It just so happens that I sent out a note to @lrosen about this very thing. We’ll see what he might have to say. The real question is whether we can continue to claim all volunteered information as “public” and whether that will satisfy EU.
Regarding the rest. I agree that we need to be mindful about disclosure to all because there are projects like Burke is contemplating that will be reusing individual community member data to do aggregate rollups (only to better the community of course).
I just don’t know whether the burden is on us to say what we plan to do with public data. The only data we keep that’s private is passwords at the moment.