For your point 1)
The same applies to any other social media or good old phpBB forums that some clubs still use. GDPR still applies as soon as you log personal data of a European user. So if an instance admin does shit with the data, they can be charged.
GDPR isn’t that complicated; tons of small non-profit structures (e.g. a sports club) deal with personal data without any issue. If you don’t spy on your users and do the minimum needed amount of data processing, your data privacy policy can fit in a couple of lines. It gets huge because big social media spy on us.
Old-school forums have single points of contact. They’re no more private than ActivityPub, but a takedown to the admin is a takedown of all instances. Obviously public data can be cached or archived, so as always you have to send takedowns to every archival service, search engine, and any CDNs too.
The GDPR “applies” whenever an EU resident’s data is stored. The enforcement requires some presence in the EU by the entity storing the data. For multinational companies that means if they have any banking services there (e.g. taking payments from EU customers) they have a presence. For individual fediverse admins, that’s not necessarily a concern. At worst their instance’s domain would get blacklisted to EU users.