Iceland's Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000, incorporates a partial exemption for national security and law enforcement activities, limiting the applicability of certain provisions of the law in these contexts.

Text of Relevant Provisions

Act No 77/2000 Art.3(2):

"Articles 16, 18–21, 24, 26, 31 and 32 of the Act do not apply to processing of personal data that concern public security, national defence, State security and the activities of the State in areas of criminal law. The Act does not apply to the processing, by an individual, of personal data that only relates to the individual himself or is purely intended for personal use."

Analysis of Provisions

The National Security and Law Enforcement Exemption in Iceland's data protection law is implemented through a partial exclusion of specific articles for certain types of data processing. According to Article 3(2), several provisions of the Act do not apply to the processing of personal data related to "public security, national defence, State security and the activities of the State in areas of criminal law."

This exemption covers a broad range of state activities, including:

1. Public security
2. National defense
3. State security
4. Criminal law activities of the State

It's important to note that this is not a blanket exemption from the entire Act. Instead, it specifically excludes the application of Articles 16, 18–21, 24, 26, 31, and 32 for these types of data processing. This approach suggests that the Icelandic lawmakers aimed to strike a balance between national security interests and data protection rights.

The rationale behind this exemption is likely rooted in the recognition that certain state activities, particularly those related to national security and law enforcement, may require greater flexibility in data processing. These activities often involve sensitive information and may need to operate under different rules to effectively protect public safety and national interests.

Implications

The implications of this exemption for data controllers and processors are significant:

1. Limited applicability: Organizations involved in processing personal data for public security, national defense, state security, or criminal law activities on behalf of the state may be exempt from certain obligations under the Act.
2. Partial compliance: While exempt from specific articles, these entities are still bound by the other provisions of the Act. This means they must comply with the remaining data protection requirements.
3. Scope of exemption: The exemption is limited to specific types of data processing. Regular business activities not related to these state functions would still be fully subject to the Act.
4. Balancing interests: Data protection officers and privacy professionals working in sectors related to national security or law enforcement must carefully navigate the balance between operational needs and data protection requirements.
5. Oversight considerations: While certain provisions don't apply, there may be alternative oversight mechanisms in place for these sensitive areas of data processing.