And yet you aren’t. You, as an admin, can’t store unnecessary personal data and you must tell what you are storing, why and how long. Such things. With other services you have to tell you are using those and point to theirs privacy policy. The rest is theirs responsibility. Totally same thing than with Google Analytics, Adsense, Amazon S3, email delivering etc.
So, basically what you have to do is tell. It is user’s choise to use or not to use. If Discourse ID or what ever SSO is the only options then you must be more strict, but that isn’t the situation.
But you don’t need to allow Discourse ID if you don’t want to. I enabled it because I was curious, but there won’t be a single user in my forum at the moment who would use it. Perhaps that situation will change when translations works in full speed, but that is different story. But there isn’t basically any EU rules that is your to concern.