NEW YORK/AMSTERDAM--Meta Platforms' plan to collect detailed records of U.S. employees’ computer usage for training its AI models is more extensive than initially described and set to capture non-U.S. data in the process, according to internal documentation seen by Reuters.
The documents introduce fresh complications for the project — a key component of CEO Mark Zuckerberg’s broader plan to transform how the company operates around AI agents — that could draw Meta into a new European privacy fight, rights groups told Reuters.
The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus, in order to build AI agents that can perform everyday software tasks autonomously. The tool, called Model Capability Initiative, or MCI, is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers. The company said it would impact only U.S. employees and that safeguards were in place to protect sensitive information.
In the weeks since its launch, however, Meta employees have complained that MCI was consuming so much data that it was causing their home internet usage to spike, in some cases using up an entire month’s quota within days, according to internal posts seen by Reuters.
Meta also acknowledged in a question-and-answer document provided to employees that the tool would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender’s location.
In a statement, Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees’ devices and that its focus was on how people interact with computers, not the content on their screens.“In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business,” said Arnold.
He confirmed the approximate number of apps and websites the tool is tracking, but declined to answer detailed questions about how much data it is ingesting and its legality.“We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," he said.
The findings could deepen Meta’s regulatory troubles in the European Union, where tech companies are facing heated legal clashes over how they collect and deploy data. While U.S. workers have few protections against employer surveillance, companies operating under the EU’s General Data Protection Regulation must have a legal basis for processing personal data, disclose what is collected and meet strict conditions for especially sensitive data like health information.
In Meta’s FAQ document on MCI, one entry addressed the tracking from the perspective of a non-U.S. employee: “I'm based outside the U.S. Will my conversations or data be captured if I'm communicating with a U.S.-based colleague who has the tool enabled?”
The company's response: “If a U.S.-based colleague has the tool enabled while gchatting or emailing with someone outside the U.S., that activity would be captured.”
Meta also said in the FAQ that data collected by MCI would be “dissociated” from identifying employee information and therefore could not be looked up or deleted for individuals, a requirement in Europe.
Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules.Key sticking points could include whether the tool’s collection of European data is considered “incidental” or counted as monitoring under the GDPR, and whether the initiative can pass a “purpose limitation” test, she added.
“This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose,” said Sardeli.
