As I mentioned before, modern technologies raise complex issues about third parties that we have barely begun to explore. SOP at social networks is very much to get people to provide information about not only themselves but also other people they know, and that's a minefield if those other people aren't happy about it. Obviously you can't just say social networks can do what they want if someone else provided the personal data, because that undermines the entire principle of data protection and privacy. But equally, if you require explicit consent from everyone for everything, you create a huge burden that might make the whole idea unworkable or at least remove a lot of the value these services offer to their users when maybe a lot of people wouldn't have a problem with, say, a friend tagging them in a photo anyway.

As things stand, taking the GDPR at face value, I don't see how it would be legal for a social network to retain any photo in which someone is identifiable if that person doesn't consent, unless that social network also took rather dramatic steps like avoiding any sort of automated processing and analysis of photos that might identify people in them, as well as removing features like letting a user tag someone who isn't a member of the social network.

Except that is not included in this. You are in fact not even supposed to retain data to identify a user after their account has been used to match them on other data.

I don't know the law by heart right now but I had discussions even a year ago with people consulting on this about this very topic what to do for such cases.

This law was not drafted in a vacuum where nobody looked at real world situations.

Sadly, given that we're talking about an EU law in a technical field, I suspect that what you just wrote is actually quite close to what did happen. That would be consistent with other recent EU rules affecting creative and technical businesses. In some cases, even senior EU and national government figures have admitted that those involved hadn't seen major unintended consequences coming at all, at least not until it was too late in the process to avoid them.

Essentially, the EU often exhibits good intentions and its laws might be made with laudable overall goals, but it frequently produces poor implementations that haven't been thought through in enough detail before legislating. So far the GDPR is shaping up to be another textbook example, with perhaps a side order of political football so the EU can beat up big US tech businesses because the EU's business environment hasn't resulted in creating equivalent services of its own.

This doesn't seem healthy for either our tech industry or our society as a whole to me. I'm actually a rather strong advocate of privacy online, but rules intended to protect it do need to be reasonably clear and practical or they're not going to be worth very much.

We will see soon enough how this plays out. From where I'm standing I'm very welcoming of this development because it's the first time I see an actual attempt of companies doing something that is in the interest of the customer when it comes to data.