Meta Platforms is facing mounting regulatory scrutiny in Europe over an internal program that collects employee computer activity to train artificial intelligence systems. The initiative, dubbed the Model Capability Initiative, tracks how employees use their computers, including mouse movements, clicks, keystrokes and activity across applications. Meta is using this behavioural data to train AI agents that can learn and imitate human behaviours, and it hopes to eventually create AI systems that can do software-based work with minimal human intervention.
The project has a clear ambition, but the methodology has been severely criticised by privacy experts, employees, and regulators across Europe. The core issue is simple: information collected for one use — running the business of the workplace — is being used for a very different purpose, training commercial artificial intelligence systems. Under European law, that difference is a huge one.
Why the GDPR Creates a Problem for Meta
The General Data Protection Regulation (GDPR) is one of the world’s most comprehensive data protection frameworks. It governs not only the way in which companies collect data from consumers but also how they handle personal information more generally — including data generated by employees in the course of their work.
Meta said the surveillance software only exists on devices owned and used by its U.S. employees. But reports based on internal documents suggest that emails and chat messages could also be scooped up when colleagues in other countries correspond with monitored workers. This is where the legal exposure comes into play. If communications with people in Europe are ingested into the data collection pipeline, then the GDPR jurisdiction could potentially apply regardless of where the infrastructure doing the monitoring is located physically.
Privacy and legal experts have paid particular attention to the purpose limitation principle of the GDPR. The basic rule is that an organisation cannot use personal data for a purpose that is substantially different from the purpose for which the data was originally collected. The emails, IMs, collaborative documents and other communications we have at work are there to conduct business. Training AI systems on them is a fundamentally different use of the data, and without a clearly documented and lawful basis for that secondary purpose, Meta’s program is on legally shaky ground.
Organisations must have a lawful basis to process personal data in the first place, and must also set out the scope and purpose of that processing when it is collected. Changing the purpose afterwards, or extending it without sufficient transparency and legal basis, is precisely the sort of conduct that the GDPR.
Employee Opposition: More Than a Legal Argument
The debate stretches far beyond regulatory offices and legal briefings. Internally, the Model Capability Initiative has met with an unusual level of resistance within Meta. Organised dissent was rare in the tech industry; more than 1,000 employees reportedly signed a petition opposing the program, and protests were held at some Meta offices.
Workers complained about the extent of surveillance and, more importantly, the lack of a real opt-out on company devices. The discomfort for employees is both practical and moral. It’s a very personal form of data collection to be tracked at the keystroke level and then have that data used to train systems that might ultimately automate some of their own roles — that was non-negotiable for many.
Meta has defended the program, saying it focuses on interaction data rather than screen content and has safeguards in place to limit privacy risks. The company said it is also committed to complying with all applicable laws and regulations. Critics, however, note that internal safeguards are no substitute for independent regulatory oversight, and the company’s assurances are of little value without verified compliance with GDPR requirements.
Regulators Take Notice
The matter has caught the notice of Ireland’s Data Protection Commission, the main privacy regulator of Meta in the European Union. Since Meta’s European base is in Dublin, the Irish DPC acts as the main authority responsible for GDPR enforcement for the company. This gives the Irish DPC the power to examine the Model Capability Initiative, issue corrective orders, and impose hefty fines if any breaches are identified.
A thorough regulatory investigation of the program might have repercussions beyond Meta. Other technology firms are also looking at similar strategies – using behavioural and interaction data from employees to train and improve AI systems. The manner in which the Irish DPC and other European regulators handle Meta’s program will determine the future of workplace data usage for AI development throughout the continent.
The European regulatory landscape is also becoming more harmonised. The European Data Protection Board, responsible for ensuring uniformity in GDPR enforcement across all EU member states, has identified transparency obligations as a major focus area for 2026. All EU data protection authorities are part of joint enforcement campaigns, with regulators requiring clear and specific identification of data processing purposes – not generic or vague descriptions. Meta, considering its history of enforcement actions and its current prominence in AI development, is exactly the type of entity that these coordinated efforts aim to target.
Context: A Company Already Under Sustained Regulatory Pressure
The Model Capability Initiative controversy is not a new or isolated matter. Meta has been hit with over 2.6 billion worth of GDPR fines via seven different enforcement actions over the past five years – a record that indicates deep and recurring conflicts between the data-driven aspects of the company’s business and the European law. The biggest one-off punishment was a 1.2 billion fine handed down in May 2023 for transferring data of EU users to the US without proper legal bases, and as of today, it is the largest GDPR penalty that has ever been given to any organisation in the world.
Also, at the beginning of 2026, Meta gave European Facebook and Instagram users the option of less data sharing in exchange for less personalised advertisements – a switch from the heavily criticised “consent or pay” model that earlier left users with no choice other than extensive tracking or paying for an ad-free version. This alteration, a result of negotiations with the European Commission under the Digital Markets Act, was, in fact, a real structural concession. But the EU authorities have made it clear that the period of compliance monitoring will not be lifted in the future.
With the mounting accumulation of fines, open investigations, and now new issues for the Model Capability Initiative, Meta’s interaction with European privacy law in the year 2026 is much more complicated and significant than at any other time in the company’s history.
Frequently Asked Questions (FAQs)
What is Meta’s Model Capability Initiative?
Meta’s Model Capability Initiative is a program that monitors how employees use their computers, tracking mouse movements, clicks, and keystrokes, and then uses that information to develop AI models that can imitate human behaviour in software settings.
Why are European privacy regulators concerned about this program?
They worry because the program might be recording the workplace communications of employees outside the U.S., and that would fall under the EU’s General Data Protection Regulation. The GDPR says that data collected for one purpose, like work communication, can’t then be reused for the training of AIs without a proper, legal reason for that secondary use.
What is the GDPR’s purpose-limitation principle?
The purpose-limitation principle means that a company must not use the personal data of individuals in any way that is fundamentally different from the original reasons for which the data was collected. This principle is one of the most important elements of the European data protection law setup and is often the one that technology companies are cited for when enforcement measures are taken against them.
Has Meta broken any laws?
It is not known if Meta has violated any laws yet. The Data Protection Commission of Ireland has apparently been notified about this program, but before a decision of non-compliance could be made, any regulatory assessment would have to be finalised.
