AFAIK Facebook shared data of non-consenting individuals ("friends") of consenting individuals. In light of the GDPR this would be at least borderline to illegal. As well data from consenting parties was used in a manner not consented to (that would cross the line) and handed over to a fourth party. Finally FB did not ensure proper data handling (crossing the line again). At least when regulators would be willing they'd had a leg to stand on.