What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Legal Majority Act no. 71/1997 provides that a person under the age of 18 is a minor for the purposes of Icelandic law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC Act no. 19/2013 incorporated the UNCRC into Icelandic law. Therefore, the rights set out in the UNCRC can be directly relied upon by children before domestic courts.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children is established by the Ombudsman for Children Act no. 83/1994.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The Ombudsman for Children is responsible for the promotion of the rights and welfare of children and promoting awareness of the UNCRC rights and principles, amongst other things.
The Ombudsman can make suggestions for improvements or bring attention to shortcomings in relation to children’s rights. He has the power to collect all relevant information from authorities, individuals and legal entities.
Although not clearly stipulated in the Act, the Ombudsman has interpreted its responsibility as also covering children’s rights in the digital world.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
No national law requirements in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
(13 for digital services)
Children under the age of 18 cannot give their consent to the processing of their personal data under Article 6(1)(a) GDPR. This has been confirmed in practice, and it is also stipulated in the draft for the Icelandic Personal Data Protection Act no. 90/2018. However, the age of digital consent for the purposes of Article 8(1) GDPR is an exception to this general rule. In these circumstances, the age of consent is 13 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
No.
No national law requirements beyond those set out in Article 8(2) of the GDPR; see more information on the GDPR-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
No national law requirements beyond those set out in Article 12(1) of the GDPR; see more information on the GDPR-level requirements here.
However, this requirement is interpreted by the Icelandic Data Protection Authority (the DPA), along with the Ombudsman and the Media Committee, in their guidance on processing children’s data (Protection of children in the digital world – instructions for controllers, hereafter referred to as the Guidance).
The Guidance states that, when processing children's data, it is important to offer transparency both to the child and to their parents. For the child, the text needs to be clear, short and comprehensive. Language barriers should be kept in mind, and the information should be available to the child in a language understood by the child.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
The Icelandic Data Protection Authority (the DPA) and the Ombudsman and the Media Committee’s guidance on processing children’s data (Protection of children in the digital world – instructions for controllers) states that a child may exercise their rights on their own behalf, if they have the capacity to do so, considering their age and maturity. This was also confirmed in the DPA’s case no. 2014/656.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Children can exercise their rights directly if they have the capacity to do so, considering their age and maturity. That includes making complaints to the Icelandic Data Protection Authority.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard, but requirements arise from the Icelandic Data Protection Authority’s instructions and from the guidance on processing children’s data (Protection of children in the digital world) issued by the Authority together with the Ombudsman and the Media Committee. The following are non-exhaustive examples of such requirements.
a) processing specific types of children’s personal data
Data on children’s location should not be processed unless it is necessary, considering what is best for the child. When publishing photos of children on the Internet, any information on location should be removed.
b) carrying out specific processing activities involving children’s personal data;
Schools and after-school centres should not use mainstream social media, like Facebook, as a platform for processing children’s data.
c) using children’s personal data for specific purposes
Organisations need to show extra caution when processing children’s data for marketing purposes or other purposes that are based on legitimate interests.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The following cases concluded with orders from the Icelandic Data Protection Authority (DPA) for certain measures within a set timeframe:
- Case no. 202210805 regarding an investigation by the Minister of social affairs on treatment homes. The DPA commanded that the ministry remove the report of the investigation from their website within one month from the publishing of the decision.
- Case no. 2020010402 regarding electronic monitoring around a school and a preschool in the municipality Hafnarfjörður. The DPA ordered that the municipality notify the children’s parents of the processing within 19 days of the publication of its decision.
- Case no. 2020010647 regarding a preschool’s processing and transmission of data on a child. The transparency requirement was not fulfilled. The DPA ordered that proof of improvements be submitted within one month of the decision.
- Case no. 2022061098 regarding a preschool’s processing of data on a child’s behaviour. The transparency requirements were not fulfilled. The DPA ordered that the preschool erase the data on the child’s behaviour within one month.
- Case no. 2020010730. Transparency requirements not fulfilled. The DPA ordered improvements be made within a month.
- Case no. 2018/839 regarding transmission of sensitive data of children to the media. The DPA held that there was no lawful basis for such processing and ordered improvements be made.
- Case no. 2006/135 regarding a school’s use of students’ attendance data for deciding on whether a child could buy a ticket for a dance. The DPA held that there was no lawful basis for such processing and ordered that improvements be made and written proof of such improvements be provided within a month.
- Case no. 2014/1365 regarding a questionnaire about children’s feelings put forward in connection with mandatory coordinated national exams. The DPA held that there was no lawful basis for the processing and ordered the erasure of the children’s answers.
- Case no. 2017/1566 involving a security breach at a high school. The DPA ordered that improvements be made with regard to the processor’s security measures.
The following cases concluded with the DPA imposing fines:
- Case no. 2021071520 regarding electronic monitoring (camera surveillance) of an arena. Fine of ISK 3.5 million.
- Case no. 2020010355 regarding a security breach in a system used by schools and preschools. Fine of ISK 3.5 million.
- Case no. 2021040879 regarding the processing of children’s personal data through an online platform. The privacy impact assessment and the processing contract were not sufficient, and transparency and the security measures were insufficient. The grounds for the processing were lacking and data was transmitted outside the EEA. Furthermore, the processing did not align with GDPR’s principles. One processor was fined ISK 5 million and the other processor was fined ISK 4 million. The decision regarding the first processor was appealed to the District Court, which annulled the decision due to inadequate procedures of the DPA. That ruling has now been appealed to the Supreme Court.
- Case no. 2020010382 regarding a security breach at a high school, where a teacher accidentally emailed personal data about one student to other students and their parents. Fine of ISK 1.3 million.
- Case no. 2020010545 regarding electronic monitoring (camera surveillance) at a workplace. The employees were mainly minors. Fine of ISK 5 million.
- Case no. 2022020414 regarding a municipality’s use of an online search engine for elementary schools. Fine of ISK 3 million.
- Case no. 2022020416 regarding a municipality’s use of an online search engine for elementary schools. Fine of ISK 2.5 million.
- Case no. 2022020418 regarding a company’s use of an online platform for elementary schools. Fine of ISK 2.5 million.
- Case no. 2022020415. Same as the above. Fine of ISK 2.8 million.
- Case no. 2022020363. Same as the above. Fine of ISK 2 million.
Are there specific rules concerning electronic direct marketing to children?
Yes.
According to regulation no. 160/2009, it is considered intrusive marketing to market products or services to children, and therefore such marketing is prohibited, as using children to influence their parents to buy products is considered to be intrusive.
Although marketing towards children in this manner is prohibited, this does not mean that children cannot be exposed to marketing materials. Where children are likely to encounter marketing materials, it is important that such materials consider their limited understanding and naivety. Where unsolicited marketing to any person is carried out through the sending of electronic mail (i.e. any text, voice, sound or image message, including SMS text messages), the Icelandic Act on telecommunication no. 70/2022 applies to such communications. The Act transposes the ePrivacy Directive into Icelandic law, which requires the consent of the individual recipient, with some strictly applied exceptions. Children cannot give consent and therefore the consent must be acquired from their parents.
The Consumer Agency has instructed advertisers not to send direct marketing material to children, but rather to their parents, who can then decide on whether the children should be exposed to the material.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
There are no national-specific laws in this regard. Nevertheless, extra caution should be taken when the data subjects are children. The Icelandic Data Protection Authority and the Ombudsman and the Media Committee’s guidance on processing children’s data (Protection of children in the digital world) says that the processing must meet the requirements laid out in GDPR. The controller’s obligation to inform the data subject is especially important when profiling. Controllers must also notify the data subject of the profiling and the impact it may have on them. When the data subjects are children, it is important that this information is presented in a way that is clear and comprehensible, taking into account their age and maturity.
Are there specific rules concerning online contextual advertising to children?
No.
No national law requirements.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Decision no. 58/2011 of the Consumer Agency. An advertisement for a children’s movie was directed at children. The advertisement was banned.
Decision no. 15/2005 of the Consumer Agency. Advertisement where a child was portrayed in dangerous scenarios was banned.
Decision no. 5/2021 of the Media Committee. The National Public Broadcaster (RÚV) broadcast an advertisement while an award ceremony for children was on the agenda. This is prohibited according to the Media Act. RÚV was fined ISK 500.000.
Decision no. 1/2021 of the Media Committee. RÚV broadcast an advertisement right after a children’s TV show. Fine of ISK 1 million.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Until the age of 18, the parents are legal representatives of their children but there are certain exemptions, for example:
- A child can spend money that it has earned or been given, unless these are large sums.
- A child over 10 can go to a swimming pool alone.
- A child over the age of 12 must consent to an adoption.
- A 13 – 14-year-old child is allowed to have an “easy job”.
- A child can be prosecuted at the age of 15.
- At 15 a child can acquire the licence to drive certain vehicles, but at 17 a child can acquire a driver’s licence.
- At 16 children start paying taxes on their income.
- Children over 16 are allowed to get an abortion without their parents’ permission.
- Children over 16 are allowed to make decisions regarding health care services.
- Children over the age of 16 can join religious communities.
- Children over 15 are subject to a certain participation in a child protection case involving themselves.
- According to the Act no. 90/2018 of Personal Data Protection, specific rules apply to entering into an agreement to use digital services providing contractual capacity to children at the age of 13.
Do consumer protection rules apply to children?
Yes.
N/A
Are there any consumer protection rules which are specific to children only?
Yes.
According to the Act no. 58/2005 on Business Practices and Marketing, children and teenagers’ naivety should be considered when creating advertisements. If children appear in marketing material, they should not be participating in dangerous behaviour, which could encourage other children to engage in such behaviour.
According to regulation no. 160/2009 it is considered intrusive marketing to market products or services to children, to get them to persuade their parents to buy a product or service. Therefore, such marketing is prohibited.
It is also prohibited to make available to children audio or video material which can be physically, mentally or morally harmful to children, especially if such material has pornography or violent content, according to the Media Act no. 38/2011.
Product placement of harmful products in material meant for children is prohibited according to the Media Act.
According to Act no. 62/2006 on children’s access to video games and movies, it is prohibited to display, sell or disseminate in any other way violent movies or violent video games to children under the age of 18. From the age of 14, children are permitted to watch or use such content under parental supervision.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Decision no. 1/2020 of the Media Committee. The National Public Broadcaster (RÚV) made available to children, using a streaming platform, episodes that were not suitable for children under 16 years of age due to their pornographic and violent material. Fine of ISK 1.2 million.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
Act no. 38/2011 imposes restrictions on audio and video material made available to children.
There are also some national-specific laws in Iceland which implement age-related restrictions for the access of certain goods and services. The following is a non-exhaustive list of goods and services to which such restrictions apply:
- Alcohol
- Cigarettes
- Pornography
To the extent such goods and services are accessed online by children, such restrictions will generally also apply.
Are there any specific requirements relating to online/ digital safety for children?
No.
N/A
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
No.
Reasonable technical measures must be taken, but those measures have not been specified further in Icelandic law.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
If such controls are implemented it is important to inform the children of such monitoring/controls.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
No.
There are no existing requirements specifically covering children and AI in Iceland. However, due regard should be given to the data protection principles of the GDPR and to the United Nations Convention on the Rights of the Child (UNCRC), which apply.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
No.
While Iceland will implement the AI Act (EU) 2024/1689, the implementation date is yet to be determined.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
In the national cybersecurity plan for 2022-2037, it is stipulated that measures must be taken to further ensure children’s safety in the digital world.
Contributors

Hjördís Halldórsdóttir
