Some links on Iceland as a data haven, based on research conducted over the winter of 2016/2017.
It has been suggested that Iceland had an appetite for strict privacy laws. It is my view that this is a civic society proposal focused more on Freedom of Information and journalistic privilege and not privacy, although the IMMI declared that they propose to make new privacy law a priority in 2016. The proposals have been very slow in proceeding through parliament. Any forecasts as to the end state require a detailed knowledge of Iceland’s politics and an appetite for controversy. Furthermore as the EU moves from a Directive to a Regulation the room for national differentiation is minimised; it is possible that Iceland will make it hard for their own and foreign law enforcement to access Icelandic hosted data because this is one area where member states still have room to determine their own laws. However one purpose of the Regulation is to create a level playing field for commercial entities in the single market, the Commission will have an interest in ensuring that no members of the EEA differentiate their privacy regimes.
The Regulation covers fines and financial penalties. The Icelandic fines are currently ~£750/day for failure to implement a notice. I don’t think I’d want to say that they’re high; this is certainly lower than the Regulation proposed fines.
I have looked to see if there is any evidence that the Icelandic DPA is more aggressive in pursuit of law breakers. There is no easily discoverable European comparison table. What evidence there is suggests that their authorities are more aggressive than the UK, but the scale of the problem is in a different league and because they are a much smaller society the number of prosecutions and fines is tiny.
The bottom line is that the Regulation makes, and is designed to make a level playing field, and there is no usable evidence that Iceland has stronger privacy laws nor a more aggressive enforcement regime in terms of either appetite or penalties.