The European Union investigated itself and found…actual wrongdoing! For the first time, the EU was found to have violated its own privacy rules established by the General Data Protection Regulation (GDPR) and had to pay a fine, each decision handed down by the EU General Court.

The victim of the EU’s disregard for the law is a German citizen who used the “Sign in with Facebook” option when registering for a conference through a European Commission webpage. When the user clicks the button, data about their device, browser, and IP address is transferred through a content delivery network managed by Amazon Web Services and finally finds its way to the servers running of the Facebook company Meta Platform in the United States. The court determined that this transfer of data took place without proper safeguards, which is equivalent to a violation of GDPR rules, and the EU was ordered to pay a fine of €400 (about $412) directly to person who brought the case.

GDPR, the reason that every website today ask you if you want to accept cookieshas been a thorn in the side of tech companies since first taking effect back in 2018. The set of strict data privacy rules designed to control the amount of personal data companies can collect from users and give individuals more control over how their information is accessed and used is the reason for the many large fines paid by Big Tech companies—especially Meta.

Last year, Meta got it slapped with a $1.3 billion fine for failing to adequately protect European users’ data from American intelligence agencies when data was transferred to US servers. In the past, Meta has hit a $417 million in fines under GDPR rules for violating the privacy of minor Instagram users and $232 million for failing to openly disclose how it processes WhatsApp data. While Meta isn’t alone in getting these little expensive slaps on the wrist (Amazon got its own a $887 million penalty in 2021, for example), it is fitting that it is a Facebook login option that has gotten the EU in hot water on its own.

The GDPR has been a bit of a mixed bag since its implementation. It has undoubtedly grabbed some headlines with huge fines aimed at Silicon Valley giants. But enforcement can take forever—even the EU’s first self-imposed fine for violating someone’s privacy took more than two years to process. More than three out of four data protection authorities have COMPLAINANT of the lack of budget and personnel to track violations, and there is ample evidence to suggest that the byzantine list of laws has didn’t really do much to combat the invasive practices of surveillance capitalism. The EU has some work to do. Maybe it starts by following one’s own rules.