
CIOs, CISOs, what do you risk if you fail to implement content access management tools (web filtering)?

Cyber news
October 17, 2023

The use of the Internet within companies is becoming more complex year after year with the development of new uses and the new threats associated with them: Shadow IT, SSL decryption, BYOD, SaaS, the CLOUD Act, teleworking, GDPR...

CIOs and CISOs are faced with a number of legal questions in the course of their work to protect the interests of their organizations:

- Is it compulsory to filter access to web content?

- Should or can public web access be filtered?

- Is there a different legal regime for private and public companies?

- How to filter while preserving residual employee privacy and GDPR compliance?

- Can an employee be punished on the basis of the data returned by the filtering tool?

- Is the filtering tool authorized even though it collects a lot of personal data? Should staff, outsiders or both be informed?

Is web filtering mandatory?

Web filtering is the process of controlling the content accessible on the Internet. It aims to block or authorize access to websites according to predefined criteria, such as cybersecurity, compliance with corporate policies, or protection against inappropriate or illicit content. This ensures online security, optimizes productivity and prevents access to malicious sites.

Although it is not mandatory, the competent bodies (ANSSI, etc.) actively recommend its use and implementation. It should also be noted that the 2022 version of the ISO 27001 standard makes filtering mandatory to obtain certification.

It should be noted that the law requires certain players, in particular individuals or legal entities whose business is to provide access to online public communication services, to implement "technical means to restrict access to certain services or to select them". This is web filtering, even if it is implicit.

What are the legal risks of not implementing filtering?

Risk of criminal liability

Under article 121-2 of the French Penal Code, employers are criminally liable for the actions of their employees if the company is the beneficiary of the illegal act. The company could therefore be held liable, notably as an accomplice (supplier of means), for illicit access, by its bodies or representatives and on behalf of the company, if the following content is consulted:

- Child pornography content

- Illegal online gaming sites (i.e. those accessible from French territory without having been approved by the French online gaming regulator, the Autorité de régulation des jeux en ligne)

- Sites that infringe authors' rights

- Sites that glorify terrorism

- Software used to undermine an automated data processing system.

- Software for circumventing technical protection or information measures

- Sites, with regard to the products and services they market, such as in particular:
  - Human body organs and products
  - Drugs
  - Paedophile items
  - Firearms and explosives
  - Medicines
  - Tobacco
  - Alcohol

Civil liability risk

According to article 1242 paragraph 5 of the French Civil Code, civil liability consists in being answerable for any damage caused, and thus in repairing the damage caused. Consequently, employers are liable for damage caused by their employees in the performance of their duties, and must compensate the victim by paying damages.

The subject essentially concerns the employer's level of responsibility in the face of illicit Internet use by its employees and when it provides Internet access to third parties.

For example, the Aix-en-Provence Court of Appeal convicted an individual and his company of trademark infringement, on the grounds that the disputed website had been created at the employee's place of work using IT resources provided by his employer. The company was held liable in its capacity as principal for the creation by its employee of an illegal personal website.

In the same vein, the TGI de Marseille condemned the employer of an employee who had created a litigious website, for having made available to his employee the technical resources required to put the site in question online, regardless of whether the employee had acted outside his professional remit.

Is there a difference between government and local authorities?

In the event that a local authority fails to take the necessary measures for the security and control of the Internet used by its staff, and in particular has not used filtering software, its criminal liability is not necessarily incurred as a result of the commission of an offence by one of its staff members.

As the hypothesis does not fall within the scope of article 121-2 of the French Penal Code, the failure to implement filtering measures to secure Internet use by its staff is not one of the activities for which the company may be held criminally liable.

Nevertheless, it may be held liable as the principal of its employee if the conditions are met. To defend itself, the administration will have to prove the following three cumulative elements, namely that the agent acted:
- Outside the scope of his duties
- Without authorization
- Outside the scope of his duties

But this does not always rule out its responsibility. Since the Lemonnier ruling, the same facts may constitute both a personal fault on the part of the employee and a service-related fault for which the administration will be held accountable.
In this respect, the doctrine specifies that as long as the misconduct has a link with the service, this personal misconduct appears as "not deprived of any link with the service", due to the fact that it was committed either during the performance of the employee's duties, or because the performance of his or her duties may have in some way facilitated its commission.



Although it is not compulsory, except for a well-defined category of companies, web filtering provides a framework and legal protection enabling IT Departments to manage employee access in a way that minimizes legal risk.

In an upcoming article, we'll look at how to deploy a filtering solution while respecting the legal framework and labor laws.

To delve deeper into the subject, Olfeo has written a comprehensive white paper in collaboration with specialist law firm Lexing Bensoussan, to cover all the legal aspects of this topic. We invite you to download it for complete coverage of the subject.