Implementation of EU legislation in Iceland
Iceland, through its membership in the European Free Trade Association (EFTA), is a party to the EEA Agreement, an agreement between the EU member states and Iceland, Norway and Liechtenstein, which entered into force on 1 January 1994. The EEA Agreement’s aim is to create a single market between these states by including EU legislation covering the four freedoms and certain other areas in the EEA Agreement. Thus, EU legislation with EEA relevance shall generally be incorporated into the EEA Agreement and interpreted and applied uniformly in the EEA.
In order for any EU legislation with EEA relevance to be implemented and applied in Iceland, the legislation in question must first be incorporated in the EEA Agreement by means of a decision by the EEA Joint Committee. The legislation can thereafter be implemented into Icelandic law by the Icelandic parliament.
The GDPR and ePrivacy Directive
In accordance with the procedure described above, Iceland has implemented both the General Data Protection Regulation (GDPR) and the ePrivacy Directive into Icelandic law. The GDPR was incorporated into the EEA Agreement by the EEA Joint Committee’s decision No 154/2018 on 6 July 2018 and implemented into Icelandic law by the Act on Data Protection and the Processing of Personal Data No 90/2018 (Icelandic Data Protection Act), which entered into force on 15 July 2018. The ePrivacy Directive was incorporated into the EEA Agreement by the EEA Joint Committee’s decision No 80/2003 on 20 June 2003 and subsequently implemented into Icelandic law by the Icelandic Telecommunications Act No 81/2003.
Article 5(3) of the ePrivacy Directive provides that cookies may only be stored on a user’s equipment if the user concerned is provided with information in accordance with Directive 95/46/EC (now the GDPR) and is offered to refuse such processing by the data controller. This shall however not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary for providing an information society service explicitly requested by the subscriber or user. Article 5(3) of the ePrivacy Directive was implemented into Icelandic law by Article 47(5) of the Telecommunications Act in 2007. Pursuant to the Telecommunications Act’s article, the use of equipment such as cookies is only permitted for lawful purposes and with the user’s knowledge. Furthermore, the user may object to the use of such equipment.
The Cookie Directive
Directive 2009/136/EC (also known as the “Cookie Directive”), which was adopted in 2011, included amendments to Article 5(3) of the ePrivacy Directive, which was replaced to state the following:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” [Emphasis added]
The situation in Iceland
The Cookie Directive is marked as an EEA-relevant act by the EU, which implies that it should be incorporated into the EEA Agreement. However, the EEA EFTA states did not consider it relevant for incorporation into the EEA Agreement. Its incorporation therefore has not taken place and it is to this day not a part of the EEA Agreement. As a result, the Cookie Directive, including its amendment of Article 5(3) of the ePrivacy Directive, which establishes the cookie consent requirement, has not been implemented into Icelandic law.
The fact that the Cookie Directive has not been implemented into Icelandic law is especially interesting following the implementation of the GDPR in Iceland, given the fact that Article 95 of the GDPR specifically refers to the ePrivacy Directive. In EU member states, this is a reference to the ePrivacy Directive as amended by the Cookie Directive. In Iceland however, it is a reference to the ePrivacy Directive without the Cookie Directive’s amendments, as the latter does not apply in Iceland.