Iceland

Summary

Iceland is an EEA member but NOT an EU member state; EU regulations and directives are not directly applicable and require separate EEA Joint Committee incorporation and Althingi (parliamentary) adoption. General Penal Code No. 19/1940 art. 228 criminalises unlawful access to data or programs in machine-readable form by using another's credentials or circumventing a technical protection; public pages without technical barriers carry no criminal risk. The sui generis database right (Dir. 96/9/EC) has been incorporated into the EEA Agreement and implemented in Icelandic copyright law (Höfundalög, Act No. 73/1972 as amended); database protection is operative. GDPR applies through Act No. 90/2018 on Data Protection (Persónuvernd is the supervisory authority). The DSM Directive (2019/790) — which introduces TDM exceptions with a machine-readable commercial opt-out — was approved by the EEA Joint Committee on 8 December 2023, but as of May 2026 Iceland has not yet notified completion of its constitutional requirements, and no enacted Althingi amendment to the Höfundalög implementing DSM Arts. 3-4 has been identified. A deepfake/AI-reproduction bill reached the Althingi General and Education Committee in February 2024 but this addresses reproductions of persons, not TDM. Until the implementing Höfundalög amendments are enacted, Iceland lacks a statutory TDM exception with commercial opt-out mechanism; commercial TDM relies only on pre-existing closed-list exceptions or contractual permissions, and commercial risk is higher than in EU member states. The EU AI Act's EEA incorporation had not been confirmed as of May 2026. Posture: treat Iceland as pre-TDM-exception for commercial crawling purposes until Höfundalög DSM amendments are enacted.