I'm not sure it's that straightforward -- from the Guardian's coverage:
"The data was collected through an app called thisisyourdigitallife, built by academic Aleksandr Kogan, separately from his work at Cambridge University. Through his company Global Science Research (GSR), in collaboration with Cambridge Analytica, hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use."
It's not clear to me whether the transfer of data from GSR to CA was legal, or covered in the ToS for the app.
I'd guess that end users agreed to blanket sharing of data in the FB ToS, but again I don't think we can be certain that their ToS covers exactly this situation -- according to FB, CA / GSR were in breach of their ToS agreements, which might mean they transitively caused FB to breach their agreements with their users. I'd be interested to hear theories from anyone with legal expertise, but I imagine we'll hear more before too long.
This gets to the debate around if you can consent when giving up information about your friends. For example, is it OK for someone to give a company access to their phone's address book when the people in it haven't consented themselves?
