On 13 March 2026, the French Data Protection Authority (hereinafter "the CNIL") published its recommendation on the deployment of a web filtering proxy server [1], adopted by deliberation no. 2026-022 of January 29, 2026 [2], following a public consultation conducted in 2025 that received fourteen contributions.
A web filtering proxy server is a device interposed between the user’s workstation and the remote web server, whose main function is to block access to certain websites or categories of content, detect malicious payloads (in particular through HTTPS traffic decryption) and log browsing activity. While these functions usefully contribute to the security obligation set out in Article 32 of the GDPR [3], they also involve the processing of personal data, the compliance of which must be ensured.
The recommendation is addressed to data controllers, whether public or private employers, deploying such a system for professional Internet access for their employees, agents, contractors or visitors. However, it does not cover public internet access open to everyone.
On the substance, the CNIL provides the following clarifications:
The applicable legal basis is the legitimate interest of the data controller within the meaning of Article 6(1)(f) of the GDPR, subject to a documented balancing exercise. The CNIL explicitly rules out that Articles 5(1)(f) and 32 of the GDPR, which establish a general security obligation, are sufficient in themselves to ground a legal obligation to deploy such a system.
A Data Protection Impact Assessment (DPIA) is required where the processing meets at least two of the following criteria:
On data minimisation, the CNIL recalls that the data collected must be strictly limited to what is necessary for each specific purpose. It identifies the categories that may in principle be processed: user identity, IP address, all or part of the URL visited, timestamp, category of site visited and action applied. As regards data transmitted to the solution provider for categorisation purposes, these must be limited to the domain name and not the full URL.
Particular attention is drawn to HTTPS decryption, which may provide access to highly sensitive information contained in URLs. The CNIL recommends configuring exception lists excluding banking, healthcare and public service websites from decryption, refraining from retaining request content unless a malicious payload is detected, and allowing employees to request that specific URLs be added to these lists.
Regarding log retention, the CNIL refers to its logging recommendation and sets a retention period of between six months and one year, any longer period requiring specific justification.
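The three points above (domain-only lookups to the provider, a decryption exception list, and a bounded retention window) map onto a few proxy-side checks. The following is an added illustration, not code from the CNIL or from any proxy product; the exception-list domains, the six log fields and the one-year window are taken from the recommendation as summarised here, and the `.example` host names are constructed:

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Constructed decryption exception list: hypothetical domains standing in for
# the banking, healthcare and public-service categories the CNIL names.
NO_DECRYPT_SUFFIXES = ("mybank.example", "health.example", "gouv.example")

# Retention window in days: the one-year upper bound stated in the recommendation.
RETENTION_DAYS = 365


def provider_lookup_key(url: str) -> str:
    """Host name only: the single value sent to the categorisation provider."""
    # Path, query string and fragment never leave the proxy.
    return (urlsplit(url).hostname or "").lower()


def decryption_exempt(url: str) -> bool:
    """True when the host is on the exception list and must not be decrypted."""
    host = provider_lookup_key(url)
    # Suffix match with a leading dot so 'evilmybank.example' does not qualify.
    return any(host == s or host.endswith("." + s) for s in NO_DECRYPT_SUFFIXES)


def build_log_record(user_id: str, client_ip: str, url: str, category: str,
                     action: str, when: Optional[datetime] = None) -> dict:
    """Log entry limited to the six fields the recommendation lists."""
    # For exempt hosts the session is not decrypted, so only the host name
    # (visible in the TLS handshake) is recorded, never the full URL.
    if decryption_exempt(url):
        url = provider_lookup_key(url)
    when = when or datetime.now(timezone.utc)
    return {
        "user": user_id,
        "ip": client_ip,
        "url": url,
        "timestamp": when.isoformat(),
        "category": category,
        "action": action,
    }


def retention_expired(record: dict, now: Optional[datetime] = None) -> bool:
    """True when the record is older than the retention window and must be purged."""
    now = now or datetime.now(timezone.utc)
    stamped = datetime.fromisoformat(record["timestamp"])
    return now - stamped > timedelta(days=RETENTION_DAYS)
```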
Finally, the recommendation addresses deployment modalities, emphasising that the use of a SaaS solution entails entering into a data processing agreement compliant with Article 28 of the GDPR, controlling any transfers of data outside the EU, and implementing pseudonymisation mechanisms for data transmitted to the provider.
[1] https://www.cnil.fr/sites/default/files/2026-03/recommandation_serveur_mandataire_web_filtrant.pdf