Introduction – A Context of Elevated Cyber Threats
The rapid evolution of information technologies, combined with the widespread adoption of remote work and the constant interconnection of systems, has significantly reshaped the digital risk landscape.
In this context, web filtering gateways—also known as web proxies—have become essential tools for controlling internet traffic, capable of blocking access to malicious or non-compliant content.
On 28 July 2025, the French Data Protection Authority (CNIL) launched a public consultation on its draft recommendation regarding the use of such systems in professional environments. Open until 30 September 2025, this initiative forms part of the CNIL’s cybersecurity action plan and aims to establish GDPR-aligned, essential cybersecurity standards.
The goal is twofold: ensure the security of information systems while preserving fundamental rights, particularly the right to privacy and personal data protection.
1. Purpose and Scope of the Consultation
The draft recommendation clarifies the legal and technical requirements for implementing web filtering gateways in professional settings. These tools play a pivotal role in controlling and filtering both inbound and outbound internet traffic—potentially down to the level of specific requests and content.
This text primarily addresses:
- Data controllers, such as private-sector employers, public administrations, and organizations that filter their employees’, contractors’, or visitors’ web access.
- Filtering solution providers, who must integrate privacy-by-design and security-by-design principles into their offerings.
Notably, the recommendation does not apply to entities that offer open public internet access (e.g., shops, cultural spaces, or public Wi‑Fi providers), which are governed by different regulatory frameworks.
2. Legal Foundations: Balancing Security and Freedoms
This draft draws on several key legal frameworks:
- Article 32 of the GDPR, which mandates appropriate technical and organizational measures to ensure a level of security proportionate to the risks.
- Article 25 of the GDPR, which enshrines the principles of data protection by design and by default.
- The French Data Protection Act of 1978 (as amended), which governs personal data processing and gives the CNIL its enforcement powers.
The challenge is clear: balance necessary security monitoring with the protection of privacy and freedom of communication. The CNIL seeks to define a precise, operational balance.
3. A Milestone in an Ongoing Trend
This consultation continues a broader CNIL strategy to standardize cybersecurity and data protection practices.
Recent examples include:
- Mobile applications (2023): public consultation, followed by 2024 recommendations and targeted audits in 2025.
- Multi-factor authentication (2024): enhanced robustness combined with privacy by design.
- Security of high-risk systems (2023–2024): best practices for processing operations with elevated risk.
These demonstrate the CNIL’s commitment to building a coherent body of guidance covering multiple technical domains to strengthen legal clarity for economic actors.
4. Operational Goals of the Recommendation
The consultation invites stakeholders to comment on key questions such as:
- How to ensure proportionate filtering and avoid excessive data collection?
- How to clearly inform users about the filtering measures in place?
- What technical standards should be adopted to prevent misuse or data leaks?
These points aim to carve out a framework that is both technically robust and respectful of fundamental rights.
5. Priority Measures for Companies
While the draft recommendation is not yet binding, it underscores the importance of proactively aligning with the GDPR and national legal obligations that already apply.
Companies should consider:
- Mapping deployed web filtering gateways or proxies (on-premises, cloud, SASE).
- Verifying the legal basis for the processing and the information provided to users.
- Reviewing filtering configurations and log retention policies.
- Securing administration of the devices (MFA, user rights, logging).
- Updating internal documents (information system security policy, PSSI; records of processing activities) and conducting a DPIA where needed.
- Including web filtering in the broader cyber governance and security processes.
The final recommendation is expected soon and should help harmonize these practices, enhancing legal security for data controllers.
6. Critical Analysis and Future Outlook
This consultation brings a preventive approach—central to the GDPR—into a specific technical field: web filtering gateways, especially relevant in the era of remote work, cloud environments, and SASE architectures.
However, limitations should be acknowledged:
- The scope is narrow, excluding public access scenarios.
- Technical complexities arise from diverse network and cloud setups.
- Over-surveillance risks call for strict adherence to the necessity and proportionality principles.
The CNIL has announced that this consultation will be followed by additional work on security tool recommendations in the broader information systems domain.
Conclusion
Though technical by nature, web filtering gateways now sit firmly at the intersection of cybersecurity and personal data protection. This public consultation marks a significant step—not a regulatory revolution, but a crucial milestone in the continued governance of digital tools.
