@deadsuperhero Well, they have to collect this data to be able to federate. Question is only, what they are doing with this data. When they don’t block communication with European servers, they have to follow GDPR here. And these rules limit what they are allowed to do - and the fines for breaching the rules hurt even large companies.

One additional point: Most (all?) AP services perform signed requests when querying the profile and the profile related endpoints. So in the current Friendica version we already added a coding, so that unsigned requests only get some basic data that is needed for the communication, but nothing more. AFAIK some other services are doing so as well.

This coding can be extended so that signed requests from Threads will always result in only returning the basic profile data.

Stupid question, couldn’t instances just say they don’t allow scraping specifically from Facebook in their ToS and then report them for GDPR violations if they do?

As in say that have the ToS says that “we’ll give your data to other instances because that’s how the Fediverse works, we won’t give your data to Facebook” and also “Facebook is not allowed to federate, and is not allowed to pull data”.

Then just say that your data subjects don’t consent to any data pulling by Facebook, and Facebook scraping your system even through ActivityPub is a violation of GDPR.