No, the existing privacy legislation already requires opt-in for processing of biometric data; GDPR makes many things stricter, but much of it is already a legal requirement.
Apparently Facebook's well-trained legal team disagrees with your assessment of European law. Facebook isn't stupid; they wouldn't have done this if it weren't legal.
