Icelandic Federation of Lawyers has worked as an advocate for privacy interests in Iceland in certain instances.

Travel and Immigration Surveillance

In June 2001, Keflavik International Airport began incorporating facial recognition software, FaceIT, into its video surveillance system. A police spokesperson said that the surveillance was being used to "identify known criminals and false asylum seekers" without disturbing European citizens' rights to travel freely under the Schengen Agreement.[2798]

In 2003, the Minister of Justice passed a Regulation on Foreigners, No. 53/2003, requiring lodging businesses such as hotels, hostels, or camps to maintain registers of their guests. These registers are to be retained for two years and may be accessed by the police at any time. This provision is based on Article 54 of the Act on Foreigners, No. 96/2002, authorizing the Minister of Justice to pass rules governing the duties of lodgers. The rule might also be construed to apply to private homes, lodging foreign guests, requiring notification to the Directorate of Immigration. Persónuvernd offered criticism of this provision prior to its enactment.

Like many countries in Europe in 2003 and 2004, Iceland has had to respond to requests by the United States Department of Homeland Security's Bureau of Customs and Border Protection (CBP) for airline passenger data, including Advanced Passenger Information System (APIS) and Passenger Name Record (PNR) data. As a party to the European Economic Area Agreement, Iceland was bound by the May 2004 agreement and the subsequent 2006 interim agreement between CBP and the European Commission governing the scope of data to be transferred and the protections afforded to the data. Persónuvernd sought to ensure that data from Iceland and Icelandair would not be processed or retained differently than data from other European airlines.

Two major security-related bills were presented to the Parliament by the Minister of Justice in 2004. One bill, which became law (No. 20/2004), amended the Act on Foreigners, No. 96/2000, allowing significant governmental intrusions based on suspicion of sham or forced marriages. The act allows body and house searches where there is suspicion that the sole aim of a marriage is to give one spouse the right to stay in Iceland, or where there is suspicion that the marriage is forced. The act also allows genetic testing of foreigners claiming kinship to Icelandic citizens as the basis for their right to reside in Iceland, and it creates a presumption of a sham or forced marriage where there is reasonable suspicion of such a condition. Although the DPA offered significant criticism of the act, it was only able to effect a change to the standard for allowing body and house searches for suspect marriages, requiring that it be absolutely beyond doubt that the search would be allowed by a judge.

Wiretapping and Surveillance Rules

Under the Law on Criminal Procedure, wiretapping, tape recording or photographing without consent requires a court order and must be limited to a short period of time. After the recording is complete, the target must be informed and the recordings must be destroyed after they are no longer needed.[2799] Complaints against the orders can be submitted to the Supreme Court. Chapter XXV of the Penal Code also penalizes violations of privacy such as violating the secrecy of letters and revealing secrets to the public.

Throughout 2003 and 2004, there was significant debate regarding the retention of network traffic data, including the retention of IP numbers in computer logs, to facilitate investigation of crimes such as child pornography. The State Police Chief proposed requiring retention of network traffic data for at least six months, claiming concordance with European legislation providing exceptions to the general rule requiring disposal of such data after billing and transmission purposes have been fulfilled. The DPA responded that such data retention would need to be narrower in scope and limited in time.

An amendment to the Telecommunications Law was introduced in April 2005. The bill provided the police with the access to IP numbers, phone numbers, as needed for investigation purposes, up to one year after their use, without obtaining a court order.[2800] This was opposed by many, and led to the amendment of the bill. In the version enacted in May 2005, telecommunication firms shall only store data such as IP numbers for 6 months, but the police still have access to such data without a court order.[2801] The original bill also proposed that the provider should store the time and length of a call and the amount of data transferred to and from the user should be registered. The new law however, stipulates that the providers shall only store the date of the call and the amount of data sent to the user. In addition, the final version of the bill did not require users to present their personal identification document when purchasing phone cards, as proposed by the original bill, but instead the law now permits officials to collect information on users of such cards.[2802]

Open Government

The Freedom of Information Act of 1996 (Upplysingalög) governs the release of documents.[2803] Under the Act, individuals (including non-residents) and legal entities have a legal right to official documents without having to show a reason for the request. There are exceptions for national security, commercial and personal information. Copyrighted material can be provided to requestors but it is then their responsibility if they republish the materials in a manner inconsistent with the copyright. Denials can be appealed to the Information Committee. There are often delays in the release of documents. Recently, the government refused to release a memorandum on a court case on the grounds that it was an internal government document. The Supreme Court ordered its release, because it had previously been shown to non-official parties.

International Obligations

Iceland is a member of the Council of Europe (CoE) and has signed and ratified the CoE Convention No. 108.[2804] It has signed and ratified the ECHR.[2805] On January 29, 2007, it ratified the CoE Convention on Cybercrime (ETS No.185).[2806] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[2770] Constitution of the Republic of Iceland, No.33, June 17, 1944, as amended May 30, 1984, May 31, 1991, June 28, 1995 and June 24, 1999, available at <> (official English translation from Icelandic).

[2771] Act on the Protection of Privacy as regards the Processing of Personal Data No. 77/2000, available at
[2772] Id. at art. 28.

[2773] Homepage <>.
[2774] Act on the Participation of Iceland in the Schengen Co-operation, No. 15/2000, and Act on the Schengen Information System, No. 16/2000.
[2775] See <>.

[2776] Rule on Electronic Surveillance, No.837/2006, September 19, 2006, available at <>.

[2777] Persónuvernd handled 720 new cases in 2005. The institution handled a total of 804 cases of which 748 were solved. During this period, it received 417 complaints and questions and engaged in 14 investigations of data processing by certain data controllers of which 4 were solved formally with a decision or an opinion. The most extensive investigations were conducted within three life, accident and disease insurance companies. See e-mail from Thordur Sveinsson, Legal Counsel, Icelandic Data Protection Authority (Persónuvernd) to Allison Knight, Director, Privacy and Human Rights Project, Electronic Privacy Information Center, May 30, 2007 (on file with EPIC).

[2778] See e-mail from Thordur Sveinsson, Legal Counsel, Icelandic Data Protection Authority (Persónuvernd) to Allison Knight, Director, Privacy and Human Rights Project, Electronic Privacy Information Center, May 30, 2007 (on file with EPIC). See also e-mail from Arnhildur Gumundsdottir, Legal Counsel, Icelandic Data Protection Authority (Persónuvernd) to Allison Knight, Director, Privacy and Human Rights Project, Electronic Privacy Information Center, June 5, 2007 (on file with EPIC).

[2779] Act on a Health Sector Database No. 139/1998, December 17, 1998, available at
[2780] Operating License issued to Íslensk erf agreining ehf, State Reg. No. 691295-3549, for the Creation and Operation of a Health Sector Database, Ministry of Health and Social Security, January 2000.
[2781] David Winickoff, “Genome and Nation: Iceland’s Health Sector Database and its Legacy,” 1 Innovations 80, 90 (2006), available at <>.
[2782] General Security Terms of the Icelandic Data Protection Commission, Document No. 1, January 19, 2000, available at <>.

[2783] See <>.
[2784] "World Medical Association Opposes Icelandic Gene Database," EBMJ, April 24, 1999.
[2785] Declaration on Ethical Considerations Regarding Health Databases October 6, 2002, available at <>.

[2786] The Guidelines lay down a policy on confidentiality, against which the creation of national health databases should be judged: they establish controls over the use and disclosure of personal health information; require patients' consent if the inclusion of their health information on a database involves disclosure to a third party; and allow patients to withdraw their health information from databases. Press release of the World Medical Association, General Assembly, Washington, USA, October 2-6, 2002 <>.

[2787] Ross Anderson, "The deCODE Proposal for an Icelandic Health Database," March 1998, available at <>.

[2788] Alison Abbott, "Icelandic Database Shelved as Court Judges Privacy in Peril," Nature, May 13, 2004, at 118.

[2789] Icelandic Supreme Court, November 27, 2003, judgment No. 151/2003.

[2790] Abbott, supra

[2791] Annas GJ, Family Privacy and Death - Antigone, War, and Medical Research, New England Journal of Medicine 352: 501-5 (2005).

[2792] deCODE Annual Reports for 2003, 2004 and 2005, available at <>.

[2793] 10-K form, page 73, 16 March 2005, available at <>.

[2794] Act on Biobanks No. 110/2000, May 2000, available at
[2795] David Winickoff, Biosamples, Genomics, and Human Rights: Context and Content of Iceland's Biobanks Act, 4 Journal of BioLaw and Business, 11 (2000).

[2796] "The State Health Insurance Institution is substantially increasing its surveillance of whether people on insurance payments break the rules they have to comply with in order to receive those payments," according to Sigurður Thorlacius, medical director of the Institution. "It is not only the illicit work which is said to occur among individuals on disability payments," Thorlacius said. "Many are lying to us. Individuals with children claim they are not in cohabitation. That means they receive much higher payments from us. That leads to suffering for those in dire need, relying solely on our payments, because of those who lie to us about their situation." The newspaper Fréttablaðið, April 28, 2005, p. 1. Similar accusations were made by the director of the Institution in other media.
[2797] Law 154/2001, paragraph 8, amending Law 117/1993, paragraph 47 provides: "The Institution's doctors, or dentists if relevant, are permitted to examine the part of the medical record that forms the basis of the invoice to the Institution," available at <>.

[2798] "Icelandic Airport Installs New Surveillance Software," Airline Industry Information, June 20, 2001.

[2799] Articles 86-87, Law on Criminal Procedure.

[2800] Draft amendment 1102 April 2005 to the Telecommunication Act. Article 7 provides: "Minimum registration shall ensure that the telecommunication firm can provide information regarding which of its customers had a specific phone number, IP number or user name, and provide information on all of the user’s connections, the time, length, who the link was to, amount of data transferred, both to and from the user." See <>.
[2801] Amendment to the 1993 Telecommunications Act, No.78/2005, Article 7, available at <>.
[2802] Telecommunication Act, No. 81/2003 with amendments, available at <>.

[2803] Act No. 50/1996, available at <>.

[2804] Signed September 27, 1982; enacted March 3, 1991; entered into force July 1, 1991 <>.
[2805] Signed November 4, 1950; enacted June 29, 1953; entered into force September 3, 1953 <>.
[2806] Signed November 30, 2001; enacted January 29, 2007; entered into force January 5, 2007 <>.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback