Axiata ranked eighth out of the 10 telecommunications companies evaluated and 19th in the Index overall. The 2016 Freedom on the Net report by Freedom House rated Malaysia’s internet environment as “Partly Free.” Celcom, Axiata’s operating company in Malaysia, is subject to orders and instructions from the Malaysian Communications and Multimedia Commission (MCMC) and other authorities—many of which are not published or otherwise available to the public. However, there are no laws prohibiting Axiata from making basic commitments to respect users’ rights to free expression and privacy. Axiata could, for instance, improve its disclosure of how it handles government and private requests for user information. While Malaysia’s Official Secrets Act may prohibit some disclosure of government requests, nothing prevents Celcom from publishing at least some information about third-party requests for user information.
Axiata Group Berhad provides various telecommunication and network transmission-related services to numerous markets across Asia under various brand names. The company has almost 300 million mobile subscribers in Asia. It operates primarily under the brands of Celcom in Malaysia, XL in Indonesia, Dialog in Sri Lanka, Robi in Bangladesh, Smart in Cambodia, Idea in India, and M1 in Singapore.
Axiata received the third-lowest score of all companies evaluated in the Governance category, scoring higher than only Ooredoo and Baidu. In this category, Axiata received some credit on only one indicator (G2) for disclosing that its board of directors oversees privacy issues across all of the group’s operating companies.
Axiata received the second-lowest score among telecommunications companies in the Freedom of Expression category, on par with MTN, and ahead of only Bharti Airtel.
Content and account restriction requests: Like most of its peers, Axiata’s Malaysian subsidiary Celcom did not clearly disclose information about how it handles or complies with government and other third-party requests to restrict content or accounts (F5-F7). Celcom did not provide any disclosure on its process for responding to third-party requests for content or account restriction (F5), or publish data about the number of these types of requests it receives or complies with (F6, F7).
Network management and shutdowns: Like most telecommunications companies, Celcom provided insufficient information about its network management and shutdown policies (F9, F10). It disclosed that it may block or delay certain types of traffic and applications (F9), but had minimal disclosure of why it may shut down access to the network for a user or group of users (F10).
Identity policy: The Malaysian government requires telecommunications companies to register pre-paid SIM cards with a user’s identity card or passport. Celcom pre-paid mobile users are therefore required to provide their identification (F11).
Axiata placed sixth out of the 10 telecommunications companies evaluated in the Privacy category, ahead of Bharti Airtel, MTN, Etisalat, and Ooredoo.
Handling of user information: While Celcom disclosed less information than most other telecommunications companies on these indicators, it performed better than MTN, Etisalat, and Ooredoo (P3-P8). Celcom only partially disclosed what user information it collects, shares, and why (P3, P4, P5) and—like most telecommunications companies other than AT&T—provided no information about how long it retains user information (P6). Celcom also offered users no information about how they can control what information the company collects about them or options to obtain this information (P7, P8). The Malaysian Personal Data Protection Act (PDPA) states that personal data processed for any purpose should not be kept longer than is necessary for the fulfillment of that purpose; it does not prevent companies from fully disclosing the information addressed by these indicators.
Requests for user information: Axiata, Etisalat, and Ooredoo were the only three telecommunications companies to receive no credit on these indicators (P10-P12). Celcom did not reveal its processes for responding to government and private requests for user information or publish data on the volume and nature of these requests it receives or complies with (P10, P11). It also did not commit to notify users if their information has been requested by a government or other type of third party (P12). The country’s Official Secrets Act should not prevent the company from disclosing its process for responding to government and other third-party requests for user information.
Security: Celcom disclosed little about its security policies, scoring better than only MTN, Etisalat, and Ooredoo on these indicators (P13-P18). It disclosed some information about its internal security policies, such as limiting and monitoring employee access to user information, but did not disclose its policies for addressing security vulnerabilities (P14) or for responding to data breaches (P15).