People think GDPR is some magic spell that can be used to stop bits from being transmitted around the Internet.
It’s not. It’s just a set of instructions regarding what online services are supposed to do with the data of European users interacting directly with their servers. To be “GDPR compliant”, all instance admins need to be able to do is:
tell their users what PII they need to collect for their service.
ask for consent to share this PII with other parties.
remove any PII upon the user’s request from their servers.
I’m reasonably certain that I can satisfy these regulations.
I don’t share any PII with other parties (not even analytics of any kind), so I don’t even need that stupid EU cookie pop-up on my website.
The only PII I need to collect is their username. Even email address is optional.
People only get access to my instance by signing up to Communick, so they need to accept my privacy policy.
There is nothing in the law that says “if someone screams Gee-Dee-Pee-Arrr three times in front of their phone, their data becomes radioactive and must disappear from the Internet in 48 hours or the instance owner will pay 100 million euros + 3 pints of blood from their unborn first child”