Article 66 of the 1944 Constitution (as amended in 1991) provided: "The home shall be inviolate. Houses may not be searched, nor may any letters or other documents be detained and examined, except by judicial ruling or by a special provision of law."[1434] In 1995 further amendments were made to the Constitution and the personal privacy provision is now contained in Article 72.
As a member of the European Free Trade Association (EFTA), Iceland is obliged to ensure that its laws, in certain fields, are compatible with those of the European Union (EU). On January 1, 2000 the Act on the Protection of Individuals with regard to the Processing of Personal Data came into force. The Act replaces the Registration and Processing of Personal Data of 1989 (as amended) and was adopted to bring Iceland's data protection regime into compliance with the EU Data Protection Directive.[1435] It covers both automated and manual processing of personal information. It distinguishes between sensitive and non-sensitive data and includes specific restrictions on the use of video surveillance and national identification numbers. It instructs the Statistical Bureau of Iceland to maintain a registry of individuals not willing to allow the use of their names in product marketing.
The Act established a new independent Data Protection Authority (Persónuvernd or DPA) to replace the former Data Protection Commission.[1436] Persónuvernd supervises implementation of and compliance with the Act and any regulations or orders issued under it. It maintains the registry of activities and can investigate and issue rulings. It can impose fines for non-compliance and can seek criminal sanctions. The DPA is also responsible for supervising the handling of personal information in the Schengen Information System.[1437] Persónuvernd also has the authority to issue public guidelines and regulations. Over the last two years it has issued rules on consent, notification, security assessments and systematic safety measures.[1438] Since its establishment Persónuvernd has received 1,013 notifications of personal data processing, 541 of them in 2002 alone. In 2002 it handled 606 cases,[1439] of which 26 were filed sua sponte by the DPA for public interest reasons.[1440] During the same period, Persónuvernd received 283 complaints and questions from individuals, data controllers and institutions, which were resolved with either an opinion or a decision, some of them concerning bills or administrative regulations.[1441] The DPA met its goal of reducing the number of cases in 2002 compared to 2001.[1442] Persónuvernd does not expect its work to change much next year, although "greater emphasis might be laid on investigations."[1443] As of June 2002, there were eleven full-time staff.[1444] In March 2001, the Ministry of Justice issued a new regulation governing the practices of credit reporting agencies.[1445]
Every individual's identity (ID) numbers are publicly available and widely used, along with names, addresses and other personal information. For instance, day-to-day activities such as video rental are based on the personal ID numbers. This has implications for the privacy of sensitive data, whose registration is based on the same personal ID numbers, which facilitates the task of intruders and abusers of the data. The open access to personal ID numbers requires stronger privacy protections. Instead, several recent laws have been enacted that allow the creation of databases including sensitive personal information. Privacy advocates have criticized this trend, and have pointed out that the government has prioritized corporate interests over those of individuals concerned about the use of their personal data.
In December 1998, the Parliament approved the Health Sector Database Act to create a nationwide centralized database of medical records to be used for genetic research.[1446] In January 2000, the Minister of Health granted an exclusive twelve-year license to operate that database to Íslensk Erfðagreining ehf, the Icelandic subsidiary of American bio-tech company DeCode Genetics.[1447] The database will incorporate non-personally identifiable data derived from the medical records held by Iceland's health services. Patients are to be granted a right to opt-out of the database by notifying the Director General of Public Health. The database is to be used to "develop new or improved methods of achieving better health, prediction, diagnosis and treatment of disease, to seek the most economic ways of operating health services, and for making reports in the health sector." Measures to ensure security and privacy in the operation of the database must meet standards and conditions set out by the Data Protection Authority. In 2000, the Data Protection Authority issued regulations on the general security terms.[1448] It is currently evaluating the design of the database system.[1449] The government's National Bioethics Committee reviews DeCode's research protocols while the DPA strips data of all personal identifiers, encrypts all social security numbers using an algorithm, and oversees maintenance of all personalized data.[1450]
The operating company is specifically authorized to use the data in the database for financial profit and, as long as confidentiality is ensured, to link it with other databases containing genealogical or genetic data. The company is reportedly spending USD200 million over the next five years to research the country's gene-pool in order to find the genes related to common illnesses such as cancer, asthma, schizophrenia, Alzheimer's and Parkinson's diseases. According to one estimate presented at the tenth International Congress of Human Genetics in May 2001, the database will be worth approximately USD14 billion.[1451]
In 2002 the Parliament passed a bill allowing the government to issue state bonds as security for a USD200 million loan to DeCODE, showing its support of the company and its business plan, which includes the creation of the Health Sector Database. The bill is still under review by ESA, which has requested specific details, for example about the research the loan will be used to finance.
This proposal has been very controversial and is hotly debated both in Iceland and among medical and privacy experts around the world. In Iceland, the Association of Icelanders for Ethics in Science and Medicine (Mannvernd) is leading the opposition to the project. Mannvernd reports that as of June 30, 2003, 20,426 people had opted out of the database.[1452] The Icelandic Medical Association is also opposing the effort and many doctors are refusing to hand over their patients' records without consent.[1453] In April 1999 the World Medical Association supported the Icelandic Medical Association's opposition to the database,[1454] and adopted in 2002 a Declaration on Health Databases[1455] that protects patients' interests with regard to the creation of central health databases.[1456] At their annual meeting in Santiago de Compostela, Spain, in September 1998, the European Data Protection Commissioners recommended that the Icelandic authorities reconsider the project in light of the fundamental principles laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and its Recommendation (97) 5 on Medical Data, and the EU Data Protection Directive. In 1998, at the request of the Icelandic Medical Association, security expert Dr. Ross Anderson evaluated the proposed system. He concluded that the privacy and ethical implications of the proposed database were "outside the boundaries of what would be acceptable elsewhere in Europe" and advised the association to oppose its establishment.[1457]
In May 2000, the Government enacted the Act on Biobanks.[1458] This Act sets rules for the "collection, keeping, handling and utilization of biological samples from human beings" to ensure confidentiality and prohibit discrimination. The Act requires informed consent from the person for the collection of samples. However, this requirement does not apply to samples in biobanks that already exist, such as the Health Sector Database and deCODE's biobank, which is expected to be connected to the former. In certain cases, the specimens can even be used for research in spite of the donor's opposition. The Act came into force in January 2001.
In October 2000, the Commission ruled that four researchers in pharmacology and geriatrics, who had been granted a permit for a research project into Alzheimer's disease, had breached the terms of the permit by collecting the medical records of people who were not participants in the Alzheimer project. The research project was financed by, and conducted in association with, Íslensk Erfðagreining ehf.[1459]
Under the Law on Criminal Procedure, wiretapping, tape recording or photographing without consent requires a court order and must be limited to a short period of time. After the recording is complete, the target must be informed and the recordings must be destroyed after they are no longer needed.[1460] There were forty-two wiretaps authorized between 1992 and February 1996.[1461] Complaints against the orders can be submitted to the Supreme Court. A recent Supreme Court judgment allows news reporters to record telephone interviews, without first informing the interviewee. Chapter XXV of the Penal Code also penalizes violations of privacy such as violating the secrecy of letters and revealing secrets to the public.
In June 2001, Keflavik International Airport began incorporating facial recognition software, FaceIT, into its video surveillance system. A police spokesperson said that the surveillance was being used to "identify known criminals and false asylum seekers" without disturbing European citizens' rights to travel freely under the Schengen Agreement.[1462]
The Freedom of Information Act of 1996 (Upplysingalög) governs the release of documents.[1463] Under the Act, individuals (including non-residents) and legal entities have a legal right to official documents without having to show a reason for the request. There are exceptions for national security, commercial and personal information. Copyrighted material can be provided to requestors but it is then their responsibility if they republish the materials in a manner inconsistent with the copyright. Denials can be appealed to the Information Committee. There are often delays in the release of documents. Recently the government refused to release a memorandum on a court case on the grounds that it was an internal government document. The Supreme Court subsequently ordered its release, as it had previously been shown to non-official parties.
In 2003 the Parliament passed a bill on prescription databases, permitting the State Health Insurance Organization to register data from all doctors' prescriptions of medicines. The purpose of creating such a database is to prevent abuse of prescription drugs and to give an overview of the nation's drug consumption. Access to personal data will be controlled by the Director of Public Health. As a result of the opposition to the draft bill by the Data Protection Authority, the bill was modified to implement encryption measures to protect the personal data. Mannvernd pointed out that the Director of Public Health had no need to have access to information about most of the medicines and prescriptions covered by the Act, since there was no potential of abuse or threat to the health of the population, and that the collection of sensitive information by the State Health Insurance Organization would compromise the integrity of that establishment, thereby endangering the trust of its clients. Mannvernd additionally argued that there was a danger that the database could be used later for purposes different from the original ones, as this had already been the case in the past. It therefore recommended that sensitive information only be collected in case of absolute necessity.
Iceland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1464] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1465] In November 2001, it signed, but has not ratified, the CoE Convention on Cybercrime (ETS No. 185).[1466] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.