Meta's US employee monitoring tool used for AI training violates GDPR

Internal documentation reveals that Meta's plan to track the computer usage of its US employees for use in training its artificial intelligence (AI) models is more extensive than initially described and collects non-US data, potentially violating the EU General Data Protection Regulation (GDPR). 

The Model Capability Initiative (MCI) tool announced last month is designed to log mouse movements, clicks, and dropdown menu navigation across more than 200 applications and websites. While Meta originally stated that the initiative only targets US staff and includes safeguards for sensitive information, internal documents reveal that the tool captures the contents of emails and direct messages sent to US personnel from any global location. Furthermore, employees have reported severe technical issues, noting that substantial data consumption has caused home internet usage to spike and exhaust monthly quotas within days. This is despite Meta informing the Irish Data Protection Commission (DPC) that no EU employee data or screen recordings "falls within the primary purpose of the tool." 

However, in an update, the company is reported to be scaling back aspects of the plan. New controls enable staff to pause ⁠data collection for 30 minutes and request exemptions from the initiative. 

Training Announcement: Find out more about our range of independent accredited qualifications from BCS and IAPP. These include professional certifications for practitioners covering data protection and AI governance, information security and risk management, as well as access to public information.