Re: The mistake was to use them for blackmailing intead of simply blocking the domains
You can monitor company resources. Just you can't match easily their use with people, especially when it comes to sensitive data - the mistake he did was to match the data with people identities.
If you do, without the required permissions, you can end in big troubles. Remember also most European privacy laws, and now GDPR, regard sexual preferences as highly sensitive data, and their collection and use is highly restricted. It can put the whole company in trouble.
Years ago I was involved in the creation of a monitoring software to prevent the leak of highly sensitive documents. It had network probes that collected traffic and appliances that rebuilt it to identify documents going where they shouldn't. We had to protect the collected information to a great extent. Any possible personal identifier, including IP addresses, were strongly protected. When a possible data leak was identified, to decrypt data those three people were needed to enter their credentials (from security, upper management, and legal), and a union representative was present. All actions were logged for auditing, and a separate auditor could check which data were accessed (but not the actual data), and why. Workers were notified the system was active. Only banking and healthcare domains were exempt.
We did get porn too, of course - all workers were notified using company resources for such activities was forbidden and could put someone in trouble. Accessing illegal contents would have triggered a notification to law enforcement, and the company would have given all required evidence under a warrant.