Is it? I guess in Italy we have more or less the same European directives. So long as the user is clearly informed about what data is being sent to who, and grants her/his consent to that, it should be legal to do FBLs. Yet, IANAL. The best thing, IMHO, would be do gather users' consent on the first time they hit a "This is Spam" button. At the same time, give them the option to redact their email address in the header. (See http://tools.ietf.org/html/rfc6590 ).
The real story is that RIPE staff and several people involved with this have been putting out false information and lying to people about the applicability of the EU privacy laws. They are doing this so they have an excuse to restrict access to the whois database. Now that they made up this false story they have backed themselves into a corner and they don't want to admit they lied to everybody so they keep making the same false claims over and over to save face. These are the people that treat abuse like a religion and they no longer use common sense or logic. You don't need to be a lawyer to understand that once someone gives permission to publish data related to them then the privacy laws no longer apply to that situation.