One would hope the people on bluesky understand that they're posting publically to a centralized database. What data privacy problem are you concerned with?
As I understand it, the moment you're processing someone's personally identifiable information, you're in the red zone, GDPR-wise. The users consented to publish their info on BlueSky, but not on OP's website.
I get the idea behind the GDPR and it's nice to protect consumers but I'm scared for hobby projects like this.
I think GDPR itself is a bit unclear here. Google Search still operates in Europe as far as I know even though it scrapes and indexes people's websites without explicit consent, and I suspect GDPR doesn't intend to make it illegal to do this. Could be wrong...
IANAL but at least in the U.S. I'm pretty sure publicly-available data is generally excluded from whatever protections do exist on PII. I'm not sure what, if anything, has been said about this in the EU.
