Meta's employee mouse tracking program could violate EU privacy laws

At a glance:

• Meta's internal Model Capability Initiative captures keystrokes, mouse movements and clicks from US employees.
• The tool may also record contents of emails and chats with non‑US contacts, potentially capturing EU personal data.
• Reuters reports the program monitors over 200 apps and has sparked employee protests and quota‑drain complaints.

What the tool does

Meta confirmed to Engadget that it is “launching an internal tool that will capture these kinds of inputs on certain applications” to gather real‑world examples of people completing everyday tasks. The initiative, dubbed Model Capability Initiative (MCI), records keystrokes, mouse movements, clicks and, according to internal Q&A documents, the contents of emails and instant messages sent by US‑based staff.

The company says the data is intended to train its artificial‑intelligence models, giving them richer context about how users interact with software. By collecting granular interaction data, Meta hopes to improve the accuracy of future AI assistants, content‑ranking algorithms, and other automated services.

Scope expansion and EU concerns

Reuters’ latest investigation suggests the program’s reach may be broader than Meta initially disclosed. The internal documents indicate that if a US‑based colleague is using the tool while chatting or emailing with someone outside the United States, the content of that communication could be captured regardless of the other party’s location.

Such cross‑border data capture raises red flags under the European Union’s General Data Protection Regulation (GDPR). GDPR requires a lawful basis for processing personal data and mandates clear disclosure of what is being collected. A legal expert quoted by Reuters warned that even limited collection of EU employee data could constitute a violation.

Employee backlash

Meta’s workforce has reacted strongly since the program’s rollout. Employees report that MCI consumes large amounts of data, depleting monthly internet quotas within days. Some staff have circulated flyers and petitions, arguing that the surveillance feels invasive and that they are inadvertently training “their eventual replacements.”

The dissent has been organized enough to generate internal petitions, with signatures calling for the tool’s suspension or greater transparency. The unrest reflects broader concerns about workplace monitoring and the ethical implications of using employee data to fuel corporate AI ambitions.

Legal perspective

Under GDPR, companies must identify a specific legal ground—such as consent, contract performance, or legitimate interest—to process personal data. Meta’s claim that it “carefully considered and mitigated potential privacy risks” does not automatically satisfy the regulation’s stringent documentation and transparency requirements.

If regulators determine that the captured email or chat content includes personal data of EU residents, Meta could face hefty fines, mandatory data‑deletion orders, or injunctions forcing the tool’s shutdown in Europe. The company’s public statements emphasize compliance, but the legal gray area remains significant.

Potential impact on AI training

The richness of interaction data can accelerate AI model development, offering nuanced signals that synthetic datasets lack. However, the trade‑off between data utility and privacy compliance is delicate. Should Meta be forced to limit or anonymize the captured data, the effectiveness of its training pipelines could be reduced, potentially slowing the rollout of new AI features.

Conversely, a successful compliance framework could set a precedent for other tech firms seeking to harness employee‑generated data. The outcome may influence industry standards for internal data collection aimed at AI research.

Next steps for Meta

Meta has indicated that it will continue to monitor the tool’s deployment and work with legal teams to ensure GDPR adherence. The company may need to implement additional safeguards, such as explicit consent mechanisms for EU‑based contacts or stricter data minimization policies.

Stakeholders—including regulators, privacy advocates, and Meta’s own employees—will be watching closely. The situation underscores the growing tension between rapid AI development and the evolving landscape of data‑privacy law.