[Privvy]

Of course penalties for non-compliance have gone up. But collecting biometric data without explicit and informed opt-in, is already against the laws of many EU member states, and has been for nearly a decade. Facebook is walking on thin ice.

It seems they ask for permission, so the title that users are auto-enrolled may be misleading. But if they do auto-enroll: It is against the privacy laws already, no need to wait for GDPR.

About respecting local laws, I find this a difficult issue. What to do with draconian local laws that forbid ridiculing a president? But if it has to be a yes-no: I'd say, yes, obey local laws when you serve users there. Remove comments from Turkish IPs that slander their president, but keep comments from German IPs that ridicule Turkey's leader.