Meta's Employee Mouse-Tracking Tool on Collision Course With EU Privacy Rules
Meta Platforms' plan to collect detailed records of U.S. employees' computer usage for training AI models is more extensive than initially described β and is set to capture non-U.S. data in the process, according to internal documentation seen by Reuters.
The tool, called the Model Capability Initiative (MCI), tracks mouse movements, clicks, navigation through dropdown menus, and content from over 200 apps and websites. Privacy advocates warn that even limited tracking of EU employee data could violate the General Data Protection Regulation (GDPR).
Key Update: Meta's MCI tool captures communications sent to U.S. employees from colleagues outside the U.S., including EU-based workers. The company acknowledged this in internal FAQs but maintains the tool is installed only on U.S. devices. Privacy group NOYB warns this could violate GDPR rules on purpose limitation and data deletion.
What Is the MCI Tool?
The Model Capability Initiative (MCI) is a key component of CEO Mark Zuckerberg's broader plan to transform how Meta operates around AI agents. The tool captures:
- Mouse movements and clicks
- Navigation through dropdown menus
- Content from more than 200 apps and websites
- Code changes made by employees
- Computer sleep and wake cycles
- URLs visited
- Clipboard content that employees copy and paste
Meta told staff last month that MCI would help build AI agents capable of performing everyday software tasks autonomously.
Data Consumption Problems
Since the tool's launch, Meta employees have complained that MCI is consuming so much data that it is causing their home internet usage to spike dramatically.
According to internal posts seen by Reuters, in some cases the tool used up an entire month's internet quota within days. The high volume of data being uploaded from employee devices has created operational challenges and raised further questions about the scope of information being collected.
The EU Data Problem
Meta acknowledged in a question-and-answer document provided to employees that MCI would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender's location.
This means that when a non-U.S. employee β including those based in European Union countries β communicates with a U.S. colleague who has MCI enabled, their conversations and data are captured by the tool.
| Scenario |
Is Data Captured? |
| U.S. employee with MCI enabled chats with another U.S. employee |
Yes (fully captured) |
| U.S. employee with MCI enabled chats with EU-based colleague |
Yes β EU colleague's data is captured |
| EU-based employee chats with another EU-based employee (no U.S. participant) |
No (tool not installed on EU devices) |
GDPR Compliance Questions
Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules.
Key sticking points include:
- Incidental vs. monitored data: Whether the tool's collection of European data is considered "incidental" or counts as formal monitoring under GDPR
- Purpose limitation: Whether the initiative can pass the GDPR's "purpose limitation" test
"The data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," Sardeli said.
Data Deletion Concerns
Meta stated in its FAQ that data collected by MCI would be "dissociated" from identifying employee information and therefore could not be looked up or deleted for individuals.
This approach directly conflicts with GDPR requirements, which give individuals the right to request deletion of their personal data (the "right to be forgotten"). If data cannot be identified or located at the individual level, Meta cannot comply with deletion requests β potentially exposing the company to significant penalties.
Employee Backlash: 'Data Extraction Factory'
The MCI project has prompted an angry backlash among Meta employees, who have likened the company to an "Employee Data Extraction Factory."
One employee conducted a detailed analysis of MCI log files using Anthropic's Claude AI tool. According to the analysis β replicated by others β MCI was tacked onto the company's existing data security software, giving it access to additional details that were then stored less securely in unencrypted form.
The employee wrote that compiling this volume of data would make it possible to build "a complete behavioral model of how a knowledge worker does their job" β not just an AI that clicks a dropdown, but "an AI that knows which dropdown to click, what to select, which document to paste it into, and what to do next."
The employee's post later vanished from internal channels, two other employees told Reuters.
Meta's Response
Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees' devices and that its focus was on how people interact with computers, not the content on their screens.
"In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business," Arnold said.
He confirmed the approximate number of apps and websites the tool is tracking but declined to answer detailed questions about how much data it is ingesting and its legality.
"We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," Arnold added.
Regulatory Involvement
Meta has informed the Irish Data Protection Commission (DPC) β its lead EU privacy regulator under GDPR β about the tool. A DPC spokesperson told Reuters that Meta stated neither EU employee data nor the recording of screen content "falls within the primary purpose of the tool."
The DPC did not elaborate further. Meta declined to comment on its exchanges with regulators.
Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the exchanges inside Meta reinforced why he considers it "essential" that the DPC investigate the initiative.
Why This Matters Beyond Meta
Ryan emphasized that the implications extend far beyond one company:
"This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is."
As companies increasingly deploy AI tools that monitor worker behavior to train automation systems, Meta's MCI initiative could set precedents for workplace surveillance, data collection, and the balance between innovation and privacy rights β particularly in jurisdictions with strong data protection laws like the EU.
What Happens Next
Several outcomes are possible:
- DPC investigation: Ireland's Data Protection Commission could launch a formal probe into MCI's GDPR compliance
- NOYB legal action: The privacy advocacy group may file complaints against Meta
- Policy changes: Meta could modify MCI to exclude EU-related data or change how data is stored and deleted
- Penalties: If found in violation, Meta could face fines of up to β¬20 million or 4% of global annual revenue under GDPR
- Broader impact: Other companies using similar employee monitoring for AI training may face regulatory scrutiny
Final Thoughts
Meta's MCI tool represents a clash between two powerful forces: the race to build advanced AI agents that can automate knowledge work, and the fundamental privacy rights protected by regulations like the GDPR.
The company's argument that EU employee data is only "incidentally" captured when they communicate with U.S. colleagues may not satisfy European regulators. The GDPR's purpose limitation principle β which requires data to be used only for the specific purpose for which it was collected β poses a significant hurdle. Employee communications intended for work collaboration were not collected with the understanding they would be fed into AI training models.
Beyond the legal questions, Meta's internal employee backlash reveals a deeper tension: workers are uncomfortable becoming the raw material for AI systems designed to potentially automate their own jobs. When an employee describes their employer as a "data extraction factory" and internal critical posts mysteriously vanish, it suggests a culture of surveillance that extends beyond the technology itself.
As the Irish Data Protection Commission reviews Meta's explanations and privacy advocates prepare potential legal challenges, the outcome of this case will resonate far beyond Menlo Park. It will help define whether β and under what conditions β companies can turn workplace monitoring into AI training data, and whether employees anywhere in the world have meaningful privacy protections when their employer is a Big Tech giant.
Tech Insight: Meta's MCI tool tracks over 200 apps and websites, capturing mouse movements, clipboard content, and even communications with EU colleagues. Privacy advocates warn this "incidental" data collection may violate GDPR's purpose limitation and data deletion requirements β potentially exposing Meta to significant fines.
