When you use AdBridge to send data to Facebook, you agree to Facebook's Custom Audience Terms, which do imply ("You represent and warrant that you (or your data provider) have provided appropriate notice to and secured any necessary consent from the data subjects whose data will be hashed to create the Hashed Data") that the data is being hashed. Given that Facebook's developer documentation requires anything (other than user uploaded data) to be SHA256 hashed on the client-side ("You must hash your data as SHA256; we don't support other hashing mechanisms. This is required for all data except External Identifiers."), this indicates the hashing is being done on Marketo's side prior to getting pushed to Facebook.
Again, Facebook's own Custom Audience Terms indicate they're aware and comply with EU and other such laws (and given that Facebook is Facebook, it'd be pretty surprising if they weren't!).
Someone may have more insight into how the hashing occurs, but it looks like you're pretty safe in using AdBridge.