Facebook (not me, I don’t work there anymore) is storing information about *your friends*, namely a hash of *their* contact list, with their explicit consent to do so. Those numbers are only used to help friends find each other in the site, the exact reasons the information was collected. Facebook didn’t tell you to share your phone numbers with your friend. You did. If you want to enforce a rule against their ability to share it further, go for it. I’m not sure how you are going to do that, though: sue the phone company, or sue your friends?

The only thing that Facebook can do to help you right the horrific wrong of someone sharing your phone number without your explicit consent —well, just the hash of ten digits, without any other information associated to it, like your name or location, so an effective enforcement of its limited use— is to help you find all the culprits (presumably your parents, your cousin or your plumber), all of whom are obviously in need of much legal sanctions from the nearest privacy authority. Nothing says “Happy Mother’s day” like a fine for 4% of her worldwide revenue.

Incidentally, Facebook made the process of finding them easy: that list is the first thing you should see, when you _did_ consent and created an account. Because, well in the comment before you wrote that you absolutely did not consent, you did write that you created an account, during which you did consent so… Anyway.

How that (Facebook using information shared willingly by your friends for its intended use) violates GDPR baffles me a bit, and it seems to have escaped the authorities in charge of enforcing it too, because I don’t remember that tool violating anything but… Hey, being wrong has not stopped your previous comments, so I can’t be surprised it hasn’t stoped you to do more armchair lawyering.

I’d love to highlight that you are commenting on a public site, about Facebook. Do you expect people who help the company understand their brand, or how they can improve their service to read your comment? Store it? Analyse it? Did you consent to that, or do you refuse to look into how public statements work?

More seriously, why something so shocking to you seems perfectly legal when you actually look at what happened (your friend uploaded their phone book)? Well, because the reality is that information doesn’t have clear ownership edges like goods do. Information is more often than not shared, often with implicit rules (like don’t write my phone number on a bathroom stall in a dodgy bar with the mention “For a good time, call 123 456 78 90!”). Either parties can presumably do a lot with their information, like sharing it with a third party, while the other party might not know or have the ability to prevent it. Even today, there’s almost no rule clarifying how to handle triads like this. GDPR still assumes that I own information exclusively. Any interpretation that I know of assumes that I am free to share my address book, my DMs, my genetic material, etc. without much consideration for the others affected. And I agree with you: that’s a concern, and it is a concern that Facebook shares, but their calls for clarifications from authorities haven’t been heard.

Imagine that I use a crappy browser, or more realistically a spammy extension, that reads my emails and send them to a North Korean hacker group: my correspondents haven’t approved of me sharing their thoughts with said dodgy group. I made that decision, possibly accepting the risks, or not understanding them at all. You won’t make much progress unless you establish whether it’s my role, yours, my friends’, the browser, the company operating an extension store, my email-provider or theirs that should know better, warn, explain, block or hash messages.

None of the experts, lawyers, advocates that I’ve spoken to about this seem to care about that nuance, except people who deal with genetic information because tracking criminals through their relatives on ancestry.com has become massive. Well, they care but no one has an answer to what crimes are heinous enough that ancestry.com can profit from solving them and selling that service to the police. Oh, yeah because while you are offended that Facebook (a company whose service you have registered to, as per your previous message) you gladly ignore that your cousin gave away your shared genealogical information to a company willing to sell it to problematic institutions like ICE.

No one seems to realise that a lot of other people have your phone number and email by design and those people would want to share those with on-line platforms for legitimate reasons (personal archive, productivity tools, flag spammers) including reasons that could stitch more PII together. Well, no one except Facebook who has though about it, out of necessity, and has set-up several systems to match a few common expectations from what is still a very ambiguous situation.

But I’m sad to report that those expectations do not include: "We know nothing about dtx, but also we know that this is his phone number; we refuse to have anything to do with him, but also, we are going to store that you know him and he’s asked us to never have anything to do with him, so we need to forget that this ever happen. And learned the lesson from not knowing that."