Navigation path

Use of third-party tools and services

Mandatory requirement

Third party services are not allowed on EUROPA. Webmasters must use in-house solutions and not third party tools.

 

View all IPG Rules

Third-party tools and services carry considerable continuity, accuracy and privacy risks and their use on EUROPA websites is therefore not allowed. Webmasters must use in-house solutions.

 

Description

Many companies offer "free" tools, services, plug-ins or widgets that provide extra features and functionalities on websites. Use of these tools generally requires registration on the site and acceptance of the companies' terms of use. Examples include Google analytics or Statscounter to analyse site traffic; Bing maps for geographical information; AddThis to share or bookmark; YouTube for videos; Facebook social plug-ins an extension of Facebook in other site; Twitter plug-ins, etc.

These tools can be used or embedded on any website via JavaScript or API, while the tool remains hosted on the servers of the company. The website including the third-party tool will contact and connect to the company's servers anytime a page is viewed by a user. 

Using these tools embedded on EUROPA sites is not without risk. Several European countries and the US have removed third-party tools from their sites for fear of breaching their user privacy obligations following complaints by web users. For example, the German Data Protection Institution has declared it does not authorize the use of Google Analytics on public websites.

 

Use on EUROPA websites

  • Third party services are not allowed on EUROPA. Webmasters must use in-house solutions and not third party tools. The Commission has set up a range of in-house solutions which provide the same or often better service than some of these "free" tools. These services are tested to comply with security and legal requirements of the institutions. They also come with the full support and back-up of the EUROPA Team and DIGIT. 
  • Insert a link to your social media pages instead of embedding the plug-ins on your site. 
  • All videos posted on EUTube are available on the Audiovisual service. Embed or link to them instead.
  • Use of social media in EU communication 

In case a EUROPA website wishes to use third party services, it should concern a justified business need, which cannot be fulfilled by in-house solutions. In that case, a risk assessment should be made, considering the requirements of Regulation (EC) 45/2001,  Decision C(2006)3602 and Directive 2009/136/EC. This risk assessment should cover at least the 7 risk areas mentioned below and should include a consultation of the DPO and HR.DS.

If the aforementioned actions have lead to a positive outcome, the owner of the EUROPA website must comply with the ePrivacy Directive, implement the cookie consent kit and clearly inform the users via a specific disclaimer that a third party is collecting data on them and that they are no longer covered by the standard EUROPA privacy statement on data protection.

 

Risks

The risks of using third party tools are based on the following critical issues:

Privacy and data protection

The European Union is committed to user privacy in conformity with Regulation 45/2001. As far as the Commission is concerned, its Personal Data Protection legal notice based on Regulation (EC) 45/2001pdf guarantees that on EUROPA sites the users are always informed when their private data is collected and how this data is handled.

Moreover, the ePrivacy directive (Directive 2009/136/EC) and specifically Article 5(3) requires prior user informed consent for storage or access to information stored on a user's device.

EUROPA sites permit the use of first party session cookies and in cases when first party permanent cookies are used the Internet user is duly notified. On the contrary, third-party products often use permanent cookies, log files, web beacons and other tracking tools to monitor and analyse user behaviour.

In that case, the data will be transferred outside the EU, which is subject to a series of conditions and restrictions: the Commission is generally not in a position to check that such conditions are met by the third party service provider.

Business continuity is not guaranteed

The third-party tools are not maintained by the EUROPA team and the European Commission does not have any influence over them. That means there is a risk that the product could be discontinued at any time without prior notice. In case of malfunction or error in the service,

Legal uncertainty

The terms of use of third-party tools may be changed without notice. A service that was once free may suddenly bring about legal or financial obligations for the institutions. The company that developed the tool may be sold to a competitor that could have different intentions for the use of the collected data. The privacy policy of the service provider may vary.

It should be also noted that by accepting the terms of use of the third-party service, EUROPA webmasters participate in a legal act in the name of the institution for which he or she may not have any authorisation.

Dependency on third party

External tools are essentially black boxes. Webmasters do not have control over them and the development team of DIGIT is unable to assist with any development or troubleshooting.

Limited accuracy assurance, dubious data comparability

Providers could change or adjust the collected data without notice. Moreover, various companies offering third party tools use differing data collection methods. Therefore, websites cannot be compared to each other. Their results can vary depending on the tool used thus being useless for reporting. On the contrary, EUROPA analytics uses the same collection method for all sites and allows comparability between them.

Internet security risks

In the past, the settings of a third-party service integrated on a Commission website were changed to redirect users to a pornographic website. On another occasion, users were asked to install virus infested software under heading of the European Union. Recently, Twitter was spreading a worm without the account owner's knowledge. This is an obvious public relation risk. 

Endorsement

The use of a third-party service on EUROPA sites serves as implicit endorsement or approval by the European institutions. This would constitute a breach of competition rules as no tender has been launched nor there exists any contractual relationship. This can also result in the Commission being held liable for any harm suffered by the Internet user.