My only issues with this are that it's impractically hard to protect data to the extent necessary, and large fines become a lever for disgruntled employees to cause massive damage.
It's not just phone numbers, though. It could be private messages, friends-only posts, IP address logs, physical addresses, SSNs--the list goes on. You'll quickly find that anything non-trivial will start collecting data users wouldn't want public.
Services like social networks don't need to store physical addresses, SSNs, phone numbers, etc. Therefore, that data should be looked at like a liability rather than an asset. It shouldn't be collected in the first place.
Data like private messages, friends-only posts, etc are needed for the features they want to provide, and they should only provide those features if they can protect that data.
