Alice is a Facebook user. Alice uploads Bob’s photo—and Bob’s photo is Bob’s personal data (Article 4 item 1). How can this be legal, given that the GDPR places restrictions on the cases where personal data can be collected? (Article 6)
I think that Facebook can get away because personal data can be collected if it is “necessary for the purposes of the legitimate interests pursued by” Facebook (Article 6, paragraph 1, item f). In order to know what this means, we need to know what is a “legitimate interest”. The GDPR does not define it, and I’ve read it doesn’t have a legal meaning in general either. This means that a court is free to interpret it.
I guess that the court’s interpretation depends on who is arguing. If it’s my lawyer, they are likely to dismiss my interest as non-legitimate, whereas they are more likely to accept Facebook’s lawyer’s argumentation.
Disclaimer: I am not a laywer.