Icon base by Lorc under CC BY 3.0 with modifications to add a gradient
The wording is pretty wild to me:
is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites.
Whatever can be accessed can be copied, there is nothing bar not publishing that can prevent it. Except if they call a pretty please in TOS an appropriate measure
This is why my idea of federation should move to service discovery. A federation would then be just a node that can points to other node serving similar service/protocol and keep their data separate. No need to copy data between server. Authentication can then be done via oAuth. This also means federation would need to be a 2-way street. Server admin would both have to allow CORS from every domain they federated with and trust the others oAuth secret/public key