Meta's employee mouse-click tracking system is gathering EU data that it claimed it would not gather.

      Internal documents indicate that the Model Capability Initiative captures emails and chats exchanged by US employees with European colleagues, resulting in potential conflicts with GDPR regulations. According to a Reuters exclusive published on Thursday, Meta’s Model Capability Initiative, which was launched in April and monitors US employee activities for AI training by tracking keystrokes, mouse clicks, and screen content, is gathering far more data from European employees than Meta has publicly stated. Privacy lawyers from NOYB, based in Vienna, believe this setup puts Meta at odds with GDPR compliance.

      The core issue lies in the scope of the program. Meta has repeatedly assured its employees, regulators, and the public that the MCI operates solely on US-based workstations and does not monitor European employees. The Irish Data Protection Commission, which oversees Meta's privacy practices in the EU under GDPR, was given the same information. However, the internal documents reviewed by Reuters reveal that MCI collects the details of any email or message sent or received by US-based Meta employees, regardless of the recipient's location.

      Consequently, every chat between a Meta worker in California and a colleague in Dublin, Paris, or Munich is included in the training data, as is every email a US-based account manager sends to a European customer. The legal implications here are significant. The GDPR's purpose-limitation principle states that personal data gathered for one purpose (workplace communication within an employment context) cannot be later repurposed for a different purpose (training an advanced AI model).

      NOYB's interpretation of the situation, as conveyed to Reuters, asserts that “taking an employee’s chat and inputting it into an AI model is incompatible with the original purpose” for which the message was sent. The argument regarding repurposing does not necessitate active monitoring of European employees by Meta; according to NOYB, the mere incorporation of European personal data into the training set constitutes a violation of GDPR.

      This case unfolds amid an already strained relationship between Meta and the EU. Last year, the European Commission secured user-consent commitments from Meta regarding targeted advertising. Additionally, the EU’s Court of Justice ruled against Meta in a case involving payment to Italian publishers in 2024, and the company is currently in a legal dispute with Ofcom in the UK High Court concerning fees under the Online Safety Act.

      NOYB has also urged 11 European data protection authorities to prohibit Meta from utilizing personal data for AI training. Therefore, the MCI issue represents not Meta's first privacy challenge related to AI training in Europe, but it is the first instance where the privacy concern centers on the company's own employees instead of its product users.

      The underlying commercial rationale is also notable. MCI falls within Meta’s larger Agent Transformation Accelerator initiative, overseen by Meta SuperIntelligence Labs, which aims to train the Muse Spark family of models to autonomously manage multi-step workplace tasks. The data on keystrokes and mouse movement instructs the models on how human workers navigate tools like Google Docs, LinkedIn, Wikipedia, and about 200 other applications that MCI encompasses. Essentially, the training data relies heavily on observing actual workers performing genuine workplace tasks.

      By opting to utilize US employees instead of external contractors, Meta gains a data advantage while also exposing itself to GDPR risks. The internal documents question whether the capture of European data is incidental or systematic. Meta has characterized this European data capture as accidental overflow, an inevitable consequence of operating the tool on US machines that interact with European colleagues.

      How this is framed has important implications because GDPR allows for exceptions in cases of incidental processing. NOYB argues that the volume and consistency of such data capture—encompassing every email, every chat, continuously—far exceed what could be considered incidental. The Irish DPC will need to decide which interpretation applies.

      Meta CTO Andrew Bosworth has indicated that US employees do not have the option to opt out. European employees are officially exempt due to GDPR restrictions on monitoring; however, the documents now suggest this exemption may be more of a slogan than a real boundary. The IDPC has not yet initiated a formal investigation, and Meta has not provided a comment on the findings from Reuters. This case will serve as one of the first significant assessments of how the GDPR's purpose-limitation principle is applied to data flows used for AI training that cross the Atlantic.