"The user(s) then gave FB permission to access it."
At least in my country - Italy - the law states data can be collected freely for personal use (i.e. address books) - but can't be shared with third parties. IMHO, applications that automatically do so, even if told in their T&C are illegal, because when data are shared with a third party from a personal or public source, the interested people must be notified to be allow to exercise their rights - and that burden is on the entity that acts of on the data for non-personal purposes, in this case Facebook.
The issue is privacy-protection agencies are not very effective, and mostly run by people with a background in law, not technology, and they don't understand all the deceptive practices data thieves use to gather data behind the regulator back.
I think till now companies like Facebook were mostly see as a toy where the boys and girls played - hope now many eyes will open and brains unlock, and regulators start to understand to what extents privacy rules were broken, and the inherent deep risks.