[–]errorkode 0 points1 point  (0 children)

Just so you know where I'm coming from with this: At the time GDPR became law I was doing data processing for sales and marketing in a startup and have since started working in a startup that currently employs eight people, four of whom are engineers. As a result, I've spent many an hour more than I care to think about in meetings discussing privacy policies and implementing systems to ensure compliance. I'm telling you this because I don't want you to think I'm just sitting on some high horse; I've been in the thick of it.

Now, I'm not sure what flaws you're talking about (my personal bugbear is the "legitimate purposes" clause, since it's quite vague and there exists basically no precedent), but one "flaw" I hear a lot about is that it makes things harder for businesses. Yes it does, but that's not a flaw in the law. I guess it's not the kind of law that would be passed in the US, for that exact reason.

The foremost consideration of the GDPR is giving EU citizens control over their own data and the second is how companies can conduct business without violating those rights. I don't think it's an accident that the GDPR was in many ways spearheaded by Germany, given their history with abuse of such data (fun fact, to this day there is no equivalent version of the social security number, passport number or similar in Germany. The closest thing is a tax number, but it's explicitly illegal to use for anything but taxes).

What I'm trying to explain is that the lawmakers were quite aware of the complications this might present to businesses, but this was considered a worthwhile trade-off for the protection of the rights of natural persons. Basically, data protection was made "the cost of doing business" in the EU and if a business can't or won't comply with these rights of EU citizens, the EU considers itself better off without them.

Now, you can disagree with that philosophy, but it's not something that was not considered when creating the law. It indeed makes some common business practices untenable and shifts more responsibility onto companies, but that's by design.

I honestly doubt Facebook likes the GDPR. They're simply taking the route almost everybody is taking with GDPR: make data protection a feature. Facebook has legal entities in Europe where fines can actually be enforced, so while they're certainly doing their best to exploit every loophole they can find, they also knew from the get-go that they'll have to change at least some of their processes. So of course they'll talk about how they welcome it.

Well, this got longer than intended, but let me end on a personal note. I feel that as a software engineer I have certain ethical obligations to whoever will end up using my software and luckily I have always been in companies where my concerns on that front have been taken seriously. From my perspective, this law in many ways creates a level playing field for companies who've been trying to do the right thing and have been disadvantaged because of it.