As far as I am aware they operate out of Ireland, which means they need to follow EU laws.
I am not aware if that gives Germany any power over them or not, but if Germany can prove that the same laws they are referencing (and the data protection laws are the same across the EU, so I am making a big assumption here that it is the case) they could make Facebook follow the EU laws.
I am not aware if that gives Germany any power over them or not
Not really, it is Irish law that applies.
the data protection laws are the same across the EU, so I am making a big assumption here that it is the case
Yes and no. EU Directives set out a lot of details (and usually minimum levels) for various things, but countries implement & transpose them into national law (i.e. actual law) themselves and there can be differences. Remember not all countries in the EU speak the same language, have the same legal systems (civil law vs. common law) or use the same currency, so there will be some superficial differences. Sometimes countries get an opt-out of certain EU directives. Sometimes countries will go above and beyond the EU directives (e.g. in the UK it's possible to opt out of the 48 hr maximum working week, whereas France has no opt-out and sets the maximum working week at 35 hrs). Broadly speaking EU law will be the same across the EU.
However, the next EU Data Protection / Privacy directive will allow one country to act against a company/person if they are active in that country, rather than it having to be based on where that company's headquarters are.