Axiata Group Berhad
Domicile: Malaysia
Website: www.axiata.com
Operating company evaluated: Celcom (Malaysia)
Download company report: English
Key findings
- Axiata made modest improvements but remained one of the lowest-ranking companies in the entire Index.
- Axiata disclosed nothing about how it responds to government or private requests to block content, restrict accounts, or hand over user information.
- While Axiata made minor improvements to its privacy policies, it was less transparent than previously about its security policies.
- Celcom (Prepaid mobile)
- Celcom (Postpaid mobile)
Analysis
Axiata ranked tenth out of 12 telecommunications companies evaluated, disclosing less than most of its peers about policies and practices affecting freedom of expression and privacy.1 The company strengthened its disclosure of governance and oversight over privacy issues and improved its disclosure across a number of policies affecting users’ privacy.2 However, despite these improvements, Axiata’s overall score remained the same because of declines to its disclosure of its security policies. The company operates in a challenging regulatory environment, and Celcom, Axiata’s operating company in Malaysia, must comply with regulations from the Malaysian Communications and Multimedia Commission (MCMC) and other authorities.3 But there are no laws preventing Celcom from making basic commitments to respect users’ freedom of expression and privacy, nor are there any legal obstacles preventing Axiata from improving its disclosure of how it handles user information. While Malaysia’s Official Secrets Act may prohibit some disclosure of government requests, nothing prevents Celcom from publishing at least some information about these types of third-party requests for user information.4
Axiata Group Berhad provides telecommunications and network transmission related services to almost 300 million mobile subscribers in markets across Asia.5
Market cap: USD 8.9 billion6
KLSE: AXIATA
- Be more transparent about external requests: Axiata should be clear about how it responds to government and private requests to block content, restrict accounts, or hand over user information.
- Communicate more clearly about security: Axiata should disclose details about how it secures user information, including how it responds to data breaches.
- Improve disclosure about network shutdowns: Axiata should clarify how it handles government orders to shut down networks, including by committing to push back against these types of demands.
Governance
Despite some improvements, Axiata disclosed less about its governance and oversight over freedom of expression and privacy issues within the company than all other telecommunications companies evaluated, aside from Etisalat and Ooredoo. It did not publish a commitment to respect users’ freedom of expression and privacy as human rights (G1). Axiata improved its disclosure of executive-level oversight over privacy issues (G2) and clarified that employees can report privacy-related concerns under its whistleblowing policy (G3), although it was not clear whether the policy covered all types of privacy-related issues. The company did not publish any information about conducting human rights impact assessments (G4). It offered mechanisms for users to submit complaints related to privacy (G6), but did not provide any information on how it responds to these complaints.
G2. Governance and management oversight
Axiata in 2018 appointed a Group Chief Information Security Officer and Group Head of Privacy and improved its management oversight over its privacy policies and commitments.
G3. Internal implementation
Axiata disclosed it has a whistleblowing program for employees to report privacy concerns.
Freedom of Expression
Axiata disclosed minimal information about its policies affecting freedom of expression and tied with Ooredoo for the second-lowest score among telecommunications companies, ahead of MTN and Bharti Airtel. The operating company, Celcom, offered terms of service that were easy to find but not so easy to understand (F1), and it failed to commit to notify users in cases of changes to the terms (F2).7 Like most telecommunications companies evaluated, Celcom provided insufficient information about its network management and shutdown policies (F9, F10). It disclosed that it may block or delay certain types of traffic and applications for the purpose of minimizing the impact of heavy usage on its networks (F9). Notably, Axiata disclosed almost nothing about how it handles government demands to shut down its networks: it failed to provide any information about its process for responding to such demands, including whether it commits to push back against inappropriate demands or notify users when it shuts down service (F10).
Axiata otherwise earned no credit on any of the other indicators in the Freedom of Expression category. It was among seven telecommunications companies that disclosed nothing about processes for responding to third-party requests for content and account restrictions (F5) and published no data about the number of requests it received or with which it complied (F6, F7).
F1. Access to terms of service
Celcom made its prepaid terms of service easier to understand.
Privacy
Axiata failed to disclose sufficient information about policies and practices affecting the privacy and security of its users, outperforming only MTN, Etisalat, and Ooredoo. Celcom published a privacy policy that was easy to locate and easy to understand (P1); however, unlike in previous years, it was no longer available in the primary languages of the company’s home market. It provided less information than most telecommunications companies evaluated about how it handles user information (P3-P8). It offered users no information about how long it retains user information (P6), options to control what information the company collects about them (P7), or options to obtain the information the company holds on them (P8), and its disclosure of what information it collects (P3), shares (P4), and why (P5) fell short. Celcom improved its disclosure by stating that it may combine user information across different services (P5), although it did not specify which types of user information.
Axiata disclosed nothing about how it handles third-party requests to hand over user information, nor did it publish any data on the requests it received or with which it complied (P10, P11). Like all other telecommunications companies, it failed to commit to notify users if their information is requested by third parties (P12). There are no laws that prevent Axiata from being more transparent about these processes. Celcom also disclosed little about its security policies. It provided less detail than in the previous year about limiting employee access to user information (P13) or about how users can protect themselves from security risks (P18). It did not publish anything on how it addresses security vulnerabilities (P14) or how it responds to data breaches (P15).
P1. Access to privacy policies
While Celcom made its privacy policy easier to understand, it was no longer available in the primary languages of the company’s home market.
P2. Changes to privacy policies
Celcom improved its commitment to notify users of changes to its privacy policy.
P5. Purpose for collecting and sharing user information
Celcom disclosed more information about the purposes for collecting and sharing user information and clarified that it may share personal information with subsidiaries and the group, which suggests that this information may be combined.
P13. Security oversight
Celcom no longer disclosed whether it monitors employee access to users’ data.
P18. Inform and educate users about potential risks
Celcom did not publish information that helped educate users about security issues.
Footnotes
[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.
[2] For Axiata’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/axiata
[3] “Freedom on the Net,” (Freedom House, November 2018), freedomhouse.org/report/freedom-net/2018/malaysia
[4] “Official Secrets Act 1972,” Act 88 (1972), www.agc.gov.my/agcportal/uploads/files/Publications/LOM/EN/Act%2088.pdf
[5] “Key Highlights,” Axiata Group Berhad, Accessed January 15, 2019, www.axiata.com/corporate/key-highlights/
[6] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/AXIATA:MK
[7] For most indicators in the Freedom of Expression and Privacy categories, RDR evaluates the operating company of the home market, in this case Celcom.