If its proven that Facebook intentionally allowed the data to flow out to third parties as opposed to a 'hack' as they put it, of which the data wasn't consented to be given, then I think there is a duty of the regulators / authorities to protect the interests of the public who are effected.

But that is probably wishful thinking.