Iceland Recording Laws: Privacy Rules and Penalties (2026)

Overview of Iceland's Recording Laws
Iceland does not fit neatly into the American framework of "one-party" or "all-party" consent states. Instead, the country operates under a layered European model where the legality of recording depends on the context, the medium, and what you do with the recording afterward.
Three primary statutes govern recording in Iceland. The Electronic Communications Act No. 70/2022 sets the rules for phone and digital communications. The Data Protection and Processing of Personal Data Act No. 90/2018 implements the GDPR across Icelandic law. And the General Penal Code No. 19/1940, as amended, criminalizes certain invasions of private life under Chapter XXV.
Iceland is not an EU member state, but it is part of the European Economic Area (EEA). That distinction matters because the GDPR applies to Iceland through the EEA Agreement, giving Persónuvernd (the Icelandic Data Protection Authority) the same enforcement powers as its counterparts in EU nations.
The practical effect of this framework is that recording a conversation is not automatically illegal in Iceland. But the moment you share, publish, or otherwise distribute that recording, the full weight of European data protection law kicks in.
The Electronic Communications Act No. 70/2022
The Electronic Communications Act replaced Iceland's older telecommunications legislation and took effect on September 1, 2022. It transposed Directive (EU) 2018/1972, the European Electronic Communications Code, into Icelandic law.
Confidentiality of Communications
Chapter XIII of the act addresses privacy in electronic communications. The law prohibits the processing of electronic communication data, including storage, listening, recording, and interception, unless one of two conditions is met: the user has given informed consent, or the activity is authorized by law.
This prohibition applies broadly. It covers telecommunications providers, internet service providers, and anyone else who might intercept or record electronic communications passing through Iceland's networks.
Lawful Interception by Authorities
Article 8(d) of the act requires that telecommunications operators make it possible for competent authorities to intercept calls and obtain related data in accordance with Icelandic law. This provision does not give authorities blanket surveillance power. Police must obtain a court order under the Code of Criminal Procedure No. 88/2008 before tapping any phone line or intercepting digital communications.
Between 2008 and 2015, Icelandic police requested 720 wiretap warrants. Courts approved 715 of them, a 99.3% approval rate that drew criticism from the Pirate Party in parliament. Roughly 65% of those wiretaps were connected to drug investigations.
In 2020, police requested phone usage data or other surveillance techniques 388 times, with phone usage data specifically requested 92 times.
Data Retention
Telecommunications providers must retain user data, including browsing history, for six months under a 2005 amendment to Iceland's earlier electronic communications law. That retained data may only be delivered to police or prosecutors in criminal cases or matters of public safety.
Recording Phone Calls in Iceland
The rules around phone call recording in Iceland depend on who is recording, why, and what happens to the recording.
Notification Requirement
According to guidance published by Persónuvernd on the official island.is portal, the other party must be notified at the beginning of a call that recording will take place. There is one narrow exception: notification is not required when the other party is "undoubtedly aware" of the recording. That exception might apply in call center environments where automated systems play a disclosure message, but it would not apply to a casual phone conversation between two individuals.
The guidance also warns that saying "a call may be recorded" is likely not sufficient under data protection fairness principles. The language should be definitive: the caller should be told that the call is being recorded, not that it might be.
The Personal Use Exemption
The most significant nuance in Icelandic recording law comes from the household exemption under Article 2(2)(c) of the GDPR. In a 2023 ruling by Persónuvernd, the authority drew a clear line between making a recording and sharing one.
The case involved a woman who recorded phone calls from an abusive ex-partner without his knowledge. She later shared those recordings with police, lawyers, and prosecutors. The ex-partner filed a complaint.
Persónuvernd dismissed the complaint. It held that the act of recording fell outside the scope of the GDPR because it was processing by an individual solely for private or family purposes. The sharing of those recordings with law enforcement, however, did fall under the GDPR. But the authority found that sharing was justified under the legitimate interests basis, given the safety concerns involved.
This ruling establishes an important principle: you can record a phone call for your own personal use without triggering data protection obligations. But the moment you share that recording with anyone outside your household, you need a lawful basis under the GDPR to do so.
Recording In-Person Conversations
Iceland's Data Protection Act applies to audio recordings of in-person conversations the same way it applies to phone recordings. If a person can be identified from a recording, whether by their voice, name, or the subject matter discussed, the recording constitutes the processing of personal data.
When Recording Becomes Electronic Monitoring
Persónuvernd has stated that when recording is "ongoing or repeated regularly and involves some kind of monitoring of individuals," it qualifies as electronic monitoring. Electronic monitoring triggers additional obligations under Rules No. 50/2023 on Electronic Surveillance, including signage, access restrictions, and documentation requirements.
A one-time recording of a conversation for personal reference is treated differently than setting up a device to continuously record interactions in a space. The former may fall under the household exemption. The latter almost certainly requires a legal basis, notice to recorded parties, and compliance with the full suite of GDPR obligations.
Secret Recording
Covert recording is not outright banned for individuals acting in a private capacity for personal use. The 2023 Persónuvernd ruling confirmed that a person can secretly record their own conversations without violating data protection law, as long as the recordings stay private.
However, secret electronic monitoring in any institutional, commercial, or public context is explicitly prohibited. The official island.is guidance states: "Monitoring in secrecy is strictly prohibited, unless it is based on legal authority or a judge's order."
Workplace Recording and Surveillance
Workplace surveillance is one of the most heavily regulated areas of Icelandic recording law. The rules reflect a strong presumption against employer monitoring of employees.
Employee Consent Is Not Valid
In a significant departure from many other countries, Iceland takes the position that employees generally cannot give valid consent for workplace monitoring. The reasoning is straightforward: the power imbalance between employer and employee means that consent cannot be considered voluntary in the way the GDPR requires.
This means employers cannot rely on employee consent as a legal basis for surveillance. They must instead find another lawful basis under the Data Protection Act, such as a legitimate interest that is proportionate and necessary.
Employer Obligations
Employers who do conduct monitoring must meet strict requirements under Rules No. 50/2023:
- Employees must be educated about the monitoring, its purpose, who has access to collected data, and how long the data is retained.
- Clear warning signs must be placed in prominent locations before anyone enters a monitored area.
- Only authorized personnel who need the material for their work may access recordings, and only when a specific reason justifies viewing.
- Employees have the right to examine recordings that contain their personal data, either through an oral or written request.
- Secret workplace monitoring is banned outright, unless a judge orders it.
Enforcement Cases
Persónuvernd has actively enforced workplace surveillance rules through several notable cases:
Ice cream parlour case (2021): An underage employee complained that the changing area where staff put on their work uniforms was under constant video surveillance. Persónuvernd inspected the premises and confirmed that employees had no camera-free area to change. The company was fined ISK 5 million (roughly EUR 34,000), ordered to stop the surveillance, delete all recordings from the changing area camera, and implement proper employee notification procedures.
Subway case (2021): Stjörnuna ehf., the Icelandic Subway franchise operator, was fined ISK 1.5 million (roughly EUR 10,900) after a manager was found watching employees from home via remote monitoring systems. The company justified the surveillance by citing "fear of running out of bread." Persónuvernd found this rationale insufficient and ruled the monitoring violated GDPR Articles 5, 6, 12, and 13.
GDPR and EEA Framework in Iceland
Understanding Iceland's position within the European data protection framework is essential for anyone dealing with recording laws in the country.
How GDPR Applies
Iceland incorporated the GDPR into its domestic law through Act No. 90/2018. Persónuvernd serves as the supervisory authority, with the same powers granted to data protection authorities across the EEA.
The GDPR applies to any processing of personal data, which includes audio recordings where individuals can be identified. The six lawful bases for processing under Article 6 all apply in Iceland: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Age of Consent for Data Processing
Iceland set the age of digital consent at 13, lower than the GDPR default of 16. This is relevant for applications and platforms that might record interactions with minors, as parental consent requirements differ depending on the user's age.
The Household Exemption
Article 2(2)(c) of the GDPR exempts processing carried out by a natural person in the course of purely personal or household activities. As Persónuvernd confirmed in the 2023 phone recording ruling, this exemption covers personal audio recordings that an individual makes for their own use. It does not cover recordings made in any professional, commercial, or organizational capacity.
The exemption also has geographic limits established by the Court of Justice of the European Union (CJEU) in the Ryneš case. A surveillance camera that captures areas beyond your own private property does not qualify for the household exemption, even if you installed it for personal security reasons.
Public Spaces and Recording
Recording in public spaces in Iceland follows the same GDPR principles that apply across the EEA. There is no blanket prohibition on filming or recording in public, but the rules change depending on what you capture and what you do with the material.
General Public Recording
Taking photos or video of crowds at public events does not typically require individual consent. However, if a specific person becomes the focus or subject of the recording, consent is "normally a condition," according to guidance on island.is.
Publishing Recordings
Publishing audio or video recordings online triggers data protection obligations whenever individuals can be identified. The Data Protection Act requires a lawful basis for processing, and publishing personal data to the internet is one of the most invasive forms of processing.
Children receive heightened protection. Persónuvernd recommends obtaining consent before posting images or recordings of children on social media, taking into account the child's age and development. Recordings showing children in vulnerable situations, such as illness, distress, or partial undress, should never be posted.
GPS and Metadata
The official guidance warns that photographs and recordings often contain embedded GPS coordinates and other metadata. Anyone publishing recordings should strip this data before sharing, as location metadata attached to recordings of identifiable individuals constitutes additional personal data processing.
Penalties for Illegal Recording in Iceland
Iceland's penalty structure for recording violations spans both administrative and criminal law.
Administrative Fines
Persónuvernd can impose administrative fines under the tiered system established by the GDPR:
Lower tier (Article 83(4) violations): Fines range from ISK 100,000 to ISK 1.2 billion (approximately EUR 660 to EUR 7.9 million). For corporations, the cap is the fixed maximum or 2% of annual global turnover, whichever figure is higher.
Upper tier (Article 83(5)-(6) violations): Fines range from ISK 100,000 to ISK 2.4 billion (approximately EUR 15.85 million). For corporations, up to 4% of annual global turnover.
The authority can also impose daily fines of up to ISK 200,000 (roughly EUR 1,320) for each day a data controller or processor fails to comply with its orders.
Criminal Penalties
Act No. 90/2018 includes criminal sanctions in Articles 47 and 48:
- A breach of the confidentiality obligations under Articles 36 and 44 of the Data Protection Act is punishable by fines or imprisonment of up to one year.
- If the violation was committed for the purpose of obtaining unlawful profit, imprisonment of up to three years may be imposed.
- Individuals acting on behalf of a legal entity can face personal criminal liability alongside any administrative fine imposed on the entity.
The General Penal Code No. 19/1940 provides additional criminal penalties under Chapter XXV, which addresses offences against the inviolability of private life. These provisions cover unauthorized intrusion into, obtaining, copying, displaying, disclosing, or disseminating private documents, data, image material, or similar content related to someone's private affairs.
Real-World Enforcement
Persónuvernd has demonstrated a willingness to enforce these provisions. In addition to the workplace cases described above, a sports hall (Ithrótta- og syningahöllin hf.) was fined EUR 23,400 in 2023 for electronic surveillance conducted without sufficient legal grounds, which the authority classified as unlawful processing of sensitive personal data. Credit agency Creditinfo Lánstraust hf. received a EUR 253,400 fine for insufficient legal basis for data processing.
Business Compliance Requirements
Companies operating in Iceland or recording calls involving Icelandic residents face specific compliance obligations.
Call Recording for Businesses
Businesses that record phone calls must provide clear, definitive notice at the start of each call. The notice should state that the call is being recorded, not that it "may" be recorded. Businesses must also document the lawful basis for recording, typically either consent or legitimate interests.
Government agencies have a narrow exemption: they need not report voicemail recording when it is routine and necessary for national or public security purposes. This exemption does not extend to private businesses.
Data Subject Rights
Recorded individuals retain full GDPR rights, including the right to access their recordings, request deletion, and object to processing. Businesses must be prepared to respond to these requests within the timeframes established by the GDPR.
International Transfers
Any transfer of recordings outside the EEA requires compliance with GDPR Chapter V transfer mechanisms, such as standard contractual clauses or adequacy decisions. Iceland implemented specific transfer protocols under Advertisement No. 1155/2022.
Data Protection Impact Assessments
Recording activities that involve systematic monitoring of publicly accessible areas, large-scale processing of sensitive data, or new technologies require a Data Protection Impact Assessment under Advertisement No. 828/2019 before recording begins.
How Iceland Compares to Neighboring Countries
Iceland's approach to recording law shares DNA with the other Nordic countries but has its own distinctions.
All Nordic nations implement the GDPR, so the baseline framework is similar. However, Iceland's personal use exemption, as interpreted by Persónuvernd, is notably broad. The 2023 ruling allowing secret recording of abusive phone calls for personal safety goes further than some other Nordic authorities have been willing to go.
Iceland also stands out for its strong stance against workplace surveillance. The position that employee consent is inherently invalid for monitoring purposes reflects a more protective approach than some EU member states take.
On government surveillance, Iceland maintains relatively robust protections. There is no SIM card registration requirement, and users face no legal obligation to decrypt communications or hand over encryption keys. These protections, combined with the court order requirement for wiretaps, place Iceland among the more privacy-protective nations in Europe.
Sources and References
- Electronic Communications Act No. 70/2022 (althingi.is)
- Data Protection Act No. 90/2018 (althingi.is)
- General Penal Code No. 19/1940 (althingi.is)
- Audio Recordings and Data Protection - island.is (island.is)
- Privacy in the Workplace: CCTV - island.is (island.is)
- Persónuvernd Decision 2021101915 (gdprhub.eu)
- Code of Criminal Procedure No. 88/2008 (government.is)
- Freedom on the Net 2022 - Iceland (freedomhouse.org)
- EDPB Ice Cream Parlour Fine (edpb.europa.eu)
- DLA Piper - Iceland Enforcement (dlapiperdataprotection.com)
- Reykjavík Grapevine - Wiretapping in Iceland (grapevine.is)
- Data Protection and Online Publication - island.is (island.is)