# Can you use GDPR to Circumvent BlueSky's Adult Content Blocks?

## Overview

This blog post by Terence Eden, dated September 29, 2025, explores whether the GDPR (General Data Protection Regulation) can be used to bypass BlueSky's adult content blocks, imposed under the Online Safety Act (OSA). BlueSky restricts access to adult content and direct messages (DMs) for users who do not verify their age.

---

## Background

BlueSky's Approach:

- Unverified users can still access the service but cannot view porn or receive non-public messages.
- Users who do not complete age verification cannot turn off DM notifications or retrieve past private messages.
- Exported user data only includes public information, not private DMs.

Author's Stance on Online Safety:

- Terence is moderately supportive of the Online Safety Act.
- Believes platforms should moderate content to protect younger users if they allow access.

---

## The Problem with BlueSky’s Implementation of Adult Content Blocks

- No ability to access or control DM settings without age verification.
- Messages from people who previously messaged still come through and cannot be blocked.
- Persistent DM notifications encourage age verification.

---

## GDPR and BlueSky

BlueSky's Privacy Policy states:

- DMs are stored and processed to enable private communication and may be accessed for Trust and Safety.
- Users may have the right to access and port their personal information, including DMs.

Terence’s GDPR Subject Access Request (SAR):

- He requested a copy of his DMs as personal data.
- Proved account ownership but did not verify age.
---

## Timeline of the GDPR Request

| Date | Event | Response |
|------------|------------|------------|
| 2025-07-24 | SAR sent to BlueSky support; acknowledged | Request shared with the team; may need verification |
| 2025-07-31 | Reminder sent | Escalated to developers; awaiting confirmation |
| 2025-08-25 | Escalation to legal team | Asked for country of residence and verification via associated email |
| 2025-09-05 | Another follow-up sent | None specified |
| 2025-09-13 | After 7 weeks, asked which data authority BlueSky registered with; intention to complain | Data being prepared for download |
| 2025-09-22 | 8 weeks after SAR, asked for ETA on data preparation | None specified |
| 2025-09-25 | After 64 days, BlueSky sent a CSV file containing DMs | Data received |

---

## Result

- Received DMs in a CSV file with JSON embedded content.
- Messages contained timestamps, sender DID, and message contents.
- Data was returned without age verification.

---

## Author's Reflections

- Surprisingly long response time despite BlueSky’s funding.
- Proves GDPR still