TLDR: On the web-pages of the European Commission, you could sign up for an event. There existed the option to sign up with Facebook. On one occasion, this lead to a connection with servers in the US. That is interpreted as a transfer of personal data. Since this is a transfer of personal data outside the EU, beyond the reach of the GDPR, this requires special handling. (I’m not sure why this request was routed via the US.)
This is probably surprising to many. There is a myth out there that it is enough not to collect personal data. But you also are responsible if data is collected by other parties to which you link on a site. This is a potential problem for Lemmy instances. Of course, instances also share data via federation, which should not be done without a contract, especially outside the EU.
TLDR: On the web-pages of the European Commission, you could sign up for an event. There existed the option to sign up with Facebook. On one occasion, this lead to a connection with servers in the US. That is interpreted as a transfer of personal data. Since this is a transfer of personal data outside the EU, beyond the reach of the GDPR, this requires special handling. (I’m not sure why this request was routed via the US.)
This is probably surprising to many. There is a myth out there that it is enough not to collect personal data. But you also are responsible if data is collected by other parties to which you link on a site. This is a potential problem for Lemmy instances. Of course, instances also share data via federation, which should not be done without a contract, especially outside the EU.