Why are people surprised at the amount of data Facebook has on them? What has perhaps surprised and shocked most is the extent of information that these companies have and the kind of use that information is put to.

“Facebook’s entire business is predicated on the fact that they know about you and they are able to leverage, sell and monetise that information,” says Sahir Hidayatullah, CEO of cybersecurity firm Smokescreen Technologies.

In fact all the big Internet companies allow advertisers to target individuals, who can be easily segmented by gender, location, age, popular culture preferences, language, interactions and so on. In the many years of the Internet, people have left significant digital footprints, making it very easy for them to be targeted for all sorts of products.

Yes, it’s nice to have Amazon recommend books based on your previous buys. It’s a bit spooky, but still nice, since it sometimes lets you discover new writers. If only it stopped there. But when your browsing and buying preferences are used to manipulate decisions that are far more crucial than buying the next book, things get out of hand.

“We don’t know how third parties use our information,” says Hidayatullah. In the case of Cambridge Analytica, it is alleged that the data analytics firm could have influenced the Leave campaign for Brexit and the election of American President Donald Trump, by psychologically profiling Internet users and manipulating their decisions.

A French security researcher, who uses the pseudonym Elliot Alderson, on Twitter, revealed that Prime Minister Narendra Modi’s official mobile app was sending device info and personal user data to a third party without consent, and that the Congress party’s app was transmitting users’ personal data in an unsecured format to a server in Singapore.

Your private data ought to be private. Now, Facebook’s defence and that of most app developers is that users consented to provide data when they signed up. This is where activists and lawyers step in, talking of the difference between informed and uninformed consent.

Supratim Chakraborty, associate partner at legal firm Khaitan & Co., says most people don’t pay attention to what they are agreeing to. He calls it consent fatigue. Also, he adds: “In India, there are so many people who do not understand English, or they might be illiterate. So the right to privacy is a joke, because they don’t know what they are agreeing to or what they are accepting.”

According to a report ‘Internet in India 2017’, published jointly by the Internet and Mobile Association of India & Kantar IMRB, the number of Internet users in India is likely to touch 500 million by June this year. Till December 2017, Internet penetration was 35% of the overall population.

And, according to the 2011 Census, the literacy rate is 73%. That doesn’t give a hint about how many people can read, write, and understand English, which is the default language of all agreements online. That said, the numbers show that the data of close to half the population is vulnerable online, and a significant proportion is not even aware of the threat that their data faces.

Chakraborty makes a telling point about consent. “You cannot have a situation where you take an omnibus consent from me saying that I can do anything for my business purposes. Instead, you should take specific consent from me for using my data and if, at a later stage, your business purposes change, come back to me and seek my consent again,” he says.

Sivarama Krishnan, partner and leader - cybersecurity, PwC India, says that India has a large segment of the population that gets “assisted service” when it come to private data. He explains that people use an intermediary like a distributor, agent, or even shop owners, to apply for things like phone connections, because they cannot read. How does one get consent from them?

So what are the laws that can protect your data? Data protection in India is largely governed by the Information Technology Act, 2000 (IT Act). While a data protection legislation is in the works. As of now, the IT Act alone is not enough to insulate people from threat to their privacy online.

Chakraborty explains that the IT Act, as it was originally framed, did not have specific provisions for data protection and data privacy. It was amended and two specific sections were introduced to deal with the concept of data protection and privacy, section 72-A and section 43-A.

Section 43-A of the IT Act says that a body corporate is liable to pay damages if they have been negligent in implementing and maintaining reasonable security practices while possessing, dealing or handling any sensitive personal data or information that results in any wrongful loss or wrongful gain to any person.

While, section 72-A provides criminal remedy for disclosure of personal information in breach of lawful contract. The section stipulates that any intentional disclosure of personal information, without the consent of the data subject or in breach of lawful contract is punishable with imprisonment of up to three years or a fine of up to Rs 5 lakh or with both.

The problem, says PwC’s Krishnan, is not so much the law as the fact that there is no agency that takes responsibility for implementation of the existing laws.

Added to that is the issue of jurisdiction when it comes to foreign companies operating in India. “In the event of data leak or misuse, data residency or domicile becomes an issue for enforcing the IT Act. For instance, a social networking website which is based in the US cannot be charged under the Indian IT Act as data resides outside the country. Applications (social networks and others) which we use and are foreign companies may come under the US jurisdiction, the European, or some obscure island. But law in general and IT Act in particular is unable to protect such data,” Krishnan adds.

Even more than the law, the entire conversation around privacy is complicated in a culture like India. With a population of 1.3 billion, a legacy of joint (and extended) families, and densely populated towns, community living is almost the norm. The concept of privacy, then, is somewhat different than in the West, at least among the majority.

Also, given the number of other, perhaps life-threatening, issues that are to be addressed, data privacy is not seen as particularly pressing. There are even some who say that since there is already too much data out there, it might be too late to do something about it. Hidayatullah disagrees. “I think there is always scope for control, especially if we say that things are centralised and data has not been disseminated so widely. Given the repercussions and the impact that can be had when it comes to something like identity theft, I think it’s worth fighting tooth and nail to claw it back in whatever small way that we can,” he says.