Re: I have but one question
"I think the GDRP requires more than just an assumption on Facebook's part that the sources of personal data they are collecting and storing have permission to share what is other's personal data."
Facebook's way was to put some legalise in their T&Cs/Privacy Notice for the app that the person with the phone (who is doing the address book sharing) by doing that sharing is agreeing that *they* have obtained permission from the individuals for the sharing. It's Facebook's way to shift the "blame" onto someone else.
However this doesn't change the fact that, even if the phone owner did obtain permission, that Facebook would be acting as either a Data Processor (for the phone owner) or else a Data Controller in their own right for the shared personal data and its not clear (i.e. not transparent - where's the Privacy Notice explaining this?) as to the nature of Facebook's role in that scenario as either a Data Processor or Data Controller.
Biting the hand that feeds IT
