-3

While it is my understanding that electronically or postally publishing someone's personal information in an attempt to cause them emotional distress, intimidate them, or place them in reasonable fear of bodily harm (esp. by facilitating others' efforts to surveil them with intent to harass, intimidate, or even injure them) is generally illegal in the United States (per 18 USC § 2261A (2)), what laws (if any) does Iceland have against this?

In particular, if I am a U.S. citizen, and my current ISP and all domestic webhosts have refused service to me due to my continued pursuit of such activity, and I have moved my harassing presence to an Iceland-based webhost that advertises "free speech" and whose ToS does not specifically prohibit doxing, what angles of attack (other than a pure appeal to the abuse team's humanity) might dislodge me?

2 Answers

0

Tentatively, it appears that the answer is "No; doxxing is legal in Iceland" -- at least according to the legal/PR team of one major hosting provider:

…your customer [per above details and evidence] is using your services to publish full legal names, addresses, license plate numbers, home phones, details of Thanksgiving dinners, employer contact details, etc. of political dissidents -- with the sole purpose to put the named individuals directly in reasonable fear of bodily injury or death and to cause substantial emotional distress.

This is illegal per 18 USC § 2261A (2) in your customer's jurisdiction of residence, and they have already been evicted from multiple domestic providers for their activity.

Your ToS prohibits "other malicious internet activity"; does stalking and harassment qualify?

Hello,

we are not an US company so US law doesent[sic] apply to us and we do not follow it.

Best regards

[Icelandic name]

0

Since doxxing is a vague meme, it is not specifically illegal. Acquisition of the distributed information is probably illegal, for example in the US, 18 USC 1030. In court, the question would not be whether you "doxxed" someone, it would be about actions that you took that violated specific laws, and we don't know the totality of your possibly-actionable actions. But then, the hacking part is about you and not the ISP, so the pertinent question is, what avenues could your victims pursue either against you or your ISP – the ISP is the obvious, most-vulnerable target? And then, what counter-measure would be available to you?

Pursuing a judgment against you or the ISP could be most effectively carried out in US courts, and we're really only concerned with actions against the ISP, since the possibility of legal action against them could motivate a decision to follow path A, vs. B. The evidence indicates that they at least have the contractual right to terminate your service. They could be motivated to do so if they detect a credible threat to their business interests (contract law generally does not obligate a party to legally harm themselves). If US courts find that their actions (of enabling you) violate US law, the courts can take action against the ISP.

Without you doxxing the ISP, we can't assess the vulnerability of the ISP to legal action in US courts. For example, US courts can't directly order the seizure of property in Iceland, but they can order the seizure of property in the US. They can't issue and enforce an injunction in Iceland, but they can do that in the US. So the question is whether the ISP has enough of a business interest in the US that they are unwilling to tell the US courts to take a leap. Or, are they sufficiently persuaded that the case against them under US law is weak enough that it poses no threat to them?

This article is pertinent to the question. Basically, an ISP is not liable for being a passive instrument for a cyber-attack, see for example Zeran v. Am. Online, Inc., 129 F.3d 327 which invokes the infamous section 230. See also Barnes v. Yahoo, 570 F.3d 1096. The article also sketches copyright-based theories of contributory and vicarious liability. The Icelandic ISP can then, at least presently, count on this immunity. Their position that US law does not apply to them is in error, but applying US law to them, they are not liable (under US law).

Icelandic law does apply to them. Then, do they violate the Act on Protection of Privacy? Or the Data Protection act which implements GDPR? Under GDPR, the victim of the attack can request removal of the data. However, this is a "show me the paperwork" situation: the ISP does not have liability just for having been a conduit (Directive 2000/31/EC). There may be various specific directives that assign a pro-active responsibility to the ISP, but nothing as general as GDPR.

user6726