As I said in another comment, the GDPR protects people. And the GDPR only applies to personnaly identifiable data (IPs, email addresses, street address, legal name, date of birh…) Lemmy only collect emails and IPs, and do not share them between instances. So it’s very easy to comply to the GDPR as long as you don’t do anything shady.
The EU has a marketing issue. They tried to pass legislation to prevent companies to collect data. But instead, company displayed a popup, kept collecting data, and blamed it on the EU. Everytime I see a popup, I blame ruthless data collection.
Actually, Lemmy is most likely violatiing the California Consumer Privacy Act, which, as opposed to the GPDR, gives the right to update/delete any data generated by the user, not only personally identifiable information.
Everybody is talking about the GPDR, but the GPDR when hosting in the EU, should be the least if your concerns. As I said elsewhere:
The real issue is Directive on Copyright in the Digital Single Market which is a nightmare if you want to host lemmy legally. Realistically, the government don’t care about a few copyright infrigement by some guy/gal hosting a lemmy instance in their garage.
But, if you want to follow the law to the letter, the EU doesn’t have any fair use. So theorically, you need to allow users to only post creative commons images, with attribution. Or do some copyright checks on the content posted on your instance. Here is an EU video on how to comply with the directive, it’s a nightmare.