Of course the Lemmy devs aren’t liable for GDPR violations; the admins are. That doesn’t eliminate the problem, though: if the Lemmy devs wish to see their software used as it is now in the long term, they need to introduce GDPR compliance tools. We should consider it gravely concerning that bad actors (e.g., a Reddit employee) can set up Lemmy admins for a massive GDPR suit at any moment.

Edit:

if the people complaining are so concerned, why do they not contribute the code to fix their perceived issues?

I know it’s a stereotype around here, but not everybody on Lemmy is a programmer with free time.