Facebook’s product is a platform. It can’t exist without users, and it can’t exist without advertisers (presumably).
Since both end users and advertisers are part of the product, the data of all of them needs to be protected. It doesn’t matter who the paying party is.
If you say I can avoid penalties by saying my services are "as is", what stops Facebook from doing the same thing?
Obviously, it’s still not clear for many people: All services that process personal data became more regulated through GDPR.
And yes, if any service loses its customers’ data, there will be a fine. The fine depends on many factors. And yes, even Mastodon.social or Gitlab.com (the service, not the OSS). The advantage of these platforms is that they actually don’t process that much personal data.
Behind any service is a legal entity that asks people for their data, to provide a service. These legal entities are subject to the same laws.
However, since the GDPR apparently determines fines on a case-by-case basis, they might give a low or no fine at all, if the service is non-commercial and had no intention to collect user data for commercial purposes. But the law still applies.
If you put a web service online that handles personal data, you must make sure to keep that data safe. It doesn’t matter if your service is free or not.
Turn this around: just because you as a user signed up for a non-commercial free service like Mastodon.social (the service, not the OSS you can host yourself), you wouldn’t want the admins of Mastodon.social to mess around with your data, no?