Skip to main content
TechnologyJun 4, 2026· 4 min read

Meta Halts Employee Tracking, but GDPR Uncertainty Looms...

Meta has introduced initial controls on software that records the movements of the mouse, clicks, and keystrokes of its U.S. employees, but the concessions leave the most sensitive issue unresolved. In a memo delivered on Tuesday, the company announced that data collection could be paused for a maximum of thirty minutes at a time and that workers could request to be exempted from it. The reversal, signed by Stephane Kasriel, vice president of the Superintelligence Labs division, comes after weeks of internal protests and after documents reviewed by Reuters revealed the system's scope to be far broader than previously disclosed.

Kasriel explained that the team introduced optimizations to contain the impact on battery consumption, having also responded to reports of data usage that burdened employees' home connections. The company claims to remain confident in the protections adopted at launch, but has listened to concerns regarding personal data, battery life, and control over capture moments. For most staff, however, participation remains mandatory, and the thirty-minute pause only applies in the United States.

The tool, called Model Capability Initiative (MCI), has been active since April on U.S. workstations and collects real examples of human-computer interaction to be used for training artificial intelligence agents, across over 200 apps and websites. It falls under the broader Agent Transformation Accelerator managed by Superintelligence Labs, the program through which Meta aims for models capable of performing work tasks autonomously. An internal analysis of log files, conducted with the help of Claude from Anthropic, showed that the system also captures code changes, suspension and reactivation cycles of the computer, visited URLs, and content copied to the clipboard, partly stored without encryption.

Internal discontent is not new: we have already discussed it when flyers and a petition appeared in U.S. offices against what employees describe as a form of surveillance in the service of AI, with concerns about training their future replacements. However, the most recent revelation concerns Europe. From the beginning, Meta assured staff, the public, and oversight authorities that MCI would only run on U.S. machines, without monitoring European workers; the same guarantee was provided to the Irish Data Protection Commission. The documents tell a different story: MCI captures the content of any email or message exchanged by a U.S. employee, regardless of where the other party is. Every chat between a worker in California and a colleague in Dublin, Paris, or Munich ends up in the training flow, and the same applies to emails directed to European clients.

The GDPR Issue and Limitation of Purposes

The legal point revolves around the principle of limitation of purposes: personal data collected for one purpose, here the work communication within an employment relationship, cannot be reused for a different purpose such as training a model. Lawyers from the Austrian organization NOYB argue that funneling a worker's chat into a model is incompatible with the purpose for which that message was written and that active monitoring of European workers is unnecessary: the mere incorporation of their data into the training set would suffice to constitute a violation. Meta presents the European capture as an incidental consequence of running the tool on U.S. machines that communicate abroad, and the framing matters because the GDPR provides exceptions for certain incidental processing. NOYB counters that the volume and regularity of the collection exceed anything that could be described as such. Complicating the picture, according to Reuters, MCI data would be dissociated from the information identifying the individual employee, and thus no longer recoverable or deletable upon individual request, a right that is, however, guaranteed in Europe.

Meta's spokesperson, Dave Arnold, stated that the company has informed non-U.S. employees about the presence of the tool on the computers of American colleagues with whom they exchange messages, and that potential privacy risks have been assessed and mitigated. The Irish Commission has yet to open a formal investigation, and Meta has not separately commented on Reuters' findings.

The new rules address the most immediate complaints, from battery life to control over capture times, but do not touch on the most important question: whether the Irish authority will treat European collection as incidental or systematic. It is on that distinction that one of the first concrete cases of applying the principle of limitation of purposes to AI training flows across the Atlantic is at stake.