Employers are increasingly monitoring and filtering the web browsing habits of employees.
The Commission Nationale de l’Informatique et des Libertés (CNIL) recently released new guidance (for public comment) on how employers should perform web filtering. The guidance is helpful not only for EU employers under GDPR, but California employers complying with the California Consumer Privacy Act (CCPA). (This is especially true since the California Privacy Protection Agency (CPPA) is still conducting an employer sweep.)
Some key data protection considerations that we are discussing with clients:
- HTTPS Decryption When HTTPS decryption is necessary to detect malicious files:
- Limit decryption to non-whitelisted domains.
- Do not retain HTTP request contents.
- Follow security guidance from ANSSI.
- Do not go beyond detecting compromise indicators.
- Retention term: CNIL recommends 6 months to 1 year for access logs. Longer durations must be justified and documented.
- DPIA may be required.
- Disclosure: You need to tell the employees that you are doing this through onboarding/employee handbook acknowledgement. But you also need to provide all information required by law, including: the purpose of the processing and consumer rights with the data.
- If you are doing this with the assistance of a service provider:
- Address cross border transfers (for EU employers, this means transfers outside the EU; for U.S. employers, this means watching for countries of concern (e.g. China).
- Make sure you have a compliant DPA (Data Processing Addendum).
- Ensure audit access to logs.
- Verify the provider’s data security (e.g., log breach risk.).
- Apply data minimization — use pseudonymization (e.g., hash IDs, tokenize logs).
- Document data flows and responsibilities between company and SaaS provider.
- Security: Ensure access control; confidentiality clauses and MFA for admins; secure storage of the logs.
[View source.]
