The GDPR doesn't just apply to legal persons (companies), it also applies to natural persons (individuals). If a Lemmy server is hosted in the EEA (EU+Norway, Lichtenstein, Iceland) and Switzerland it should have to comply with EU data protection laws.
For this Lemmy would need to implement deletion. As the feature does not exist the admin would likely have some initial legal protection (grounds of impossibility), but I'm not sure how much, in particular if there are repeated requests. That would probably lead to Lemmy being deemed illegal in the EEA and switzerland (32 countries)
Concerning federation, if Lemmy implements deletion and a federated server does not respect the deletion, that server is liable, not the original Lemmy server.
I think it depends, given the data available on Lemmy, and the context of federated services I highly doubt that an instance could be held liable for another server not federating deletion.
The GDPR is implemented by 31 countries (EU27+Norway, Iceland, Lichtenstein, Switzerland). The UK also currently implements it, and both Californian and Chinese data protection laws are inspired by it.
Some EU/Ukraine propaganda posters
Warning: You cannot delete posts or comments on Lemmy. It stays up forever, and is in direct violation of GDPR and other national privacy laws.
Title says it. Apparently lemmy devs are not concerned with such worldly matters as privacy, or respecting international privacy laws.