Iceland - Octopus Cybercrime Community

Back Iceland

Status regarding Budapest Convention

Status : Party See legal profile

Cybercrime policies/strategies

The Ministry of Interior of Iceland published in 2015 the Icelandic National Cyber Security Strategy for 2015 – 2026 together with the Plan of action for the 2015 – 2018 period. The main strategy aims are:

1. Capacity building - Increased capacity to prevent and respond to cyber security threats

2. Increased resilience

3. Improved legislation in line with international commitments

4. Tackling cybercime / reliable law enforcement as regards cyber security: which aims for the police to have, or have access to, the professional knowledge, skills and equipment needed to resolve issues concerning cyber crime.

A Cybersecurity Capacity Review Undertaken by the Global Cyber Security Capacity Centre, University of Oxford provides 6 recommendations related to the 2015-2026 National Cyber Security Strategy:

Explicit links to national risks, priorities, objectives, business development, raising awareness, mitigating cybercrime, and protecting critical infrastructure;
Encourage promotion and implementation of the strategy across government and other sectors;
Discrete cybersecurity line item in the budget to allocate/manage resources;
Conduct regular simulations and exercises that provide picture of national cyber resilience;
Collect and evaluate relevant metrics, monitoring processes, and data;
Include provision for protection against insider threats.

The same study provides 16 detailed recommendations for the Legal and Regulatory Framework dimension.

Cybercrime legislation

State of cybercrime legislation

Although there is no specific law on cybercrime in Iceland, the country ratified in 2007 the Budapest Convention on cybercrime whose provisions are consistently implemented into domestic legislation. (Source:Cybersecurity Capacity Review)

Both substantive and procedural criminal law framework of Iceland, as amended by the General Penal Code, No. 19/1940 (and related amendments), the Act on Criminal Procedures and the Telecommunications Act of 2006 is largely in line with the Convention requirements.

Act on the Post and Telecom Administration, No. 69, 24 March 2003 amended by Act No 172/2006 of 20 December 2006 is intended to fully implement into national legislation the Budapest Convention on Cybercrime.

Substantive law

General Penal Code, No. 19/1940 contains substantive cybercrime legal provisions since its amendment in 1998, in addition to latter amendments to the GPC and the Act on Criminal Procedures which are related to the implementation of the BC (Source: Cybersecurity Capacity Review )

General Penal Code, No. 19/1940 criminalizes the following offences:

Article 158: Misrepresentation and use of information and data stored in machine-readable form;
Article 228: Unlawfully obtaining access to other persons' data or programs stored in a machine-readable format;
Article 249a: Unlawfully modifying, adding to or destroying computer software, or data or programs stored in machine-readable form, or taking other measures designed to influence the outcome of computer processing;
Article 257; Sending, altering, adding to, deleting or destroying in some other way, without authorisation, data or programs that are stored in machine-readable form and are intended for use in computer processing.
Article 210

Specific legislation on child online protection has been enacted through:

General Penal Code, No. 19/1940 Article 210 bans the production, distribution, and possession of child pornography of the criminal Code

Act on the Monitoring of Children’s Access to Films and Computer Games Article 1(5)

Electronic Communications Act No. 81, 26 March 2003 Applies to electronic communications, electronic communications service and electronic communications network and aims to ensure cost-efficient and secure electronic communications.

Procedural law

The Act on Collection of Evidence Relating to Alleged Violations of Intellectual Property Rights, No. 53/2006 contains comprehensive provisions for the investigation of cybercrime and evidentiary requirements, e.g. for electronic evidence (Article 4, 12) and cases have been brought to Court.

The Act on Criminal Procedures allows for requesting electronic information from ISPs for the purpose of an investigation (Article 70)

Related laws and regulations

Information Act No. 140/2012 - Government of Iceland

Act no. 90/2018 on Data Protection and the Processing of Personal Data

Act on the Monitoring of Children’s Access to Films and Computer Games

Specialised institutions

Ministry of Justice, National Commissioner of the Icelandic Police: The main functions of the Office of the National Commissioner of Police include handling international contacts in the field of law enforcement.

Ministry of Justice - Department of Public Security and Criminal Justice: The department is responsible for public administration in major areas of the justice system, i.e. policing, public prosecution and enforcement of sentences, and public safety, including civil protection and search-and-rescue operations. Its Functions and principal tasks include handling Organised crime, International legal assistance in criminal cases, including letters rogatory and extradition and Monitoring, cybersecurity and protection of key social infrastructure

Director of Public Prosecutions handles international relations on behalf of the prosecution authority as well as requests on legal assistance from authorities in other countries and cases regarding a demand for the extradition/delivery of foreign and Icelandic citizens

Post and Telecom Administration (PTA) is responsible for the administration of electronic communications and postal affairs in Iceland.

CERT-IS

The Icelandic Data Protection Authority