Apple has dropped its long-promised bombshell on the data-tracking industry. The latest version (14.5) of iOS—the operating system of the iPhone—included a provision that required app users explicitly to confirm that they wished to be tracked across the internet in their online activities. At the heart of the switch is a code known as “the identifier for advertisers” or IDFA. It turns out that every iPhone comes with one of these identifiers, the object of which is to provide advertisers with aggregate data about the user’s interests. For years, iPhone users have had the option to switch it off by digging into privacy settings of their devices, but very few bothered to do that.
From 14.5 onwards, however, they couldn’t avoid making a decision and you didn’t have to be a Nobel laureate to guess that most iPhone users would opt out. This explains why those who profit from the data-tracking scheme had for months been angry about Apple’s betrayal. Some counteroffensives included attacks on Apple’s monopolistic control over its App store and charges of rank hypocrisy—that changes in version 14.5 were not motivated by Apple’s concerns for users’ privacy but by its own plans to enter the advertising business. And so on.
The computerised, high-speed system in which online ads are traded is currently unregulated. Often the problem with tech regulation is that our legal systems need to be overhauled to deal with digital technology. But the irony in this particular case is that there’s no need for such an overhaul: Europe already has the law in place. It’s the GDPR (General Data Protection Regulation), which is part of the legal code of every EU country and has provision for imposing punishments for infringers. The problem is that it’s not being effectively enforced.
Why not? The answer is that the EU delegates regulatory power to the relevant institutions—in this case data protection authorities (DPAs)—of its member states. And these local outfits are overwhelmed by the scale of the task and are lamentably under-resourced for it. Half of Europe’s DPAs have only five technical experts or fewer. And the Irish data protection authority, on whose patch most of the tech giants have their European headquarters, has the heaviest enforcement workload in Europe and is clearly swamped.
So here’s where we are: an online system has been running wild for years, generating billions in profits for its participants. We have a powerful law on the statute book that in principle could bring it under control, but which we appear unable to enforce. And the only body that has, to date, been able to exert real control over the aforementioned scheme is a giant private company that itself is subject to serious concerns about its monopolistic behaviour. It really is time to worry.
Which of the following is true about the GDPR?
A. It is not implemented successfully now.
B. It is adopted in a few EU countries.
C. It should be overhauled as soon as possible.
D. It bans the trade of online ads.
A