I think the best we can do here is ensure this is outlined in the privacy policy on each instance. I’ve tried to outline how it works, and why it works that way in my privacy policy. But it’s still a bit work in progress.

I think the most important thing to stress here is that only data required for federation is shared. We don’t build profiles, we don’t send any other data to any third parties and all the data sent to federated servers is available via a web link to anyone publicly too.

The best we can do for users that want to be forgotten is send the delete request. We cannot force other instances to delete content.

I would argue that’s the case for “big social media” too. Say for example I say to facebook “Hey under GDPR provisions I would like you to delete all data you have from my account”. They are obliged to do this. Sure. But what about all the third party advertisers that already have my data through the sharing agreements? Do you think facebook even tries to remove it from them? Do you think they will do it if they ask?

So, I think that’s kinda synonymous with the federation situation. So long as you make clear how it works, and as long as you make good faith attempts to delete a user’s data on request. I’m not sure there’s more we can be expected to do (and it’s already more than the big companies will do for you).