Meta Employee Data Tracking Tool Raises EU Privacy and GDPR Compliance Concerns
Meta's AI Data Collection Initiative and Its Regulatory Implications
By Katie Paul and Toby Sterling
NEW YORK/AMSTERDAM, May 29 (Reuters) - Meta Platforms' plan to collect detailed records of U.S. employees’ computer usage for training its AI models is more extensive than initially described and set to capture non-U.S. data in the process, according to internal documentation seen by Reuters.
The documents introduce fresh complications for the project — a key component of CEO Mark Zuckerberg’s broader plan to transform how the company operates around AI agents — that could draw Meta into a new European privacy fight, rights groups told Reuters.
Overview of the Model Capability Initiative (MCI)
The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus, in order to build AI agents that can perform everyday software tasks autonomously.
The tool, called Model Capability Initiative, or MCI, is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers. The company said it would impact only U.S. employees and that safeguards were in place to protect sensitive information.
In the weeks since its launch, however, Meta employees have complained that MCI was consuming so much data that it was causing their home internet usage to spike, in some cases using up an entire month’s quota within days, according to internal posts seen by Reuters.
Meta also acknowledged in a question-and-answer document provided to employees that the tool would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender’s location.
In a statement, Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees’ devices and that its focus was on how people interact with computers, not the content on their screens.
“In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business,” said Arnold.
He confirmed the approximate number of apps and websites the tool is tracking, but declined to answer detailed questions about how much data it is ingesting and its legality.
“We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," he said.
GDPR Compliance and Privacy Concerns
Emergence of GDPR Compliance Questions
GDPR COMPLIANCE QUESTIONS EMERGE
The findings could deepen Meta’s regulatory troubles in the European Union, where tech companies are facing heated legal clashes over how they collect and deploy data.
While U.S. workers have few protections against employer surveillance, companies operating under the EU’s General Data Protection Regulation must have a legal basis for processing personal data, disclose what is collected and meet strict conditions for especially sensitive data like health information.
Potential Capture of Non-U.S. Employee Data
In Meta’s FAQ document on MCI, one entry addressed the tracking from the perspective of a non-U.S. employee: “I'm based outside the U.S. Will my conversations or data be captured if I'm communicating with a U.S.-based colleague who has the tool enabled?”
The company's response: “If a U.S.-based colleague has the tool enabled while gchatting or emailing with someone outside the U.S., that activity would be captured.”
Meta also said in the FAQ that data collected by MCI would be “dissociated” from identifying employee information and therefore could not be looked up or deleted for individuals, a requirement in Europe.
Expert Opinions on GDPR Risks
Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules.
Key sticking points could include whether the tool’s collection of European data is considered “incidental” or counted as monitoring under the GDPR, and whether the initiative can pass a “purpose limitation” test, she added.
“This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose,” said Sardeli.
Meta told the Irish Data Protection Commission, its lead EU privacy regulator under GDPR, that neither EU employee data nor the recording of screen content "falls within the primary purpose of the tool," a DPC spokesperson told Reuters, without elaborating.
Arnold, the Meta spokesperson, declined to comment on the company’s exchanges with regulators.
Employee Reactions and Internal Backlash
Backlash Over Data Scope
EMPLOYEE BACKLASH OVER DATA SCOPE
The MCI project is part of a far-reaching restructuring at Meta aimed at handing large swaths of work over to AI agents, which has prompted an angry backlash among employees, who have likened Meta to an “Employee Data Extraction Factory.”
Employee Analysis and Security Concerns
In an internal post, one employee shared findings of a detailed analysis of MCI log files performed with the aid of Anthropic’s Claude, the type of AI tool Meta has been pushing staffers to incorporate into their workflows.
According to the analysis — replicated by others — MCI was tacked on to the company’s existing data security software, giving it access to additional details including employees’ code changes, their computers’ sleep and wake cycles, URLs visited and any clipboard content they copy and paste, which it then stored less securely in unencrypted form.
Compiling that volume of data would make it possible to build “a complete behavioral model of how a knowledge worker does their job,” the employee wrote.
“Not ‘an AI that clicks a dropdown for you’ but ‘an AI that knows which dropdown to click, what to select, which document to paste it into, and what to do next,'” she wrote.
The employee’s post later vanished, two other employees
