I’m nog sure what they’ll be sued for. The GDPR is very much written so that DPAs take action, not individual users.

Even then, instances need to break the law first. If someone asks a server to delete or alter personal information, the instance has a full month to respond. If deletion or alteration cannot take place within a month (doubtful, but theoretically possible), the the change may take even longer.

You can send a GDPR death letter to an instance admin and the worst you’ve done is annoy an admin who needs to run a bunch of SQL scripts for an one afternoon.

Lemmy doesn’t process that much personal information. It republishes content on your request, but that’s not necessarily PII. There are a few identifiers (your username, user ID, the private/public key pair used to sign your messages when dealing with federation) but like on many other platforms, those can be changed, with great difficulty. Of course, changing that information WILL break shit on other servers, but you can try!

When it comes to other servers, you’re kind of screwed. That’s not really a problem, though. You don’t expect Gmail to make everyone you’ve ever emailed delete the stuff they’ve received from you, that’s just not how that works. You could argue that email is more private, but then mailing lists exist that basically do what the Fediverse does but on a larger scale.