Implementation of EU legislation in Iceland

Iceland, through its membership in the European Free Trade Association (EFTA), is a party to the EEA Agreement, an agreement between the EU member states and Iceland, Norway and Liechtenstein, which entered into force on 1 January 1994. The EEA Agreement’s aim is to create a single market between these states by including EU legislation covering the four freedoms and certain other areas in the EEA Agreement. Thus, EU legislation with EEA relevance shall generally be incorporated into the EEA Agreement and interpreted and applied uniformly in the EEA.

In order for any EU legislation with EEA relevance to be implemented and applied in Iceland, the legislation in question must first be incorporated in the EEA Agreement by means of a decision by the EEA Joint Committee. The legislation can thereafter be implemented into Icelandic law by the Icelandic parliament.

The GDPR and ePrivacy Directive

In accordance with the procedure described above, Iceland has implemented both the General Data Protection Regulation (GDPR) and the ePrivacy Directive into Icelandic law. The GDPR was incorporated into the EEA Agreement by the EEA Joint Committee’s decision No 154/2018 on 6 July 2018 and implemented into Icelandic law by the Act on Data Protection and the Processing of Personal Data No 90/2018 (Icelandic Data Protection Act), which entered into force on 15 July 2018. The ePrivacy Directive was incorporated into the EEA Agreement by the EEA Joint Committee’s decision No 80/2003 on 20 June 2003 and subsequently implemented into Icelandic law by the Icelandic Telecommunications Act No 81/2003.

The use of cookies can fall within the scope of both the GDPR and the ePrivacy Directive. According to Article 95 of the GDPR, the GDPR shall however not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the EU/EEA in relation to other matters for which they are subject to specific obligations with the same objective set out in the ePrivacy Directive. In other words, Article 95 of the GDPR establishes the lex specialis/lex generalis relationship between the ePrivacy Directive and the GDPR. This provision was implemented into Icelandic law by Article 5(1) of the Icelandic Data Protection Act, which states that “special provisions of other acts on the processing of personal data, adopted within the framework of the Regulation, prevail over the provisions of this Act.”

Article 5(3) of the ePrivacy Directive provides that cookies may only be stored on a user’s equipment if the user concerned is provided with information in accordance with Directive 95/46/EC (now the GDPR) and is offered the right to refuse such processing by the data controller. This shall however not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary for providing an information society service explicitly requested by the subscriber or user. Article 5(3) of the ePrivacy Directive was implemented into Icelandic law by Article 47(5) of the Telecommunications Act in 2007. Pursuant to that provision of the Telecommunications Act, the use of equipment such as cookies is only permitted for lawful purposes and with the user’s knowledge. Furthermore, the user may object to the use of such equipment.

The Cookie Directive

Directive 2009/136/EC (also known as the “Cookie Directive”), which was adopted in 2011, included amendments to Article 5(3) of the ePrivacy Directive, which was replaced to state the following:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” [Emphasis added]

As can be seen from the above, following the Cookie Directive’s entry into force, the formerly applicable opt-out mechanism for the use of cookies was replaced with an opt-in requirement. According to the Cookie Directive, cookies, other than the exceptions listed in the article’s last sentence, may only be used if the user or subscriber concerned has given his or her consent thereto.

We see website providers apply the cookie consent requirement in different forms; however, a pop-up window that appears when a website is visited for the first time and asks users to consent to the use of cookies is likely the one most commonly used.

The situation in Iceland

The Cookie Directive is marked as an EEA-relevant act by the EU, which implies that it should be incorporated into the EEA Agreement. However, the EEA EFTA states did not consider it relevant for incorporation into the EEA Agreement. Its incorporation therefore has not taken place and it is to this day not a part of the EEA Agreement. As a result, the Cookie Directive, including its amendment of Article 5(3) of the ePrivacy Directive, which establishes the cookie consent requirement, has not been implemented into Icelandic law.

The fact that the Cookie Directive has not been implemented into Icelandic law is especially interesting following the implementation of the GDPR in Iceland, given the fact that Article 95 of the GDPR specifically refers to the ePrivacy Directive. In EU member states, this is a reference to the ePrivacy Directive as amended by the Cookie Directive. In Iceland however, it is a reference to the ePrivacy Directive without the Cookie Directive’s amendments, as the latter does not apply in Iceland.

The rules of Article 47(5) of the Icelandic Telecommunications Act, which incorporated the ePrivacy Directive’s Article 5(3), therefore remain unchanged. As a result, in Iceland, unlike in EU member states, which must implement the Cookie Directive, it is not a prerequisite for placing cookies on a user’s terminal equipment that the user has given his/her consent, provided that the use of cookies falls within the scope of the Telecommunications Act. According to Icelandic law, it is sufficient that the user has received all the required information and is given a chance to refuse the use of such cookies.

It should be borne in mind that if the use of cookies includes the processing of a user’s personal data, such processing must, in addition to the Telecommunications Act, comply with the Icelandic Data Protection Act. The data controller must therefore have a legal basis for processing personal data, such as consent or legitimate interests. If a data controller is not able to use legitimate interests as a legal basis for data processing, the data controller may have to obtain the data subject’s consent, which must then fulfil the Icelandic Data Protection Act’s conditions for consent in order for the processing of personal data through the use of cookies to be lawful. According to the Icelandic Data Protection Authority, a data subject’s consent must be obtained concerning third party cookies, whereas first party cookies may be subject to consent or legitimate interests, depending on the purpose of the processing.

Conclusion

Through its participation in the EEA Agreement, Iceland, as well as the other EEA EFTA states, is generally required to implement EU legislation that has EEA relevance. In order for an EU act to be implemented into Icelandic law, the act must first be incorporated into the EEA Agreement and subsequently adopted by the Icelandic parliament. This has for example been done in the case of the ePrivacy Directive and the GDPR. The so-called Cookie Directive has however not been incorporated into the EEA Agreement, and amendments to the ePrivacy Directive made by the Cookie Directive are therefore not a part of Iceland’s legislation. As a result, unlike in the EU, it is not a condition for the use of cookies in Iceland that a user has given his or her consent for their use. It should however be borne in mind that if the use of cookies entails the processing of personal data, the data controller may have to seek the data subject’s consent, depending on the type of cookie and the purpose of the data processing.

Perhaps we can expect a more streamlined approach to the use of cookies throughout the EEA in the future, following the implementation of the anticipated ePrivacy Regulation.