Telecommunications (Interception Capability and Security) Bill

Explanatory note

General policy statement

This Bill repeals and replaces the Telecommunications (Interception Capability) Act 2004.

The main objectives of the Bill are to ensure—

  • that the interception obligations imposed on the telecommunications industry are clear and reflect the changing telecommunications industry structure, do not impose unnecessary compliance costs, and are sufficiently flexible to match today’s operational needs and future technology developments; and

  • that network operators are obliged to engage with the Government on network security matters where they may raise a risk to New Zealand’s national security or economic well-being, inform the Government of network decisions that may be of particular national security interest, and work with the Government to apply any required risk-based and proportionate security measures.

These objectives will be achieved by introducing a range of measures designed to help network operators understand their obligations for interception capability, and make it easier for them to comply with their obligations. The Bill will also set up a new framework for network operators and the government to work together on matters of network security where this intersects with New Zealand’s national security and economic well-being.

Both the lawful interception and the network security frameworks will be underpinned by a compliance and enforcement framework. This will give the Government the ability to make a graduated response to non-compliance, and thereby support ongoing compliance across the telecommunications industry.

The two-tiered enforcement regime for non-compliance distinguishes between minor non-compliance and serious non-compliance. Minor non-compliance will be dealt with by way of a notice requiring that the breach be remedied within a specified period of time. Serious non-compliance will be dealt with through the High Court.

The Bill proposes to—

Interception capability

  • reduce the obligations on some network operators by—

    • removing and reducing obligations to pre-invest in interception capability, in areas where capability is unnecessary for operational reasons, or duplicated, or disproportionately expensive:

    • creating less onerous requirements for specified types of service or company, as follows:

      • network operators with fewer than 4 000 customers: a new “interception readiness” obligation:

      • wholesale network services (which are then on-sold by a retail operator to the end-user): an obligation to help ensure interception equipment can access the network, if required:

      • infrastructure-level services: no capability obligation (but there is an obligation to report customer names):

  • clarify obligations and duties by—

    • putting beyond doubt that the duty to assist is relevant to companies whether based in New Zealand or based overseas, and whether or not they have made prior investment in interception capability:

    • specifying that network operators may share resources (for example, equipment or staff) in order to meet their obligations under the Act:

  • allow flexibility by—

    • allowing interception capability obligations to be extended, if needed, to telecommunications service providers that do not have any capability obligations today:

    • allowing the Minister to partially or fully reinstate capability obligations on a company with reduced obligations as referred to above, if more onerous obligations are justified for operational reasons:

    • creating a faster and more flexible exemption process through which capability obligations on particular operators, or on whole classes of operators or services, can be reduced:

  • increase enforcement options by providing for a new ministerial power to direct that an off-shore telecommunications service must not be resold in New Zealand if there is insufficient interception capability on that service, and the direction is required to address a significant risk to national security or law enforcement:

Network security

  • encourage partnership between network operators and the Government by—

    • emphasising that network operators and the Government Communications Security Bureau (GCSB) are to work co-operatively and collaboratively on identifying and addressing network security risks:

    • obligating network operators to engage in good faith with the Director of the GCSB on the design, build, and operation of networks where those may pose a risk to New Zealand’s national security or economic well-being:

    • obligating network operators to notify the Director of the GCSB about proposed procurement decisions being made in relation to areas in the network of particular national security interest:

  • enable risk identification and response by—

    • setting out a specific risk identification and response process:

    • providing for a ministerial direction power where a significant risk to national security is raised and either the Director of the GCSB is not satisfied with the network operator’s proposal to address a security risk, or a network operator has breached one of the requirements in the Act and has proceeded with a decision or course of action that gives rise to a significant risk to national security:

Compliance and enforcement

  • increase compliance with the Act by—

    • requiring network operators to register basic information with the Government:

    • enabling the surveillance agencies (the New Zealand Police, the New Zealand Security Intelligence Service, and the GCSB) to request information from network operators:

    • providing ability for the surveillance agencies to require network operators to have a staff member with an appropriate security clearance:

    • enabling surveillance agencies to initiate compliance testing and require the chief executive of a network operator to certify compliance with the Act after checking compliance with interception obligations:

  • provide a graduated enforcement regime by—

    • enabling minor non-compliance to be dealt with by way of a breach notice:

    • enabling serious non-compliance to be dealt with in the High Court.

The Bill brings a number of provisions into force at 3 months and 6 months after the date of the Royal assent. This reflects the anticipated implementation period for each initiative.

Regulatory impact statements

Two regulatory impact statements have been prepared by the Ministry of Business, Innovation, and Employment. "Telecommunications industry—Updating interception capability obligations" was approved by the Treasury on 12 March 2013 and "Telecommunications industry—New framework for network security" was approved by the Treasury on 13 March 2013. These regulatory impact statements have yet to be publicly released on the Ministry's website, www.mbie.govt.nz.

Clause by clause analysis

Clause 1 is the Title clause.

Clause 2 is the commencement clause. Most of the provisions of this Bill come into force 6 months after the date on which the Bill receives the Royal assent. Provisions relating to exemptions and registration (and associated enforcement provisions) come into force 3 months after the date on which the Bill receives the Royal assent.

Part 1
Preliminary provisions

Part 1 (clauses 3 to 8) relates to preliminary matters and sets out the purposes and principles of this Act relating to interception capability and network security.

Part 2
Interception duties

Part 2 (clauses 9 to 42) sets out the interception capability duties that apply to network operators and service providers under this Bill. The primary duty, which is the duty to have full interception capability, remains substantially the same as in the Telecommunications (Interception Capability) Act 2004 (the current Act).

Subpart 1
Duty to have interception capability

This subpart (clauses 9 and 10) sets out the primary duty that applies to network operators, which is the duty to have full interception capability in respect of every public telecommunications network that the network operator owns, and every telecommunications service that the operator provides in New Zealand.

Subpart 2
Reduced duties

This subpart (clauses 11 to 20) provides for a reduction of the full interception capability duty by introducing lesser duties that will apply to certain classes of network operators and services. The new duties are the duty to be intercept ready and the duty to be intercept accessible.

The range of interception capability duties are ranked according to the level of capability required to fulfil the duty as follows:

  • the duty to comply with clauses 9 and 10 (full interception capability):

  • the duty to be intercept ready:

  • the duty to be intercept accessible.

Network operators with an average of less than 4 000 customers over a 6-month period will not be required to have full interception capability as long as certain criteria are met and they maintain that average.

Network operators that provide infrastructure-level services will not be required to have full interception capability for those services.

Network operators that provide wholesale network services will not be required to have full interception capability for those services, but will be subject to the duty to be intercept accessible.

The level of interception capability required from network operators may, in certain circumstances, be increased by the Minister responsible for the administration of this Act (but not to a level greater than full interception capability). For example, a network operator that is subject to a duty to be intercept accessible may be required to have full interception capability in relation to a network or service. The Minister may impose the higher duty only at the application of a surveillance agency, and only if satisfied that the current level of interception capability on the network or service adversely affects national security or law enforcement. The affected network operator may make submissions to the Minister. The Minister may make a direction requiring a higher interception capability duty to apply only after certain consultation has occurred and applicable criteria have been taken into account by the Minister.

Regulations may be made that impose a higher interception capability duty on a class of network operators or in relation to a class of services.

Subpart 3
Related duties

The provisions in this subpart (clauses 21 to 28) fall within 2 broad groups. The first group relates to assisting surveillance agencies and the Registrar to perform their functions; the second group clarifies and limits the application of interception capability duties under this Act.

The duty to assist, which requires all network operators and telecommunications service providers to assist surveillance agencies when presented with appropriate authorisation, is substantially the same as in the current Act.

Providers of infrastructure-level services will be required to provide the Registrar with the names of all their customers, whereas network operators will be required to notify the Director when making any arrangement (contractual or otherwise) with any person for the provision of services required for compliance with this Part. Network operators must also ensure that any person who provides services under such an arrangement complies with any applicable provisions of this Part.

Clauses 21, 22, and 26 largely reinstate sections 9 (certain facilities excluded from scope of duty), 10 (design of networks) and 14 (duty to minimise impacts of interception on third parties) of the current Act.

Subpart 4
Exemptions

This subpart (clauses 29 to 34) provides for exemptions that may be granted by a designated officer. Full or partial exemptions may be granted in relation to the full interception capability duty, and in relation to specified provisions in subpart 2 that impose a lesser duty on a network operator. The designated officer must take into account specified criteria and consult with each of the surveillance agencies and the applicant (if any). An applicant whose application for exemption has been declined may apply to the Minister for a decision.

Subpart 5
Ministerial directions

This subpart (clauses 35 to 39) enables the Minister, on the application of a surveillance agency, to direct a telecommunications service provider to comply with an interception capability duty, and to have the same rights and obligations as those of a network operator under Parts 1, 2, and 4. Regulations may also be made to the same effect in relation to a class of telecommunications service providers.

This subpart also enables the Minister, at the application of a surveillance agency, to direct that telecommunications services provided from outside New Zealand and resold in New Zealand must not or must no longer be provided in New Zealand.

Both ministerial direction powers under this subpart may be exercised only after consultation has taken place and relevant criteria have been applied.

Subpart 6
Formatting

This subpart (clauses 40 to 42) relates to the formatting of call associated data and telecommunications obtained under an interception warrant or any other lawful interception authority. The Minister may determine the standards for formatting by notice in the Gazette, and that notice may incorporate by reference all or part of any standard, specification, or requirement that is published by a body or person in any country. Provision is made for the effect of any change to a standard, specification, or requirement that has been incorporated by reference.

The Gazette notice that the Minister issues under clause 40 in relation to the formatting is legislative in nature because it regulates a class of persons (network operators) and prescribes obligations (that is, the format in which call associated data and content of telecommunication). Consequently, it is appropriate for the instrument to be subject to disallowance under the Legislation Act 2012. It is not appropriate, however, for the instrument to be published in the SR series because the instrument will contain technical matters relevant to a particular group and publication in the SR series would be impracticable for reasons such as the size and complexity of the instrument.

Part 3
Network security

This Part (clauses 43 to 54) relates to network security. The purpose of this Part is to prevent, mitigate, or remove security risks arising from public telecommunications networks and interconnections between networks.

A network security risk is an actual or potential security risk to New Zealand’s national security or economic well-being arising from—

  • the design, build, or operation of a telecommunications network; or

  • interconnections between public telecommunications networks or to networks overseas.

Part 3 (clauses 43 to 54) requires network operators to engage with the Director of the Government Communications Security Bureau as soon as practicable after becoming aware of a network security risk, or a proposed decision, course of action, or change that may raise a network security risk.

Areas of specified security interest are listed in clause 46, and regulations may be made that add to that list. Network operators must notify the Director of any proposed decision or changes that fall within an area of specified security interest. A process is established to provide for the prevention or mitigation of any network security risk that has been identified in advance. The network operator must provide a proposal to prevent or mitigate the network risk identified by the Director (in relation to the proposed decision, course of action, or change). If the proposal does not prevent or mitigate a significant network security risk, the Director may refer the matter to the Minister for direction.

The Minister may make a direction under clause 54 that requires a network operator to take steps to prevent, mitigate, or remove a significant network security risk if—

  • the network operator (despite being notified by the Director that a proposed decision, course of action, or change raises a network security risk) enters into a binding legal arrangement, or implements a decision, or commences a course of action or change that gives rise to a significant network security risk; or

  • the network operator fails to comply with a requirement under this Part and implements a decision, or commences a course of action or change, that gives rise to a significant network security risk.

Part 4
Registration, enforcement, and miscellaneous provisions

Subpart 1
Registration

This subpart (clauses 55 to 66) requires all network operators to register on a register of network operators. All existing network operators must register within 3 months of commencement of clause 55, while new network operators must register within 3 months after becoming such an operator.

The register will contain various information that will assist surveillance agencies to exercise or perform powers, functions, or duties under the Bill (for example, information about the number of an operator's customers).

The subpart provides for—

  • the register to be established by the New Zealand Police and to be maintained by a Registrar appointed by the Commissioner of Police:

  • the operation of the register. In particular, the register is only available for access and searching by designated officers and the surveillance agencies:

  • the network operators to notify the Registrar of important changes and to provide an annual update of information on the register.

Subpart 2
Registrar and other designated officers

This subpart (clauses 67 to 69) provides for the appointment of 1 or more suitable persons as designated officers by the Commissioner of Police. The designated officers perform various functions under the Part relating to compliance (for example, gathering information to assist the surveillance agencies and requiring network operators to engage in compliance testing). One of the designated officers must be appointed as the Registrar.

Subpart 3
Secret-level government-sponsored security clearance

This subpart (clauses 70 and 71) allows a designated officer to require network operators to nominate a suitable employee to apply for a secret-level government-sponsored security clearance if the operator has 4 000 or more customers across all telecommunications services and all public telecommunications networks.

Subpart 4
General information-gathering powers

This subpart (clauses 72 to 76)—

  • allows a designated officer to require a network operator to supply information or documents for the purpose of assisting a surveillance agency to enforce compliance with the duties under the Bill relating to interception capability or to execute an interception warrant or any other lawful interception authority:

  • allows the Director of the GCSB to require a network operator to supply information or documents for the purpose of assisting the Director to enforce compliance with the duties under the Bill relating to network security.

A network operator must comply even if compliance involves a disclosure of commercially sensitive information or a breach of an obligation of confidence.

Subpart 5
Compliance testing

This subpart (clauses 77 and 78) allows a designated officer to require a network operator to test its equipment and procedures to ensure that the equipment and procedures comply with the operator's interception capability duties, and to identify any deficiencies in the equipment and procedures in terms of that compliance.

Subpart 6
Certification

This subpart (clauses 79 to 81) allows a designated officer to require the chief executive of a network operator to certify that, after due inquiry, the chief executive is satisfied that the operator is maintaining and operating interception capability in compliance with the Bill.

Subpart 7
Enforcement

This subpart (clauses 82 to 94)—

  • allows a surveillance agency to issue a breach notice for a minor non-compliance with the Bill. The notice can require a person to comply with its duties. The breach notice can contain a request to enter and inspect a place in connection with interception capability duties:

  • allows a surveillance agency to issue an enforcement notice for a serious non-compliance (including a failure to comply with a breach notice). An enforcement notice informs a person that a surveillance agency may make an application to the High Court in relation to the matter:

  • allows a surveillance agency to apply to the High Court for a compliance order or a pecuniary penalty order, or both. A compliance order may require a person to do a specified thing or to cease a specified activity. A pecuniary penalty order may require a person to pay a penalty of up to $500,000 (and up to $50,000 for each day of a continuing contravention).

Subpart 8
Protecting classified information

This subpart (clauses 96 to 98) provides for procedural matters in any proceedings involving classified security information. The subpart allows a court, on a request by the Attorney-General and if it is satisfied that it is desirable to do so for the protection of classified security information, to receive or hear the classified security information in the absence of 1 or more of the defendant, the defendant's lawyers, journalists, and members of the public.

Subpart 9
Miscellaneous provisions

This subpart (clauses 99 to 110) and the Schedule deal with miscellaneous matters, including—

  • matters relating to costs:

  • protecting network operators, service providers, and surveillance agencies from liability for an act done or omitted to be done in good faith in the performance of a duty imposed, or the exercise of a function or power conferred, by this Bill:

  • the service of notices:

  • the repeal of the Telecommunications (Interception Capability) Act 2004:

  • consequential amendments.