Donate
Telecommunications companies

Axiata Group Berhad

Rank: 10th
Score: 20%out of 100

Headquartered in Malaysia, Axiata Group Berhad[1] provides telecommunications and related services to over 190 million users across Asia.

Telefónica1
57%
MTN2
42%
América Móvil3
41%
Deutsche Telekom4
40%
Vodafone5
39%
AT&T6
38%
Telenor6
38%
Orange8
36%
e&9
21%
Axiata10
20%
Bharti Airtel10
20%
Ooredoo12
14%

In December 2022, Axiata and Telenor completed the merger of their Malaysian telecommunications subsidiaries, Celcom and Digi, creating the country’s largest mobile network operator, CelcomDigi. Following the merger, the newly formed entity demonstrated substantially greater transparency in its governance practices than Axiata, its largest shareholder in Malaysia, mainly reflecting Digi’s prior governance transparency. CelcomDigi adopted Digi’s human rights commitment and provided relatively clear disclosures regarding its human rights oversight structure and its approach to conducting human rights due diligence.

Despite these improvements, the merged company did not strengthen its practices or policies related to users’ freedom of expression. Instead, it ranked as the least transparent company in this category, as disclosures in this area declined slightly compared with its performance in the 2022 RDR Index. Notably, the Celcom brand no longer published advertising terms of service.

According to Freedom House, the level of internet freedom in Malaysia was slightly above the global average. While there was no public record of government-ordered national network shutdowns, authorities continued to block, filter, and remove websites and online content on political and religious concerns. For instance, the LGBTQ dating application Grindr has been blocked in Malaysia since April 2024. In a customer notice, CelcomDigi reported that it had blocked all SMS messages containing URL links, personal details, or phone numbers to prevent online fraud, responding to requests from Malaysian authorities. However, neither Axiata nor CelcomDigi published any country transparency reports detailing any government demands leading to website blocking or content restriction.

Meanwhile, Malaysia introduced regulatory changes that affected companies’ obligations related to personal data protection. All amendments to Malaysia’s 2010 Personal Data Protection Act (PDPA) took effect by June 1, 2025. The revised law required data processors to appoint a data protection officer and to notify both regulators and affected users following data breaches. To comply with these requirements CelcomDigi identified a “data protection officer” in its privacy notices to handle user queries, concerns, and complaints. The company also disclosed a crisis management framework for potential data breaches, including procedures for timely notification to regulators and affected parties.

Recent reports indicated that Telenor might divest its 33.1% stake in CelcomDigi by 2027. If the sale takes place, it could raise questions about the continuity of CelcomDigi’s transparency practices.

Key Takeaways

  • Axiata dropped from the 9th to 10th place this year, but its overall transparency score increased by more than five points[2], largely driven by the transparency of CelcomDigi in its governance processes, including its human rights due diligence, and its improvement in privacy protection.
  • Axiata was the least transparent company with respect to its practices and policies affecting users’ freedom of expression. The company did not publish any data on messages, advertisements, or websites blocked, whether to enforce its own policies or to comply with government orders.
  • Axiata pledged to develop AI ethically, however, it did not outline how the development or deployment of AI is governed and processed.

Recommendations

  • Publish information about censorship and demands for user information. Axiata should disclose the number of such demands it receives and complies with, from both governments and private parties.
  • Publish policies governing the use and development of algorithmic systems. Axiata should disclose its rules for the application and development of algorithmic systems or AI.
  • Strengthen transparency around user data management. The company should clarify its processes for collecting and inferring user information, specify data retention periods, and explain how users can better access and control their personal data.

Services evaluated:

  • Celcom (Prepaid mobile)
  • Celcom (Postpaid mobile)
  • Celcom (Fixed-line broadband)
  • Operating company evaluated: CelcomDigi (Malaysia)For telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
  • Market cap: USD 5.08B (as of May 18, 2026)
  • KLSE, based in Kuala Lumpur: AXIATA
  • Read more about how stock structures can be a barrier to shareholder participation
  • Website: https://www.axiata.com

The 2026 RDR Index: Telco Giants Edition covers policies that were active on August 31, 2025. Policies that came into effect after August 31, 2025 were not evaluated for this ranking.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Jie Zhang, Veszna Wessenauer
Download data and sources

Changes since 2022

  • Axiata recorded double-digit improvement in governance indicators following the merger, as CelcomDigi—the new operating entity—established a relatively comprehensive human rights governance framework. This includes a formal human rights commitment that explicitly covers freedom of expression, a top-down oversight structure for sustainability issues, and the implementation of regular human rights and AI impact assessments.
  • At the service level, however, its policy accessibility declined after the merger. Celcom’s terms of service and privacy policy were available only in English, with the Malay versions removed. In addition, Celcom brand also took down its previous policy on location-based advertising. It no longer provided a public webpage outlining its processes for responding to requests from government enforcement agencies.
  • On security and data protection, CelcomDigi disclosed that it conducts regular internal and external security audits. Meanwhile, the operation company provided some information on the measures and steps it takes to mitigate the harms resulting from data breaches.

Scores since 2017

100%0%20172018201920202022202613%14%14%16%15%20%
Most companies’ scores dropped between 2019 and 2020 with the inclusion of our new indicators on targeted advertising and algorithmic systems. To learn more, please visit our Methodology development archive.
Governance38%
Freedom of expression4%
Privacy24%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 38%

Axiata recorded a double-digit increase in its governance score, primarily reflecting more comprehensive disclosures of CelcomDigi, the newly merged Malaysian telecommunications operator. Beyond a formal human rights commitment (G1), CelcomDigi established a top-down governance structure to oversee human rights-related issues (G2). The entity also reported conducting human rights due diligence and assessing the risks of “disruptive technologies” (G4a, G4d). At the group level, however, Axiata did not provide comparable disclosures on these issues. In addition, no evidence showed that Axiata provides users with remedies for freedom of expression (G6a).

Freedom of expression 4%

Axiata exhibited minimal transparency in its approach to content governance and freedom of expression. Its services provided limited disclosure on its content restriction processes and lacked public-accessible policies governing advertising content and targeted advertising (F3a, F3b, F3c). The company disclosed no information on its response to government requests for websites or online content blocking, nor did it provide relevant data (F5a, F6). While CelcomDigi indicated that it follows an Authority Request Manual to address communication limitation (shutdown) orders, it did not share any further details on how such orders are implemented in practice (F10).

Privacy 24%

Axiata made notable progress in privacy protection areas, mainly due to its improvement in its security measures. CelcomDigi reported that it undergoes regular internal and external security audits (P13) and disclosed measures for responding to potential data breaches (P15). Despite its improvements, the company continued to lack systematic disclosures about how it manages user information. In particular, Axiata did not commit to data minimization (P3a) and did not clarify whether its services infer user information from data collected (P3b). At the service level, while Celcom provided users with some options to opt out of personalized promotions (P7) and allowed users to access their own data (P8), it did not indicate whether user data is used in the development of algorithmic systems (P7). Moreover, the company remained silent around government requests for user information (P10a, P11a).

Indicators

Footnotes

[1] For the purposes of consistency and comparability across ranking cycles, RDR evaluates Axiata at the group level, CelcomDigi at the operating company level, and the Celcom brand at the service level. This approach reflects the post-merger structure while maintaining continuity with prior assessments conducted before the Celcom–Digi merger. Although Celcom and Digi merged to form CelcomDigi, many customers continue to use legacy Celcom services and plans, making service-level policies and practices under the Celcom brand still relevant for evaluating users’ experiences and rights.

[2] This adjusted score reflects changes in company performance after excluding the effects of reassessments, corrections, and updates to research guidance, and is intended to capture only policy-related developments.