I imagine scraping Facebook might be similar to the result in the hiQ v. LinkedIn case, involving scraping public LinkedIn information. At the time, the EFF and a lot of others celebrated the ruling. For example, the EFF characterized it as a victory for "...the wide variety of researchers, journalists, and companies who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to."
I feel like there ought to be a line somewhere. Like, maybe you can access the data because it's public, but to (for example) profit off of it or even share it further, you need more than just the fact that it's public.
For some reason open source licenses come to mind. You can use this code (or image) under terms XYZ and this license has to go with it too. That way, me letting GitHub show my code publicly doesn't give you license to do whatever you want with it. Or me letting LinkedIn show my picture doesn't give you license to do whatever you want with it. Maybe we need something like that.
If you make your profile available publicly then I'd argue it is indeed public. As far as I'm aware, Clearview doesn't have a relationship with Facebook to access non-public data and instead they just operate a web crawler storing anything that's being served without requiring auth.
An image at the top of a news article on cnn.com is "public" in the sense that anyone can access it. But the company and the photographer still retain rights to that image - you can't take it and use it for whatever you like.
What is confusing here is that everyone imagines that Clearview (and Google, and FB, ...) are really storing those pictures. In reality they just train their AI. There is no trace of that picture on their servers once you delete it. But the AI is capable of recognizing you, in the case of Clearview from a picture. In the case of Google and FB, from your picture, browsing habits, contacts, GPS coordinates, your friends, semantics of your texts, ... The only difference is that Google and FB are not so stupid as to advertise this. But the capability is there.
IANAL but I think the GDPR does not just look at the data in isolation, but considers the data and what it is used for.
Thus if I give a company access to my data it does not give them a carte blanche to use it however they see fit, instead I have allowed usage of the data for a set of purposes.