The two situations are kind of similar. Whether a friend is using an “Invite a friend” mechanism or they are syncing their address book, either way their shitty choice of controller is getting my personal data. And in both cases the data controller proactively implements code to facilitate the sharing.

Also seems to reinforce my previous conjecture: E-mail fundamentally incompatible with the GDPR

I suppose the difference is that invite-a-friend is purely a data share, whereas other cases are to facilitate the data subject’s use of the service.