Key Points:
- Meta’s Model Capability Initiative (MCI) logs employee mouse movements, clicks, and keystrokes to train its upcoming autonomous AI agents.
- Although the tool is installed only on U.S. devices, internal files reveal that it captures the communications of European colleagues, risking a GDPR clash.
- European privacy advocates from NOYB warned that taking employee chats to train AI models violates fundamental data-use limitations.
- U.S. employees complained that the aggressive surveillance program consumed massive amounts of data, quickly eating up monthly home internet quotas.
Meta Platforms’ ambitious initiative to train autonomous artificial intelligence agents by tracking its employees’ digital habits has run into a severe regulatory bottleneck. According to internal corporate documents seen by Reuters, the tech giant’s new program, called the Model Capability Initiative (MCI), collects far more extensive records of employee computer usage than the company initially described. Although Meta claimed that the program monitors only U.S.-based employees, the system’s wide-reaching capabilities are capturing the private communications of non-U.S. personnel in the process, placing the company on a direct collision course with the European Union’s strict privacy regulations.
The owner of Facebook and Instagram first notified its workforce of the deployment of MCI in April 2026. Designed under CEO Mark Zuckerberg’s broader plan to automate corporate operations around AI agents, the tool runs silently on work computers. It logs every mouse movement, click, menu navigation, and keystroke, and occasionally takes screen snapshots. By studying how highly skilled knowledge workers interact with computers, Meta hopes to train its next-generation artificial intelligence models, such as the Muse Spark system developed by Meta Superintelligence Labs, to perform routine office tasks autonomously.
However, the company’s internal documentation reveals a significant legal risk. In a question-and-answer document provided to employees, Meta acknowledged that the tracking software will capture the actual contents of any emails or direct messages sent to U.S. personnel, regardless of the sender’s physical location. This means that if a European employee communicates via Gmail, Google Chat, or Slack with a U.S.-based colleague who has the tool enabled, the system will record and ingest that European citizen’s data, transferring it directly to Meta’s AI training models in the United States.
This cross-border data capture has triggered immediate alarm among European data protection advocates. Under the EU’s General Data Protection Regulation (GDPR), companies must have a clear, pre-defined legal basis to process personal data. They must meet exceptionally strict conditions when handling sensitive information. Kleanthi Sardeli, a legal expert at the prominent European privacy advocacy group NOYB, warned that even indirect or incidental capture of EU employee data without explicit, informed consent represents a serious violation of GDPR rules, which could cost the company up to 4% of its global annual turnover, representing a potential $1.5 billion penalty.
Sardeli explained that the initiative fails a fundamental regulatory benchmark known as the “purpose limitation” test under European law. When employees use company-approved communication channels such as Slack or Gmail, they do so solely to fulfill their employment contracts and communicate about work. Ingesting these private professional chats into a generative AI model to build commercial software agents is entirely incompatible with that initial, agreed-upon purpose. Privacy watchdogs argue that using employees’ private communications to train the very machines designed to replace them is both an ethical and a legal breach.
Beyond the looming European regulatory battle, the implementation of the tracking program has sparked an angry backlash among Meta’s own employees. Workers have openly complained on internal company message boards that the data-harvesting software is consuming an astonishing amount of internet bandwidth. In several cases, employees working remotely reported that the background software consumed their entire monthly home internet data quota within just a few days of its launch. This massive bandwidth consumption has forced remote staff to purchase expensive top-up data packages, further fueling internal resentment.
The internal employee backlash has also exposed serious security vulnerabilities in Meta’s handling of collected tracking data. An employee’s analysis of the software’s log files—which she performed with the aid of Anthropic’s Claude chatbot—revealed that the tracking tool had been added directly to the company’s existing security software. This integration granted the system deep access to private code changes, computer sleep and wake cycles, and even clipboard copy-paste contents. Crucially, the analysis revealed that the program stored this highly sensitive, personal information on local hard drives in unencrypted, plain-text formats, making it easy for hackers to steal.
This internal whistleblower post quickly vanished from Meta’s employee message boards, prompting further accusations of corporate censorship from staff members. Although Meta spokesperson Dave Arnold called the post’s security claims “fundamentally inaccurate,” he declined to elaborate on why the company removed the message. He maintained that Meta carefully considered and mitigated potential privacy risks before deploying the tool, emphasizing that the company remains fully committed to complying with all applicable regional laws and regulations.
As the Irish Data Protection Commission—Meta’s lead EU privacy regulator under the GDPR—begins reviewing the program’s scope, the controversy highlights a growing, high-stakes battle over technological surveillance. Global tech companies are increasingly treating their employees as raw training data to accelerate their AI automation pipelines. However, by attempting to bypass the strict digital boundaries of the European Union, Meta is demonstrating that even the world’s most valuable technology giants must respect the fundamental privacy rights of the workers they hope to automate.
