Ok, so I did some checking regarding the location and stuff, since I’m clearly not informed enough about this. However, my point still stands (I think).

Copy pasted from Twilio. I guess they are better aware than I am about the rules…

The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR. In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. (Unlike an outright prohibition on extraterritorial data transfers, this actually makes sense. No point if having rules if those rules get tossed out the window just by moving the data out of the EU.)

and also:

This legally binding obligation can be achieved in multiple ways. Here is a sampling:

1. The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).
2. The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection.
3. The company has enacted Binding Corporate Rules.
4. There is some regulatory-approved code of conduct to which the entity subscribes.

So, if someone opens up an instance in, let’s say, Ethiopia or the US, it is not compliant, afaik.

However, question remains about the proxy thingy of the fediverse. Is data copied/stored on other instances OR does it remain on the instance that I subscribed to. And what if that instance is located in a “non-GDPR-compliant-environment”?