Key findings
- Axiata was one of the lowest-scoring telecommunications companies in the Index, disclosing limited information on policies affecting freedom of expression and privacy.
- Axiata disclosed no information about its processes for responding to government or private requests to block content or user accounts or to hand over user information, although there are no legal obstacles preventing the company from disclosing some information about how it handles these types of requests.
- Axiata disclosed minimal information about its network management policies and practices, or how it handles government demands to shut down networks.
Analysis
Axiata ranked eighth out of 10 telecommunications companies evaluated, disclosing less than most of its peers about policies and practices affecting freedom of expression and privacy. It made no substantive improvements in the 2018 Index. The company operates in a challenging regulatory environment: the 2017 Freedom on the Net report by Freedom House rated Malaysia’s internet environment as “Partly Free,” and Celcom, Axiata’s operating company in Malaysia, must comply with directives from the Malaysian Communications and Multimedia Commission (MCMC) and other authorities, many of which are not publicly available. However, there are no laws preventing Celcom from making basic commitments to respect freedom of expression and privacy rights, nor are there any legal obstacles preventing Axiata from improving its disclosure of how it handles user information. Axiata could also be more transparent about how it handles government and private requests to hand over user information. While Malaysia’s Official Secrets Act may prohibit some disclosure of government requests, nothing prevents Celcom from publishing at least some information about third-party requests for user information.
- Be more transparent about external requests. Axiata should disclose information about its processes for responding to government and private requests to block content and accounts and to hand over user information.
- Improve disclosure about network shutdowns. Axiata should disclose more about how it handles government orders to shutdown networks, including making a clear commitment to push back against these types of demands.
- Communicate more clearly about security. Axiata should disclose information about its processes for keeping user information secure, including how it responds to data breaches.
Axiata Group Berhad provides telecommunications and network transmission-related services to almost 300 million mobile subscribers in markets across Asia.
Governance
Axiata received the second-lowest score of all companies evaluated in the Governance category, ahead of only Ooredoo. It received some credit on just two of the six indicators in this category. It disclosed that its board of directors has oversight over privacy issues (G2), and offered some information about ways users can submit privacy-related grievances (G6).
Freedom of expression
Axiata received the second-lowest freedom of expression score among telecommunications companies, disclosing more about these policies and practices than only Bharti Airtel.
Content and account restriction requests: Like most of its peers, Axiata lacked clear disclosure of how it handles government and private requests to block content or accounts (F5-F7). It disclosed nothing about its process for responding to these types of requests (F5) nor did it publish any data about the number of these types of requests it receives or with which it complies (F6, F7).
Network management and shutdowns: Like most telecommunications companies evaluated, Celcom provided insufficient information about its network management and shutdown policies (F9, F10). It disclosed that it may block or delay certain types of traffic and applications (F9), but had minimal disclosure of why it may shut down access to the network for a user or group of users (F10).
Identity policy: Celcom disclosed that pre-paid mobile users must provide identification (F11), in accordance with Malaysian law.
F8. User notification about content and account restriction
The company’s score declined due to a change in notification policies for prepaid users, with the terms of service stating that the company can restrict an account without prior notice.
Privacy
Axiata placed sixth out of the 10 telecommunications companies evaluated in the Privacy category, on par with Bharti Airtel, and ahead of MTN, Etisalat, and Ooredoo.
Handling of user information: Celcom provided more information than MTN South Africa, Etisalat UAE, and Ooredoo Qatar about how it handles user information (P3-P8), but its disclosure of what information it collects (P3), shares (P4), and why (P5) still fell short. Like most of its peers other than AT&T and Vodafone UK, Celcom provided no information about how long it retains user information (P6). It also offered users no information about options to control what information the company collects about them (P7), or options to obtain the information the company holds on them (P8). Malaysian law does not prevent companies from fully disclosing the information addressed in these indicators.
Requests for user information: Axiata was among three other telecommunications companies, including Etisalat and Ooredoo, to disclose nothing about how it handles requests from governments and private parties to hand over user information (P10-P12). It did not reveal any information about its processes for responding to these types of requests for user information, nor did it publish any data on the volume and nature of these requests it receives or complies with (P10, P11). It also did not commit to notify users if their information is requested (P12). There are no laws preventing the company from being more transparent about these processes.
Security: Celcom disclosed little about its security policies, scoring better than only MTN South Africa, Etisalat UAE, and Ooredoo Qatar on these indicators (P13-P18). Its disclosure about conducting security audits improved, but its disclosure of its policies for monitoring employee access to user information was less transparent than in the 2017 Index. The company did not disclose policies for addressing security vulnerabilities (P14) or for responding to data breaches (P15).
P13. Security oversight
While new company disclosure makes it less clear how Axiata restricts employees' access to prepaid users’ data, the company improved its disclosure for both prepaid and postpaid mobile users regarding security audits it conducts on the company’s products and services.
