Use of third-party tools and services
Third party services are not allowed on EUROPA. Webmasters must use in-house solutions and not third party tools.
View all IPG Rules
Third-party tools and services carry considerable continuity, accuracy and privacy risks and their use on EUROPA websites is therefore not allowed. Webmasters must use in-house solutions.
Using these tools embedded on EUROPA sites is not without risk. Several European countries and the US have removed third-party tools from their sites for fear of breaching their user privacy obligations following complaints by web users. For example, the German Data Protection Institution has declared it does not authorize the use of Google Analytics on public websites.
Use on EUROPA websites
- Third party services are not allowed on EUROPA. Webmasters must use in-house solutions and not third party tools. The Commission has set up a range of in-house solutions which provide the same or often better service than some of these "free" tools. These services are tested to comply with security and legal requirements of the institutions. They also come with the full support and back-up of the EUROPA Team and DIGIT.
- Insert a link to your social media pages instead of embedding the plug-ins on your site.
- All videos posted on EUTube are available on the Audiovisual service. Embed or link to them instead.
- Use of social media in EU communication
In case a EUROPA website wishes to use third party services, it should concern a justified business need, which cannot be fulfilled by in-house solutions. In that case, a risk assessment should be made, considering the requirements of Regulation (EU) 2018/1725, Decision C(2006)3602 and Directive 2009/136/EC. This risk assessment should cover at least the 7 risk areas mentioned below and should include a consultation of the DPO and HR.DS.
If the aforementioned actions have lead to a positive outcome, the owner of the EUROPA website must comply with the ePrivacy Directive, implement the cookie consent kit and clearly inform the users via a specific disclaimer that a third party is collecting data on them and that they are no longer covered by the standard EUROPA privacy statement on data protection.
The risks of using third party tools are based on the following critical issues:
Privacy and data protection
The European Union is committed to user privacy in conformity with Regulation (EU) 2018/1725. As far as the Commission is concerned, its Personal Data Protection legal notice based on Regulation (EU) 2018/1725 guarantees that on EUROPA sites the users are always informed when their private data is collected and how this data is handled.
Moreover, the ePrivacy directive (Directive 2009/136/EC) and specifically Article 5(3) requires prior user informed consent for storage or access to information stored on a user's device.
EUROPA sites permit the use of first party session cookies and in cases when first party permanent cookies are used the Internet user is duly notified. On the contrary, third-party products often use permanent cookies, log files, web beacons and other tracking tools to monitor and analyse user behaviour.
In that case, the data will be transferred outside the EU, which is subject to a series of conditions and restrictions: the Commission is generally not in a position to check that such conditions are met by the third party service provider.
Business continuity is not guaranteed
The third-party tools are not maintained by the EUROPA team and the European Commission does not have any influence over them. That means there is a risk that the product could be discontinued at any time without prior notice. In case of malfunction or error in the service,
Dependency on third party
External tools are essentially black boxes. Webmasters do not have control over them and the development team of DIGIT is unable to assist with any development or troubleshooting.
Limited accuracy assurance, dubious data comparability
Providers could change or adjust the collected data without notice. Moreover, various companies offering third party tools use differing data collection methods. Therefore, websites cannot be compared to each other. Their results can vary depending on the tool used thus being useless for reporting. On the contrary, EUROPA analytics uses the same collection method for all sites and allows comparability between them.
Internet security risks
In the past, the settings of a third-party service integrated on a Commission website were changed to redirect users to a pornographic website. On another occasion, users were asked to install virus infested software under heading of the European Union. Recently, Twitter was spreading a worm without the account owner's knowledge. This is an obvious public relation risk.
The use of a third-party service on EUROPA sites serves as implicit endorsement or approval by the European institutions. This would constitute a breach of competition rules as no tender has been launched nor there exists any contractual relationship. This can also result in the Commission being held liable for any harm suffered by the Internet user.