Thanks @asim1234 for your comments. Great point on GDPR, it's a start.

1-None of the data Cambridge got involves ‘hacking’ Facebook, a data breach or exploiting a bug. Instead, it all revolves around the use of a feature that Facebook provided to all developers and (at least) tens of thousands took advantage off.
2-The data collected was not internal Facebook data. It was data that developers accessed from the profiles of people who downloaded their apps (and their friends). Facebook has a lot more data on users than is publicly available and it has it for everyone who uses their platform. No-one but Facebook has access to that data. This is a point that almost all the journalists involved seem unable to grasp, instead they repeatedly equate ‘Facebook’s internal data’ to ‘data accessed from Facebook profiles using a third party app’. But these are VERY different things.

Source and to read a lot more:

https://medium.com/@CKava/why-almost-everything-reported-about-the-cambridge-analytica-facebook-hacking-controversy-is-db7f8af2d042