Meta's tool for tracking employee mouse clicks is gathering EU data that it previously stated it would not gather.
Internal documents reveal that Meta’s Model Capability Initiative is capturing emails and chats exchanged between US employees and their European colleagues, leading to potential conflicts with GDPR regulations. According to a Reuters exclusive published on Thursday, internal documents indicate that this surveillance program, initiated in April across US employee workstations to gather keystrokes, mouse movements, and screen content for AI training, is acquiring significantly more data from European employees than Meta has publicly stated.
Privacy lawyers from the Vienna-based organization NOYB assert that the documented system places Meta at odds with GDPR compliance. The primary issue lies in the program's scope. Meta has repeatedly informed its employees, regulators, and the public that the Model Capability Initiative operates solely on US workstations and does not monitor European staff.
The Irish Data Protection Commission, Meta’s principal EU privacy regulator under GDPR, was given the same assurances. However, the internal documents reviewed by Reuters reveal that the initiative collects all content from any email or message sent or received by a US-based Meta employee, without regard for the location of the other party involved. As a result, every discussion between a Meta employee in California and a colleague in cities like Dublin, Paris, or Munich is being included in the training data. Likewise, every email sent by a US-based account manager to a European client is also captured.
The legal aspect is crucial here. The GDPR’s purpose limitation principle states that personal data collected for one specific use, in this case, workplace communication as part of an employment agreement, cannot later be used for an unrelated objective, such as training an advanced AI model. NOYB summarizes its position to Reuters by stating that “ingesting an employee’s chat into an AI model contradicts the original intent” behind the communication.
The repurposing argument does not require Meta to actively surveil European employees; simply incorporating European personal data into the training set constitutes, in NOYB's view, a violation of GDPR.
This situation occurs in the context of increased tension in Meta's relationship with the EU. The European Commission secured user consent commitments related to targeted advertising from Meta the previous year. In 2024, the EU Court of Justice ruled against Meta in a case pertaining to payment to Italian publishers, and the company is currently contesting Ofcom in the UK High Court regarding fees under the Online Safety Act.
NOYB has also requested that 11 European data protection authorities prevent Meta from utilizing personal data for AI training. Thus, the MCI situation is not Meta's first privacy-related confrontation concerning AI training in Europe, but it marks the first instance wherein the conflict involves the company’s own employees rather than its consumer product users.
Additionally, the commercial reasoning behind MCI warrants attention. It is part of Meta’s broader Agent Transformation Accelerator program, overseen by Meta SuperIntelligence Labs, which aims to train the Muse Spark family of models for autonomously executing multi-step workplace tasks. The data on keystrokes and mouse movements is essential for teaching the models how actual human workers navigate applications like Google Docs, LinkedIn, Wikipedia, and around 200 others covered by MCI. Essentially, the training material relies on observing real employees complete genuine workplace activities.
Meta’s choice to utilize its own US workforce instead of hiring external workers provides the company with a data advantage, yet it also exposes the company to GDPR risks. Furthermore, the internal documents raise the question of whether the acquisition of European data is an incidental occurrence or a systematic practice. Meta has characterized the capture of European data as accidental overflow, an unavoidable consequence of operating the tool on US machines that interact with European employees.
This framing is important as GDPR does allow for certain exceptions for incidental processing in various situations. NOYB counters that the extent and regularity of the data capture—every email, every chat, constantly—exceeds any reasonable definition of incidental. The Irish Data Protection Commission will need to determine which perspective applies.
Meta’s CTO, Andrew Bosworth, has previously stated that there is no option for US employees to opt out of this monitoring. European employees are formally exempt due to GDPR restrictions against similar monitoring; however, the documents now imply that this exemption functions more as a slogan than as an actually enforced boundary.
As of now, the IDPC has not initiated a formal investigation, and Meta has not provided any comments regarding the findings reported by Reuters. This case will serve as one of the initial significant tests of applying the GDPR’s purpose limitation principle to AI training data flows that cross the Atlantic.
