Be interesting on this one. GDPR has explicitly called out legal obligations for the data controller and the data processor. Controller is the one you consent to data collection, processor is 3rd party carrying out processing on behalf of controller. If data sold then it is passed to another data controller.
In this case user has apparently given, some level of, consent to Cambridge Analytica. I don't know whether that would then make them a data controller in their own right or whether they still be treated as a data processor. If former then user would have to engage directly with CA for right to erasure or FB need to invoke T&C's. If later then it's down to FB T&Cs and then FB would have to inform CA of user invoking right to erasure.
GDPR will a minefield for consumers and organisations for at least another 2 years until we have some case law that backs it all up
In this case user has apparently given, some level of, consent to Cambridge Analytica. I don't know whether that would then make them a data controller in their own right or whether they still be treated as a data processor. If former then user would have to engage directly with CA for right to erasure or FB need to invoke T&C's. If later then it's down to FB T&Cs and then FB would have to inform CA of user invoking right to erasure.
GDPR will a minefield for consumers and organisations for at least another 2 years until we have some case law that backs it all up