Iceland Recording Laws: One-Party Consent, NCII, and Penalties (2026)

Quick Answer: Is Iceland a One-Party Consent Country?
Iceland is a one-party consent jurisdiction for participant recordings. A person who is part of a conversation may record it without telling the other party. This position flows from two sources read together. Article 228 of the General Penal Code (Almenn hegningarlög nr. 19/1940) criminalizes unlawful intrusion into another person's private affairs, but does not prohibit a conversation participant from recording their own exchange. The GDPR household exemption under Article 2(2)(c) then shields purely personal recordings from data protection obligations entirely. Persónuvernd confirmed this framework in Decision 2021101915, holding that a woman who secretly recorded threatening calls from an abusive ex-partner for her own safety acted outside the GDPR's scope. The critical qualifier is that "one-party consent" governs the act of recording. The moment that recording leaves your personal sphere, whether shared with a lawyer, posted online, or submitted to police, the GDPR applies and you need a lawful basis under Article 6 of Act No. 90/2018.

Jurisdiction scope: This article addresses recording law in Iceland under the General Penal Code No. 19/1940 (Arts. 228, 229, 199a), the Electronic Communications Act No. 70/2022, and Act No. 90/2018 (Iceland's GDPR implementation via the EEA Agreement). It does not address US state recording laws; for those, see our US recording laws hub. For EU member state rules, see our world recording laws hub.
The Article 228 and 229 Criminal Framework
Article 228 of the General Penal Code is the foundational criminal-law provision governing unauthorized access to private information and recordings in Iceland. It prohibits a person from unlawfully prying into, obtaining, copying, displaying, disclosing, publishing, or distributing documents, data, images, or other comparable material relating to another person's private affairs. The offense carries a penalty of fines or imprisonment of up to one year under the General Penal Code.
The word "unlawfully" is the operative qualifier. A participant who records their own conversation does not commit an unlawful act under Article 228 because they are a party to the communication. A third party who secretly records a conversation between two other people, or who intercepts a phone call in which they have no part, commits the unlawful act that Article 228 targets.
Article 229 extends this protection to data stored in digital form. It prohibits unauthorized access to data or computer programs, with the same penalty of fines or up to one year in prison. This provision is relevant to anyone who gains unauthorized access to another person's device to retrieve recordings or intercepts communications at the network level.
Public Interest Defense
Articles 228 and 229 do not apply where conduct is justified based on public or private interests. This exception is most relevant in journalism and accountability contexts: recording a public official engaged in abuse of power, for example, may be protected even if the recording occurs without the official's knowledge, provided the conduct genuinely serves a public interest and is proportionate. Courts weigh this against the constitutional privacy guarantee in Article 71 of the Icelandic Constitution and the freedom of expression protection in Article 73.
Relationship to the Electronic Communications Act
Article 228 governs the criminal dimension of unauthorized access to private content. The Electronic Communications Act No. 70/2022 separately governs the confidentiality of electronic communications in transit. Both statutes can apply simultaneously to a single act of interception: intercepting a phone call in progress triggers both the Electronic Communications Act (communications security) and, if the intercepted content is then disclosed, Article 228 (privacy invasion).
Article 199a: Image-Based Abuse and Deepfakes
Article 199a was inserted into the General Penal Code by Act No. 8/2021, enacted unanimously (49 votes) by the Althingi on February 22, 2021. It created a distinct criminal offense addressing digital sexual violence as a form of privacy invasion separate from and more serious than Article 228.

What Article 199a Prohibits
Article 199a criminalizes creating, acquiring, sharing, or publishing images, video, text, or comparable content that depicts another person's nudity or sexual behavior without that person's consent. The provision explicitly covers falsified material ("falsað efni"), meaning AI-generated deepfakes and synthetic intimate content fall squarely within its scope. The law is also format-neutral: it applies to images, video, audio, text, and any other comparable medium.
Penalties Under Article 199a
The standard penalty for creating or distributing non-consensual intimate content is fines or imprisonment of up to four years. A narrower offense exists for threats: threatening to create or distribute such material, in a way likely to cause fear, carries a penalty of up to one year. The four-year maximum makes this offense significantly more serious than the standard Article 228 privacy violation, reflecting Parliament's view that intimate image abuse causes distinct and severe harm.
Legislative Context
The accompanying report to the 2021 bill stated that the previous criminal code "did not account for the possibility of contactless sexual privacy infringements." The law was developed in response to documented cases where intimate images circulated following relationship breakups, as well as growing awareness that synthetic deepfake technology could create such material without any prior physical contact. Team Manager Ragna Björg Guðbrandsdóttir of the relevant government unit noted that such abuse commonly follows relationship dissolution, causing serious interference with victims' daily functioning.
Watch out: Article 199a applies to producing as well as distributing non-consensual intimate content. A person who creates a realistic deepfake depicting someone in sexual conduct without that person's consent commits an offense even if the material is never shared. The production itself is the crime.
The Electronic Communications Act No. 70/2022
The Electronic Communications Act replaced Iceland's older telecommunications legislation and took effect on September 1, 2022. It transposed Directive (EU) 2018/1972, the European Electronic Communications Code, into Icelandic law.
Confidentiality of Communications
Chapter XIII of the act addresses privacy in electronic communications. The law prohibits the processing of electronic communication data, including storage, listening, recording, and interception, unless one of two conditions is met: the user has given informed consent, or the activity is authorized by law.
This prohibition applies broadly. It covers telecommunications providers, internet service providers, and anyone else who might intercept or record electronic communications passing through Iceland's networks.
Lawful Interception by Authorities
Article 8(d) of the act requires that telecommunications operators make it possible for competent authorities to intercept calls and obtain related data in accordance with Icelandic law. Police must obtain a court order under the Code of Criminal Procedure No. 88/2008 before tapping any phone line or intercepting digital communications.
Between 2008 and 2015, Icelandic police requested 720 wiretap warrants. Courts approved 715 of them, a 99.3% approval rate that drew criticism from the Pirate Party in parliament. Roughly 65% of those wiretaps were connected to drug investigations. In 2020, police made 388 total surveillance requests, with 92 specifically for phone usage data.
Data Retention
Telecommunications providers must retain user data, including browsing history, for six months. That retained data may only be delivered to police or prosecutors in criminal cases or matters of public safety.
Recording Phone Calls in Iceland
Notification Requirement
Official Icelandic government guidance published on island.is states that the other party to a phone call must be notified at the beginning of the call that recording will take place. One narrow exception exists: notification is not required when the other party is "undoubtedly aware" of the recording. That exception applies to call centers where automated systems play a required disclosure at the start of every call, but it does not apply to ordinary conversations between individuals.
The guidance also warns that saying "a call may be recorded" is not sufficient under data protection fairness principles. The language must be definitive: the call is being recorded, not that it might be.
The Personal Use Exemption
The personal use exemption under GDPR Article 2(2)(c) and the Persónuvernd 2021101915 decision establishes a clear principle: recording a phone call for your own private use does not trigger data protection obligations. But sharing that recording with anyone outside your household does, and requires a lawful basis under GDPR Article 6 as implemented in Act No. 90/2018.
Persónuvernd's decision in 2021101915 found that sharing recordings of threatening calls with police and lawyers was justified under the legitimate interests basis, given the documented safety concerns. The balance between the recording subject's privacy rights and the recorder's personal safety weighed in favor of the disclosure.
Recording In-Person Conversations
Iceland's Data Protection Act applies to audio recordings of in-person conversations whenever a person can be identified from the recording, whether by their voice, name, or the subject matter discussed.
When Recording Becomes Electronic Monitoring
Persónuvernd has stated that when recording is "ongoing or repeated regularly and involves some kind of monitoring of individuals," it qualifies as electronic monitoring. Electronic monitoring triggers additional obligations under Rules No. 50/2023 on Electronic Surveillance, including signage, access restrictions, and documentation requirements.
A one-time recording of a conversation for personal reference is treated differently than a device set to continuously capture activity in a space. The former may fall under the household exemption. The latter almost certainly requires a legal basis, notice, and full GDPR compliance.
Secret Recording
Covert recording is not outright banned for individuals acting in a private capacity for personal use. The Persónuvernd 2021101915 ruling confirmed that a person can secretly record their own conversations without violating data protection law, as long as the recordings stay private.
Secret electronic monitoring in any institutional, commercial, or public context is explicitly prohibited. Official island.is guidance states: "Monitoring in secrecy is strictly prohibited, unless it is based on legal authority or a judge's order."
Recording the Police and Public Officials
Iceland's capital area police confirmed in May 2015 that there is no legal prohibition on members of the public recording police work in a public setting. The confirmation came via an official Facebook statement following an incident in which an officer incorrectly told a member of the public that recording was illegal. The police department apologized and clarified: "Nothing in the law forbids the general public from recording police work in a public setting."
The constitutional framework supports this position. Article 73 of the Icelandic Constitution protects freedom of expression and prohibits censorship. Article 71 protects the privacy of individuals, but privacy interests carry less weight for public officials acting in their official capacity in public spaces.
The practical position is that a citizen may record a police officer performing duties in a public place. What that person may not do is obstruct the officer's work, enter a restricted area to obtain the recording, or publish the recording in a way that discloses personal information unrelated to the official conduct (for example, capturing and publishing bystanders who are not relevant to the incident). The GDPR's proportionality requirement applies to publication even when the initial recording is lawful.
Workplace Recording and Surveillance
Employee Consent Is Not Valid
Iceland takes the position that employees generally cannot give valid consent for workplace monitoring. The power imbalance between employer and employee means that consent cannot be considered voluntary in the way GDPR Article 7 requires. Employers must find a different lawful basis, most commonly legitimate interests under Article 6(1)(f), but any legitimate interest must be proportionate and necessary.
Employer Obligations Under Rules No. 50/2023
Employers who conduct monitoring must meet strict requirements:
- Employees must be informed about the monitoring, its purpose, who has access to collected data, and retention periods.
- Clear warning signs must be posted before anyone enters a monitored area.
- Only authorized personnel with a specific operational need may access recordings.
- Employees have the right to examine recordings containing their personal data through an oral or written request.
- Secret workplace monitoring is banned unless a judge orders it.
Enforcement Cases
Ice cream parlour case (2021): An underage employee complained that the changing area where staff put on work uniforms was under constant video surveillance. Persónuvernd confirmed employees had no camera-free area to change. The company was fined ISK 5 million (roughly EUR 34,000), ordered to stop the surveillance, delete all recordings from the changing area camera, and implement proper employee notification procedures.
Subway case (2021): Stjörnuna ehf., the Icelandic Subway franchise operator, was fined ISK 1.5 million (roughly EUR 10,900) after a manager was found watching employees from home via remote monitoring. The company justified the surveillance by citing "fear of running out of bread." Persónuvernd found this rationale insufficient and ruled the monitoring violated GDPR Articles 5, 6, 12, and 13.
Íþrótta- og sýningahöllin hf. sports venue (2023): Following media coverage, Persónuvernd inspected a large sports and entertainment venue in Reykjavík and found approximately 50 active surveillance cameras, including cameras in areas where teenagers slept and changed clothing during a sports tournament and in a mass COVID-19 vaccination area. The authority fined the company ISK 3,500,000 (approximately EUR 23,820) on October 17, 2023 for violations of GDPR Articles 5(1)(a), 5(1)(b), and 6.
University of Iceland (2023): The Háskóli Íslands was fined ISK 1,500,000 (approximately EUR 10,289) for operating a CCTV system without providing adequate notice to data subjects, violating GDPR Articles 5(1)(a), 12, and 13.
GDPR and EEA Framework in Iceland
Iceland is not an EU member state, but it is part of the European Economic Area (EEA). The GDPR applies to Iceland through EEA Joint Committee Decision 154/2018, incorporated into domestic law as Act No. 90/2018. Persónuvernd functions as Iceland's supervisory authority with the same enforcement powers as data protection authorities in EU member states.
How GDPR Applies to Recordings
The GDPR applies to any processing of personal data, which includes audio recordings where individuals can be identified. The six lawful bases for processing under Article 6 apply in full: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For recordings specifically, the most commonly used bases are consent (for explicit business call recording) and legitimate interests (for safety-related personal recordings, as confirmed in Persónuvernd 2021101915).
The Household Exemption
GDPR Article 2(2)(c) exempts processing by a natural person in the course of purely personal or household activities. This covers personal audio recordings made for private use. It does not cover recordings made in any professional, commercial, or organizational capacity.
The Court of Justice of the European Union established geographic limits on this exemption in Rynes (C-212/13, 2014): a surveillance camera that captures areas beyond your own private property does not qualify, even if installed for personal security reasons. This principle applies in Iceland as it does across the EEA.
Age of Consent for Data Processing
Iceland set the age of digital consent at 13, lower than the GDPR default of 16. This is relevant for platforms or applications that record interactions with minors, as parental consent requirements differ depending on the user's age.
Voyeurism and Non-Consensual Intimate Imagery
Iceland's legal response to voyeurism and NCII operates through two provisions working in parallel. Article 228 of the General Penal Code covers unauthorized intrusion into private affairs generally, including secret filming in private spaces. Article 199a (Act No. 8/2021) addresses the more specific offense of creating and distributing intimate content without consent, with significantly higher penalties.
The distinction matters for charging: a person who secretly films someone in a changing room violates Article 228 (up to 1 year). If they then share that footage, Article 199a applies (up to 4 years). If they threaten to share it, that threat is itself an Article 199a offense (up to 1 year).
Article 199a also focuses on the victim's lack of consent rather than requiring proof of the offender's intent to cause harm, making it a victim-centred provision consistent with ECHR Article 8 principles.
Deepfake and AI-Generated Content
Article 199a Already Covers Synthetic NCII
Iceland's 2021 law explicitly covers "falsified material" ("falsað efni"), meaning AI-generated deepfakes depicting someone in intimate or sexual situations are already criminalized under Article 199a without any further legislative action. This is one of the broader NCII provisions in Europe on this specific point.
EU AI Act: Not Yet in Force in Iceland
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024, with the first prohibited-practices obligations applying from February 2025 across EU member states. However, as of May 2026, no EEA Joint Committee decision has formally incorporated the EU AI Act into the EEA Agreement. Iceland, Norway, and Liechtenstein participate as observers in EU AI Board meetings but are not directly bound by the Regulation.
Standard EEA Joint Committee incorporation can take several months to over a year where national legislative steps are required. Until formal incorporation occurs, Icelandic businesses and individuals are not subject to the EU AI Act's obligations or penalties directly, although they may face extraterritorial application if they offer goods or services to EU residents.
Council of Europe Framework Convention
Iceland signed the Council of Europe's Framework Convention on Artificial Intelligence on September 5, 2024. This treaty, the first binding international instrument on AI, establishes requirements for human rights compliance, democracy, and the rule of law in AI systems. It supplements Iceland's existing AI governance rather than replacing it.
Proposed Copyright Act Amendment
Iceland has a bill in progress that would amend the Copyright Act No. 73/1972 to prohibit reproduction of a person in any format that can be assumed to be real, including pictures, video, sound recordings, and AI-generated content, without the person's consent. The bill specifically targets deepfakes. As of May 2026 this amendment is pending passage; it would add a civil-law layer to the criminal-law protection already provided by Article 199a.
Public Spaces and Recording
Taking photos or video of crowds at public events does not typically require individual consent. If a specific person becomes the focus of the recording, consent is "normally a condition" under official island.is guidance on data protection and online publication.
Publishing audio or video recordings online triggers data protection obligations whenever individuals can be identified. The Data Protection Act requires a lawful basis for processing. Children receive heightened protection: Persónuvernd recommends obtaining consent before posting images or recordings of children on social media, taking into account the child's age and development. Recordings showing children in vulnerable situations should never be posted.
Official guidance warns that photographs and recordings often contain embedded GPS coordinates and other metadata. Anyone publishing recordings should strip this data before sharing, as location metadata attached to identifiable individuals constitutes additional personal data processing.
Cross-Border Recording
When Iceland's GDPR Applies
GDPR Article 3 gives the regulation extraterritorial reach in two directions. First, any controller or processor established in Iceland that records a call with a non-EEA party must comply with Iceland's GDPR obligations for that recording. Second, a controller not established in Iceland but targeting Icelandic residents or monitoring Icelandic residents' behaviour is also subject to the regulation.
Recording Calls from Outside Iceland
A person in the United States recording a call with an Icelandic resident triggers GDPR obligations if that person is directing services at Icelandic residents or monitoring their behaviour. For casual individual calls, the analysis depends on whether the activity is genuinely personal (household exemption) or commercial. A US-based company recording customer service calls with Icelandic customers must comply with Iceland's GDPR obligations.
Transferring Recordings Outside the EEA
Any transfer of recordings from Iceland to a country outside the EEA requires compliance with GDPR Chapter V transfer mechanisms: adequacy decisions, standard contractual clauses, or other approved safeguards. Iceland implemented specific transfer protocols under Advertisement No. 1155/2022.
One-Party vs. Two-Party Consent in Cross-Border Calls
If an Icelandic resident calls someone in California, Iceland's one-party consent framework permits the Icelandic caller to record. California's two-party consent law (Cal. Penal Code s. 632) requires all parties to consent. The safer practice for any commercial caller is to notify all parties at the start of the call, satisfying both Iceland's notification requirement and California's two-party consent standard.

Penalties for Illegal Recording in Iceland
Criminal Penalties Under the General Penal Code
| Offense | Provision | Maximum Penalty |
|---|---|---|
| Unlawful access to private documents, data, or images | Art. 228 | Fines or 1 year imprisonment |
| Unauthorized digital data access | Art. 229 | Fines or 1 year imprisonment |
| Non-consensual intimate imagery (producing or sharing) | Art. 199a | Fines or 4 years imprisonment |
| Threatening to produce or share NCII | Art. 199a | Fines or 1 year imprisonment |
| Confidentiality breach under Data Protection Act | Act 90/2018 Art. 47 | Fines or 1 year imprisonment |
| Violation for unlawful profit | Act 90/2018 Art. 48 | Fines or 3 years imprisonment |
Administrative Fines from Persónuvernd
Persónuvernd can impose administrative fines under the GDPR's tiered system as implemented in Act No. 90/2018:
Lower tier (Art. 83(4) violations): Up to ISK 1.2 billion (approximately EUR 7.9 million) or 2% of annual global turnover, whichever is higher.
Upper tier (Art. 83(5)-(6) violations): Up to ISK 2.4 billion (approximately EUR 15.85 million) or 4% of annual global turnover.
Daily fines of up to ISK 200,000 (roughly EUR 1,320) may be imposed for each day of ongoing non-compliance with a Persónuvernd order.
Real-World Enforcement
Persónuvernd has demonstrated consistent enforcement across sectors:
- Ice cream parlour employee surveillance (2021): ISK 5,000,000 (EUR 34,000)
- Subway remote monitoring of employees (2021): ISK 1,500,000 (EUR 10,900)
- University of Iceland CCTV without notice (2023): ISK 1,500,000 (EUR 10,289)
- Sports venue cameras in sleeping/changing areas (2023): ISK 3,500,000 (EUR 23,820)
- Credit agency Creditinfo Lánstraust insufficient legal basis (2021): EUR 253,400
- Multiple municipalities fined in 2024 for Google Workspace education data misuse
Business Compliance Requirements
Businesses that record phone calls must provide clear, definitive notice at the start of each call. The notice must state that the call is being recorded, not that it "may" be. Businesses must document the lawful basis for recording, typically consent or legitimate interests, and must be prepared to respond to data subject access and erasure requests within GDPR timeframes.
Under Advertisement No. 828/2019, a Data Protection Impact Assessment is required before recording begins for recording activities that involve systematic monitoring of publicly accessible areas, large-scale processing, or new technologies.
Any transfer of recordings outside the EEA requires compliance with GDPR Chapter V transfer mechanisms under Advertisement No. 1155/2022.
How Iceland Compares to Other Nordic Countries
All Nordic nations implement the GDPR, so the baseline framework is similar. Iceland's personal use exemption, as interpreted by Persónuvernd in Decision 2021101915, is notably broad: allowing secret recording of abusive calls for personal safety goes further than some other Nordic authorities have stated explicitly. Iceland's position that employee consent is inherently invalid for workplace monitoring is also more protective than the approach taken in some EU member states.
On government surveillance, Iceland has no SIM card registration requirement, no obligation to decrypt communications, and a court order requirement for all wiretaps. These factors place Iceland among the more privacy-protective jurisdictions in Europe.
Last updated: 2026-05-15. Statutes cited reflect their in-force versions as of May 15, 2026.
Sources and References
- General Penal Code No. 19/1940 (Almenn hegningarlög) -- Articles 199a, 228, 229 (althingi.is)
- Act No. 8/2021 -- Amendment Adding Article 199a (kynferðisleg friðhelgi) (althingi.is)
- Electronic Communications Act No. 70/2022 (Lög um fjarskipti) (althingi.is)
- Data Protection and Processing of Personal Data Act No. 90/2018 (althingi.is)
- Audio Recordings and Data Protection -- Ísland.is (Persónuvernd guidance) (island.is)
- Privacy in the Workplace: CCTV -- Ísland.is (Rules No. 50/2023) (island.is)
- Persónuvernd Decision 2021101915 -- Phone Recording Household Exemption Case (gdprhub.eu)
- Code of Criminal Procedure No. 88/2008 (government.is)
- Constitution of the Republic of Iceland (Articles 71 and 73) (government.is)
- EDPB -- Íþrótta- og sýningahöllin hf. fined ISK 3,500,000 for video surveillance (2023) (edpb.europa.eu)
- EDPB -- University of Iceland fined ISK 1,500,000 for video surveillance without notice (2023) (edpb.europa.eu)
- EDPB -- Ice cream parlour employee surveillance fine ISK 5,000,000 (2021) (edpb.europa.eu)
- EFTA EEA-Lex -- EU AI Act (Regulation (EU) 2024/1689) incorporation status (efta.int)
- Data Protection and Online Publication -- Ísland.is (island.is)
- Iceland Freedom on the Net 2024 -- Freedom House (freedomhouse.org)
- Rynes v. Czech Republic, C-212/13 (CJEU, December 11, 2014) (curia.europa.eu)