Icelandic society is characterised by trust and respect for fundamental values such as human rights and individual freedom. Internationally, Iceland stands for the basic values of democracy, human rights, equality, and welfare when discussing the development and use of artificial intelligence.

The most relevant provisions of the Icelandic constitution that must be kept in mind in relation to the deployment and use of AI, are: 

• Article 65, which recognises that everyone shall be equal before the law and enjoy human rights irrespective of sex, religion, opinion, national origin, race, colour, property, birth or other status.
• Article 70, which provides for the right to a fair trial and within a reasonable time.
• Article 71, which recognises everyone’s right to enjoy freedom from interference with privacy, home, and family life. 

In terms of fundamental rights, Iceland is a signatory to several international conventions on human rights, in particular the United Nations Universal Declaration of Human Rights and the Council of Europe’s European Convention on Human Rights. The Ministry of Justice ensures legislative amendments to meet international obligations and reports to relevant committees overseeing human rights agreement implementation (see www.government.is/topics/human-rights-and-equality/).

The Icelandic Prime Minister’s Office has suggested, in its AI Policy for Iceland, that Iceland adopts pan-European ethical standards for AI, emphasising legality, ethics, reliability, and adherence to human rights. These guidelines aim for transparent, fair, and accountable AI systems, promoting human well-being and environmental sustainability. Iceland actively participates in international discussions on AI, aligning policies with ethical norms while considering adaptation to local contexts (see www.stjornarradid.is/library/01--Frettatengt---myndir-og-skrar/FOR/Fylgiskjol-i-frett/08.04.21_Stefna%20%C3%8Dslands%20um%20gervigreind_loka.pdf).

Iceland’s Intellectual Property (IP) regime, like those of other EU Member States, is adapting to challenges posed by AI in patents, copyright, and trade secrets. Questions arise regarding the eligibility for protection of creative and original content by non-human entities and the appropriate allocation of relevant rights. In Iceland, the Icelandic Intellectual Property Office (ISIPO) is a government agency responsible for issues relating to various IP rights, ensuring compliance with laws, regulations, and international agreements on the protection of intellectual property rights in the field of industry.

In Iceland, the essence of IP law is to ensure creators are compensated for their work, encouraging creativity and benefiting society. Icelandic copyright emphasises both economic rights, allowing creators to profit from their work, and moral rights, protecting creators’ personal connections to their creations. This legal framework aims to foster innovation, respect creators’ efforts and promote cultural development.

Although Iceland has a solid foundation for protecting traditional IP forms, such as patents, trademarks, and copyrights, the emergence of AI introduces complexities regarding the ownership and legal protection of AI-generated content. The implementation of Directive (EU) 2019/790, aimed at modernising copyright laws for the digital era and promoting innovation and exchange within the EU digital market, is pending in Iceland as it seeks to integrate this directive in line with the EEA Agreement. This directive aims to ensure fair remuneration for authors and creators, foster innovation, and enhance the availability and cross-border exchange of works in the EU digital market. This step reflects Iceland’s ongoing effort to adapt its legal framework to contemporary challenges while upholding the rights of creators and advancing cultural development.

Patents in Icelandic law are governed by the Icelandic Patents Act No. 17/1991. Under Article 1, a patent is granted for inventions that can be industrially applied, offering exclusive rights to exploit the invention commercially. All technical fields are eligible. However, discoveries, scientific theories, mathematical methods, artistic works, mere presentation of information, plans, rules or methods for mental activities and computer programs, are not considered patentable. As for computer programs, the Icelandic Patents Act stipulates that only those programs which are merely representations of mental activity and lack technical features are excluded from being considered patentable inventions. Computer programs that are essential to a specific production process and involve technical features may be patentable if they meet other necessary conditions. Iceland’s legislation on the patentability of computer software aligns with the Nordics and EU.

Iceland’s copyright regime is contained in the Icelandic Copyright Act No. 73/1972. According to Article 1, authors of literary or artistic works have copyright, granting them exclusive rights within specified legal limits. Literature and artistic works include spoken and written language, stage works, compositions, art, architecture, films, photography, applied art and other corresponding arts, in whatever way and in whatever form the work appears. Plans, drawings, models, and other such data, which provide information on issues or clarify them, are protected in the same way as literary works. The same applies to computer programs.

It shall be noted that the EU Directive 2019/790 on copyright and related rights in the Digital Single Market (“DSM Directive”) has not yet been incorporated into the EEA Agreement and thus not implemented into Icelandic law. The Icelandic copyright law is still adapting to challenges posed by AI, and it has in most cases yet to be amended to address such challenges. The Icelandic Copyright Act does not for instance, specifically address exceptions and limitations of copyright for text and data mining, such as the DSM Directive does. Further, the Icelandic Copyright Act does not provide for general fair use or general fair dealing exceptions. It shall be noted that the DSM Directive has been approved by the EEA Joint Committee and it can therefore be expected that the act will be incorporated into the EEA Agreement in the near future (see www.efta.int/eea-lex/32019l0790), after which the act will ultimately be implemented into Icelandic law.

The ISIPO has not yet published any guidelines on copyright and AI.

The Icelandic Act on Trade Secrets No. 131/2020 implemented Directive (EU) 2016/943 on the protection of undiscovered know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. 

The Icelandic Act on Trade Secrets comprehensively provides for trade secrets and legal remedies for their protection. Trade secret protection is very relevant for technology companies, as their value is often intangible, and behind it is an abundance of ingenuity and secrecy. It is common that everyone involved with the relevant companies signs special declarations of confidentiality. 

Under the Icelandic Act, there are three criteria for information to be considered trade secrets. Information that:

• is a secret in the sense that it is not generally known or easily accessible among members of groups that normally deal with the type of information in question;
• has commercial value because it is a secret; or
• a person or legal entity is legally in control of and has taken reasonable measures depending on the circumstances to keep it a secret.

Under the Icelandic Act, the legal remedies for the protection of trade secrets are: 

• injunction;
• measures by a national court;
• compensation for financial loss;
• compensatory damages; and
• penalties and daily fines.

As at the date of writing, there have been no cases in Iceland where the courts have assessed whether or not AI has disclosed trade secrets as part of any machine generated outputs.

As of now, there have been no cases in Iceland involving the interaction between IP and AI.

Enjoying the right to privacy concerning one’s private life, e.g. with regard to the treatment of personal data, is considered a basic human right in Iceland. It is protected under the Icelandic Constitution and also in human rights conventions. 

At domestic level, personal data is covered by a comprehensive set of rules under the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018. This Act is intended to promote handling of personal data in accordance with the basic principles and rules of personal data protection and the right to privacy. The Act is also intended to ensure the reliability and quality of such information and its free flow within the single market of the European Economic Area (EEA).

The Icelandic Act No. 90/2018 was enacted to implement the provisions of Regulation (EU) 2016/679 (GDPR). A special authority in Iceland, The Data Protection Authority, monitors the implementation of the GDPR, Act No. 90/2018 and rules laid down pursuant to it.

The idea that data collections should be accessible as public goods is widely recognised. Neighbouring countries to Iceland have already seen the benefits of making public data available, including improved services, increased transparency, and better decision-making. Open data enhances scientific research, environmental protection, societal benefits, and economic value creation. Data is deemed open when free of legal restrictions, authorised for use and modification, and made digitally accessible in a common format, fostering research and innovation across various sectors.

Iceland has been actively working towards enhancing the accessibility and reuse of open data through legislative efforts and proposals aimed at aligning with European Union standards. The Icelandic Act No. 45/2018 on the Reuse of Public Information, which came into effect on 26 May 2018, marked a significant step towards promoting open data in Iceland. This Act was designed to increase the reuse of public information for the benefit of society, encouraging innovation and economic development by making public sector information more accessible for use and reuse by private entities, under conditions that ensure compliance with existing laws, including intellectual property and privacy regulations.

Following the EU’s adoption of Directive 2019/1024 on open data and the reuse of public sector information in June 2019, Iceland has initiated efforts to further align its national legislation with this Directive. An Icelandic bill (1621/154 lög í heild: endurnot opinberra upplýsinga | Þingtíðindi | Alþingi (www.althingi.is/altext/154/s/1621.html)) which has recently been passed, updates the existing framework established by Act No. 45/2018, directly addressing the requirements and standards set forth by the EU Directive. This bill aims to enhance the utilisation of data collected by public entities by establishing minimum rules for data sharing, promoting the economic, societal, and environmental benefits of open data. The bill reflects Iceland’s commitment to adopting the principles of the EU Directive, focusing on making valuable datasets available without charge and with minimal legal and technical restrictions. It emphasises the importance of providing access through Application Programming Interfaces (APIs) and highlights the need for timely availability of dynamic data. By passing these amendments, Iceland demonstrates its ongoing efforts to promote open data, encouraging the development of a digital economy that supports innovation, transparency, and public engagement.

Compared to other European countries, Iceland is significantly lacking in supply on open data, ranking at the bottom alongside Liechtenstein. For small countries like Iceland, which may not have as extensive data resources as larger nations, collaboration with other countries is crucial. The Nordic Council of Ministers on Digitalisation’s issuance of the Digital North 2.0 declaration, which aligns with their “Our Vision 2030”, underscores the importance of such cooperation. 

As part of Iceland’s Action Plan for the Fourth Industrial Revolution from May 2020, it was decided that all data collected with public funds should be open and free, provided it does not conflict with privacy and national security concerns (see www.stjornarradid.is/library/04-Raduneytin/ForsAetisraduneytid/A%C3%B0ger%C3%B0aa%CC%81%C3%A6tlun%20um%20fjo%CC%81r%C3%B0u%20i%C3%B0nbyltinguna.pdf). In the context of Iceland, although the decision of the joint committee has approved the adoption of Directive (EU) 2019/1024, it has not yet entered into force (see gagnagrunnur.ees.is/32019l1024). This situation means that while Iceland is moving towards the EU’s standards for open data and the reuse of public sector information, there is still work to be done to fully implement the directive’s requirements into national law. 

Biometric data, including voice data and facial recognition data, is subject to the Icelandic Data Protection Act No. 90/2018, which aligns with GDPR. Due to its sensitive and personal nature, biometric data is classified as a special category of personal data, “sensitive personal data”, under the Icelandic Data Protection Act.

The processing of sensitive personal data, including biometric data, such as facial recognition and voice data, is generally prohibited unless it meets one of the conditions outlined in Articles 9 and 11 of the Act. 

The goal of the Icelandic AI policy is to make sure Iceland has a strong and shared ethical foundation for the development and utilisation of AI, based on good knowledge of the technology and the security challenges it entails. In order to achieve this, human rights must always be a guiding light in the development, implementation, and use of AI (see www.stjornarradid.is/library/01--Frettatengt---myndir-og-skrar/FOR/Fylgiskjol-i-frett/08.04.21_Stefna%20%C3%8Dslands%20um%20gervigreind_loka.pdf).

Article 65 of the Icelandic Constitution is the foundation for Icelandic law on prohibition of discriminatory practices. There it is stated that everyone shall be equal before the law and enjoy human rights irrespective of sex, religion, opinion, national origin, race, colour, property, birth, or other status.

Iceland has implemented Act No. 150/2020 on Equal Status and Equal Rights Irrespective of Gender. It focuses on fostering gender equality, promoting equal opportunities, and ensuring that individuals — regardless of gender — can fully benefit from their initiatives and skill development.

Further, Iceland has implemented Act No. 85/2018 on Equal Treatment of individuals with the aim to combat discrimination and establish and maintain equal treatment of individuals regardless of race, national origin, religion, outlook on life, disability, age, sexuality, gender identity, gender characteristics or gender expression in all areas of society, outside of the labour market. The Icelandic Act No. 86/2018 focuses on establishing and maintaining equal treatment of individuals on the labour market regardless of race, national origin, religion, outlook on life, disability, age, sexuality, gender identity, gender characteristics or gender expression. In addition, there are various provisions in other Icelandic legislation that have the goal of promoting equal treatment in society.

It should be noted that Iceland has ratified international agreements intended to promote equal treatment in society. These include the European Convention on Human Rights, the United Nations International Covenant on Civil and Political Rights, the United Nations International Covenant on Economic, Social and Cultural Rights and the European Social Charter. 

In the evolving landscape of internet security, Iceland has taken proactive steps to fortify its cyber defences. Internet security and cybersecurity have been a focus in Icelandic politics, with authorities adapting to changing needs and emphasising efforts in this field (see www.stjornarradid.is/library/04-Raduneytin/ForsAetisraduneytid/A%C3%B0ger%C3%B0aa%CC%81%C3%A6tlun%20um%20fjo%CC%81r%C3%B0u%20i%C3%B0nbyltinguna.pdf). Government ministries, in collaboration with various stakeholders such as universities, businesses, and Nordic partners, have assessed and enhanced cybersecurity in Iceland. In 2017, Oxford University was hired to conduct a comprehensive assessment, shedding light on the strengths and weaknesses of Iceland’s cybersecurity framework.

The subsequent report from Oxford University outlined 120 recommendations for improvement, prompting a shared responsibility among relevant agencies. The assessment also highlighted Iceland’s clear legal framework but underscored the need for improved cybersecurity education. Consequently, in February 2022, Iceland established and published the Icelandic National Cybersecurity Strategy 2022-2037 (“the Cybersecurity Strategy”). In the Cybersecurity Strategy, one can find the government’s vision and objectives regarding the state of cybersecurity in Icelandic society, along with indicators and emphases related to achieving defined objectives. The Cybersecurity Strategy articulates Iceland’s vision for a secure online environment, emphasising reliable cybersecurity and law enforcement, active cooperation, national and international, and comprehensive legislation that supports innovation and progress in Internet service (see www.stjornarradid.is/library/04-Raduneytin/ForsAetisraduneytid/A%C3%B0ger%C3%B0aa%CC%81%C3%A6tlun%20um%20fjo%CC%81r%C3%B0u%20i%C3%B0nbyltinguna.pdf).

Iceland’s cybersecurity strategy emphasises two main goals: enhancing cybersecurity skills and creating a secure online environment. The first goal aims to boost public awareness and expertise in cybersecurity through education, research, and international collaboration. This includes employing advanced technology and global partnerships to better prevent and mitigate cyberthreats. The second goal focuses on establishing a safe internet space by strengthening legal measures, aligning laws with global standards, and prioritising the protection of children online. It also involves improving the security and resilience of critical infrastructures.

Oxford University undertook a comprehensive assessment of Iceland’s cybersecurity using a model featuring five dimensions: Cybersecurity Policy and Strategy, Cyber Culture and Society, Cybersecurity Education, Training and Skills, Legal and Regulatory Framework, and Standards, Organisations, and Technologies. While the assessment identified a relatively clear legal framework, it underscored the necessity for cybersecurity laws specifically targeting the security of network and information systems within critical infrastructure. Iceland responded inter alia by enacting Act No. 78/2019 (implementing the NIS Directive), aimed at promoting the security and resilience of these systems (see www.stjornarradid.is/library/04-Raduneytin/ForsAetisraduneytid/A%C3%B0ger%C3%B0aa%CC%81%C3%A6tlun%20um%20fjo%CC%81r%C3%B0u%20i%C3%B0nbyltinguna.pdf).

Article 7 of Act No. 78/2019 stipulates minimum requirements for risk management and preparedness. It mandates the creation of documented policies and processes for assessing, managing, and reducing risks to network and information system security, including from rare but serious incidents. Essential practices include security policies, regular risk assessments, and continuous evaluation of security measures covering both technical and organisational areas. Access control and regular testing according to international best practices are required. Critical infrastructures also need comprehensive contingency and operational plans to mitigate damage during disruptions, detailing work processes, incident response and recording, alongside an active internal control system that complies with relevant laws for key operations.

Looking ahead, a strategy for network and information security has also been formulated until the year 2026. Cybersecurity responsibilities are distributed among four ministries, each overseeing specific aspects. The Cyber Security Council, formed in 2015, supervises policy implementation and disseminates information, reinforcing inter-ministerial coordination.

The CERT-IS cybersecurity team, under the Electronic Communications Office, coordinates responses to serious incidents affecting critical infrastructure. Recognising the vital role of education, the Ministry of Education is also actively involved in cybersecurity initiatives.

In Iceland’s Action Plan for the Fourth Industrial Revolution from May 2020, the focus is on sharpening cybersecurity management for clear policies and guaranteed implementation. To enhance coordination, ministries must strengthen ties for clearer responsibilities. Increasing the powers of the Cyber Security Council is deemed essential for heightened preventive measures, and efforts are underway to broaden the role of the cybersecurity force beyond telecommunications companies (see www.stjornarradid.is/library/04-Raduneytin/ForsAetisraduneytid/A%C3%B0ger%C3%B0aa%CC%81%C3%A6tlun%20um%20fjo%CC%81r%C3%B0u%20i%C3%B0nbyltinguna.pdf).

Iceland stands out in various fields, such as the seafood industry, ocean sciences, geosciences, health sciences, and biotechnology, among others, presenting unique opportunities to build on this distinctiveness. In Iceland, it’s considered important that Icelandic companies are encouraged and supported in the development and implementation of AI technology, on appropriate terms.

The Icelandic government acknowledges that most AI technology used is likely to come from abroad. However, the country aims to establish a strong foundation for domestic research to adapt these technologies to Icelandic needs and conditions. This includes addressing specific challenges such as incorporating the Icelandic language into AI technologies and overcoming the issue of data shortage due to the country’s small population size. Iceland plans to develop custom solutions through applied basic research driven by the needs of the business sector, facilitating the transfer of technology and ideas into practical applications. This approach is particularly important for Iceland’s economy, dominated by small and medium-sized enterprises, which may lack the resources for extensive specialisation and investment in new technologies (see www.stjornarradid.is/library/01--Frettatengt---myndir-og-skrar/FOR/Fylgiskjol-i-frett/08.04.21_Stefna%20%C3%8Dslands%20um%20gervigreind_loka.pdf).

Antitrust issues concerning AI in Iceland largely revolve around ensuring that the development and deployment of AI technologies do not lead to unfair market practices or concentrations of market power that could stifle competition. Given the data-driven nature of AI, there’s a risk that companies with access to vast amounts of data could dominate certain markets, making it hard for smaller players to compete. 

However, as of today, no decision by the national competition authorities or courts addresses AI-related issues in this regard.

No domestic competition rules or regulations specifically addressing AI exist in Iceland. However, the Icelandic AI policy’s second pillar is to promote the competitiveness of Iceland’s private sector. The policy suggests methods for supporting and incentivising increased digitisation of industry. AI technologies can enable solutions to complex problems that have previously been uneconomical to solve using manpower in countries with a low population, such as in Iceland. It is acknowledged in the policy that by using AI, Iceland’s contribution can increase, for example in the field of energy, health care, food cultivation and climate. 

In the AI policy, Iceland’s position in the world of AI is explained and the main opportunities and challenges associated with the technology of AI are discussed. The policy is intended to maximise social and economic benefits from AI and minimise costs and risks. Responsible authorities must ensure that the technological revolution benefits as many people as possible and that value does not accumulate in the hands of a few.

Currently there is no proposed legislation in Iceland that solely regards artificial intelligence. However, there is a bill in progress to amend the Icelandic Copyright Act, No. 73/1972 (artificial intelligence and automatic data analysis). The bill proposes the following be added to Article 2 of the copyright law: “Reproduction of a person that can be assumed to be real, whether it is a picture, video, sound recording or other material, is not permitted without the consent of the person concerned and his descendants if the person is deceased”. The bill mainly addresses so-called deepfakes as there has been a huge development in the production of all kinds of content in recent months, with the introduction of powerful digital neural networks that create text, sound and images where it is very difficult to distinguish whether they have been produced by a human or a computer. Deepfakes are already used for political purposes. It is therefore important that it is clear in the law that such reproductions are not permitted without the permission of the person from whom the reproduction is made. It is also vital that all restorations be specifically marked as such, so that there is no doubt that it is a restoration. The proposed bill went to the General and Education Committee on 2 February 2024.

Additionally, as previously mentioned, an amendment bill on Icelandic Act on the Reuse of Public Information No. 45/2018 is in the works. That bill aims to refine the legal framework, aligning it with EU Directive standards. It focuses on improving public data use by setting basic sharing rules and highlighting open data’s economic, social, and environmental perks. This showcases Iceland’s dedication to open data principles, fostering a digital economy geared towards innovation, transparency, and community involvement.

Furthermore, it is also worth mentioning that the Icelandic General Penal Code No. 19/1940 was recently amended in relation to sexual privacy. A new Article 119A has been added, stating that anyone who creates, obtains for themselves or others, distributes, or publishes images, texts, or similar materials, including falsified content, depicting another person’s nudity or sexual behaviour without their consent is subject to fines or imprisonment for up to four years. This provision explicitly prohibits the falsification of content depicting another person’s nudity or sexual behaviour. This amendment is a crucial update to the general criminal law, reflecting technological advancements that have made it easier to create convincing fake content, such as deep fakes. By addressing these issues, the legislation aims to protect individuals’ sexual privacy in an era where such violations have become increasingly commonplace.

Finally, it should be noted that Iceland, as a member of the EEA, will implement the AI Act accordingly.

As previously mentioned, Iceland has established a strategy for artificial intelligence. The goal of the AI strategy is to ensure that Iceland has a strong and shared ethical foundation for the development and utilisation of AI, based on a solid understanding of the technology and the security challenges associated with it. To achieve this, the following conditions must be met: residents of the country need to be prepared to act in an environment where AI is utilised; the pillars of democracy must be strong; human rights must always be the guiding principle in the development, implementation, and use of AI; and technical challenges related to AI, especially those concerning security, must be carefully addressed.

Iceland’s April 2021 artificial intelligence strategy is structured into four key sections. Initially, it defines AI and its socio-economic impact, clarifying its capabilities and limitations. The second section delves into ethical, social, and legal considerations of AI within the Icelandic context, identifying crucial challenges to tackle. The third section evaluates Iceland’s global AI standing, detailing opportunities and government policies that align with the strategy’s objectives, assuming these initiatives are executed fully. The final section prioritises short-term (one to three years) strategic focuses.

The strategy is built on three main pillars: ensuring AI benefits all through ethical development and usage frameworks; supporting competitive business by aiding digital transformation in the public sector with a focus on digital skills and technology transfer; and modernising education to foster ethical AI use and development, emphasising literacy, specialisation, increasing the number of people educated in technology, and the possibilities of using AI in teaching.

The AI strategy is accessible here: www.stjornarradid.is/library/01--Frettatengt---myndir-og-skrar/FOR/Fylgiskjol-i-frett/Stefna%20%c3%8dslands%20um%20gervigreind.

8.1. Can I use personal data for AI training purposes?

According to Icelandic law, it is not expressly prohibited to use personal data to train an AI model/application. However, any such processing of personal data needs to be in line with the data protection Acts and their principles. There needs to be a legal basis for the processing, such as explicit consent from the data subjects, and the data subjects need to be informed of any such processing and its purpose. In addition, the appropriate organisational and technical measures need to be in place in order to protect the personal data. Usually, a Data Protection Impact Assessment (DPIA) is necessary before carrying out such processing.

8.2. How do we know if our AI training methods are in line with the law?

As there is no legislation specifically on AI in Iceland (yet), it can be helpful to scrutinise sector specific legislation as applicable, in addition to data protection, equality and anti-discrimination laws. Performing an impact assessment based on the applicable laws can provide an important overview of possible risks and help to mitigate potential harms with the appropriate measures. This can also be crucial once the AI regulation enters into force as it can provide the necessary overview of the AI model in question and its possible risks, going forward. 

Lára Herborg was assisted by LEX associates Auður Lára Bjarnfreðsdóttir and Svava Sól Matthíasdóttir.