Meta's effort to train artificial intelligence systems using detailed records of employee computer activity is drawing fresh scrutiny after internal documents suggested the project may capture data from non-U.S. workers, potentially creating new privacy challenges in Europe.
The initiative, known internally as the Model Capability Initiative (MCI), is part of Chief Executive Officer Mark Zuckerberg's broader strategy to develop AI agents capable of carrying out software tasks autonomously.
Meta told employees last month that the tool would record how U.S.-based staff interact with computers, including mouse movements, clicks, and menu navigation, to help train AI systems. According to internal documents reviewed by Reuters, the tool gathers information from more than 200 applications and websites.
Meta initially said the program would affect only U.S. employees and that it included safeguards to protect sensitive information. However, employees have since raised concerns about the amount of data being collected and its broader implications.
Internal posts showed some workers complaining that MCI consumed so much data that it significantly increased home internet usage, in some cases exhausting monthly data allowances within days.
Meta also acknowledged in an employee question-and-answer document that emails and direct messages sent to U.S.-based employees could be captured regardless of the sender's location.
Meta spokesperson Dave Arnold said the software was installed only on devices used by U.S. employees and that its primary purpose was to study computer interactions rather than screen content.
"In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business," Arnold said.
He added that Meta had "carefully considered and mitigated potential privacy risks" and remained committed to complying with applicable laws and regulations.
The disclosures have raised questions about compliance with the European Union's General Data Protection Regulation (GDPR), which requires companies to have a clear legal basis for processing personal information and imposes strict requirements for handling sensitive data.
In one FAQ entry, Meta stated that communications between non-U.S. employees and U.S. colleagues using the tool "would be captured." The company also indicated that the collected data would be anonymized, making it impossible to retrieve or delete information linked to specific individuals.
Kleanthi Sardeli, a legal expert at the privacy advocacy group NOYB, said that even the indirect collection of European employees' data could raise GDPR concerns.
"This data was originally collected for work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," Sardeli said.
A spokesperson for Ireland's Data Protection Commission, Meta's lead regulator in the EU, told Reuters that Meta had said neither EU employee data nor screen-content recording fell within the tool's primary purpose.
The initiative has also generated internal criticism. Employees have described Meta as an "Employee Data Extraction Factory" and expressed concerns that the tool could create detailed behavioral profiles showing how staff perform their work.
One internal analysis claimed the software could access information, including code changes, clipboard contents, computer sleep cycles, and browsing activity. Meta disputed those conclusions.
Arnold described the claims as "fundamentally inaccurate" but declined to address specific allegations.
Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the controversy highlighted the need for regulatory scrutiny. "This situation, this case, is not limited to Meta employees. It applies to every employee in every sector who could be replaced. Everybody cares about this if they understand what it is," Ryan said.
