This week, Mark Zuckerberg testified before Congress in the wake of mounting public outrage over Facebook’s data collection methods and role in the 2016 U.S. presidential election.

Those of us frustrated with Facebook and its laundry list of mistakes may have reveled in watching Congress “inflict pain” on the man responsible, while others might have found solace in another one of Zuckerberg’s apologies.

But the sight of legislators chastising Facebook obscures what is perhaps a more important point: These legislators have failed to protect us in the first place.

In the U.S. alone, 214 million people use Facebook. That’s 214 million Facebook users, but also 214 million Americans. Yes, Facebook has failed to protect its users. But what are U.S. lawmakers doing to defend their constituents?

In the U.S., tech firms benefit from relatively weak privacy and data protection laws. As we type, click and search across our many devices, our behaviors are tracked and collected—and this data is purchased and sold for profit. Even in the wake of gross mishandling of such data, as in the Equifax cybersecurity breach, American legislators have done little to protect their citizens.

Reconciling individual rights with commercial interests may be a difficult balancing act for policymakers. But the U.S. can look to Europe for clues of where to start.

This month across the pond, the European Union’s General Data Protection Regulation (GDPR) will go into effect. The new legislation—the biggest update to Europe’s data protection laws in decades—aims to give individuals greater control over their own data and unify laws across the E.U. The new rules also lay out guidelines for data management and describe fines for businesses that don’t comply.

We don’t yet know how exactly regulators will interpret the new legislation or what impact it will have, but it’s at least a start. And for lawmakers in the U.S. and in other parts of the world, it can be the blueprint for starting a much-needed conversation on how to govern big tech and how to protect individual privacy rights.

Yes, Facebook needs internal reforms: It must put measures in place to protect users (beyond just making its terms and policies clearer). But we can hardly expect Facebook to change its entire business model without pressure or policy. There’s a real danger in treating the latest scandal as Facebook’s mistake alone. The tech giant will continue to make such “mistakes” as long as legislators do nothing to anticipate and address them.

We mustn’t allow ourselves to be satisfied by the outrage of legislators or lulled into complicity by Zuckerberg’s apologies. Instead, let the CEO’s testimony be an opportunity for policymakers in the U.S. and around the world to reflect on their responsibility to protect their citizens and hold tech companies to account. Let it be a clarion call for all of us to move beyond our fleeting outrage and half-hearted calls to #DeleteFacebook.

And let’s all begin to participate in more nuanced conversations about how our online data should be collected and used and how we and our policymakers can better stand up for our rights.