Telecommunications companies

Axiata Group Berhad

Rank: 9th
Score: 16%

Headquartered in Malaysia, Axiata Group Berhad provides telecommunications and related services to 150 million mobile users in nine countries across Asia.

Axiata’s overall performance in 2020 remained poor compared to most of its peers, but it did make improvements to its governance of human rights issues. Following demands from the Sri Lankan government in the wake of deadly terror attacks, Axiata's Dialog subsidiary shut down social media in the South Asian country three times in April and May 2019. The Malaysian government prosecutes users for online speech that is deemed insulting to Islam or the monarchy, and legal protections for digital privacy in the country are poor. Although there are no laws preventing Axiata’s Malaysian operating company, Celcom, from expanding its transparency in this area, the company disclosed nothing in 2020 about how it responds to government or private requests to block content or carry out network shutdowns.

Key Takeaways

  • Axiata did not publicly commit to protect freedom of expression or privacy as human rights.
  • Axiata disclosed nothing about how it responds to government or private requests to block content or restrict accounts.
  • While Axiata made minor improvements to its privacy policies, its security policies remained scant.

Key recommendations

  • Increase transparency and push back on network shutdown orders. Axiata should clarify how it handles government orders to shut down networks and commit to push back against these demands.
  • Publish information about censorship and user information demands. Axiata should fully explain how it responds to government and private demands for web content censorship, account restriction, and user information.
  • Commit to human rights. Axiata should publish an explicit commitment to protect users’ freedom of expression and privacy rights.

Services evaluated:

  • Operating company evaluated: Celcom (Malaysia)For telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
  • Market cap: $7.68 billion (as of February 4, 2021)
  • KLSE: AXIATA
  • Website: https://www.axiata.com

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Zak Rogoff, Jie Zhang

Changes since 2019

  • Axiata published materials that provided its users with guidance on how to protect themselves from cybersecurity risks.
  • Axiata published a commitment to privacy and clarified management-level oversight over that commitment.
  • Axiata improved its disclosure of its process for responding to government demands for user information, including a limited commitment to perform due diligence on those types of demands.
+ 6.58 points

Gained 6.58 points on comparable indicators since the 2019 RDR Index.

Governance22%
Freedom of expression7%
Privacy19%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 22%

Axiata strengthened its governance and oversight over privacy issues, although it made no similar progress on freedom of expression.

  • Commitment to human rights: Axiata published a new commitment to privacy, but fell short of framing privacy as a human right. It made no commitment to freedom of expression (G1).
  • Human rights due diligence: Though it offered a vague suggestion that it conducts privacy impact assessments on some of its activities, Axiata disclosed no comprehensive process to identify the human rights risks of its actions, such as discrimination in targeted advertising or freedom of expression and information harms resulting from company policy enforcement (G4).
  • Stakeholder engagement: Axiata disclosed no evidence of systematically engaging with stakeholders that represent, advocate on behalf of, or are people whose privacy and freedom of expression and information are directly impacted by the company (G5).
  • Remedy: Axiata offered a mechanism for users to file complaints related to privacy. However, it was not clear that users could file a complaint if they believed the company harmed or threatened their freedom of expression. Axiata did not explain its process for providing remedy for the grievances it receives (G6a).

Freedom of expression 7%

Axiata disclosed little about policies affecting freedom of expression, though it slightly outperformed América Móvil, Ooredoo, and Bharti Airtel in this category.

  • Content blocking and account restrictions: Though Axiata improved the readability of its Fair Usage Policy, some terms of service documents were still available only in English and not offered in Malay (F1). Axiata only vaguely explained the rules users must follow (F3a) and provided no data about actions taken to remove content or restrict accounts that violate these rules (F4a, F4b).
  • Advertising content and targeting: Axiata published limited information about its ad content rules (F1b), but nothing about ad targeting rules (F1c). It revealed no data about the volume and nature of the advertising content it restricted (F4c).
  • Censorship demands: The company did not disclose a policy for responding to government and private requests to block content or restrict accounts (F5). It also failed to provide data showing how many requests it received and how many it complied with (F6, F7). The Official Secrets Act of 1972 may prohibit reporting the content of government requests, but it should not bar Axiata from disclosing its process for addressing them.
  • Network management: The company made no commitment to net neutrality (F9) and offered a zero-rating program with cost-free access to selected news sources and services. It did not reveal a process for handling government demands to shut down its network (F10), even though it carried out network shutdowns in Sri Lanka, at the behest of government officials, in 2019.

Privacy 19%

Axiata made modest improvements to its overall privacy score.

  • Handling of user data: The company revealed some of the types of information it collects (P3a), infers (P3b), and shares (P4), and it provided some information about why it does this (P5). Yet it provided no option for users to control such data collection (P7) or even to find out what information the company had already gathered about them (P8). The company also had no policies to protect users’ privacy when using their data to develop and train algorithmic systems (P1b).
  • Government and private demands for user data: Axiata released limited information on whether it follows due diligence processes when responding to government demands (P10a), and it said nothing about how it responds to requests submitted through private processes (P10b).
  • Security: The company’s internal team performed security audits, but the company did not state that it commissioned third-party audits (P13). Although Axiata released new materials to educate users about cybersecurity risks (P18), its security policies remained scant. Axiata was silent on how it handles data breaches (P15) and security vulnerabilities (P14).