Even as a paying customer for many years, my account was disabled – without even receiving an email warning. I only discovered when browsing issue histories where I knew I'd left detailed comments, and noticing my comments gone without even a note about deletion, leaving threads nonsensically fragmented.
When I tried to log in, I was only faced with a generic "activity that looked malicious" message – but no hint of what that might have been. Once I complained, I was restored quickly – but if I'd been on extended vacation, or perhaps even passed away, there'd have remained giant holes, indefinitely, in projects I'd contributed to.
Was anything I legitimately did as myself suspect? (They couldn't say.) Was some third party trying to get access – or did they even briefly succeed, perhaps with some compromised credential somewhere? (That was my fear – but they couldn't say & there was no evidence of compromise in what I could see.)
After several angry emails about how they shouldn't accuse a longtime paying account in good standing of 'malicious activity' – creating fear of an account compromise of unknown extent – they finally said no, it wasn't unauthorized access (or attempts thereof) but some comment (unspecified in age/topic) that a filter deemed similar to other malicious comments.
I'd paid them ~$600 over the previous 5 years, and still had an active subscription with working billing details. My account was nearly a decade old with a wide variety of contributions & comments. But still, an automated system with no apparent human review disappeared my account, without even generating a notification.
If this is a thing that happens at GitHub, I guess that's another reason to check out GitLab instead.
Not that those warnings were heeded, of course, as usual.
I would argue that we should encourage more platforms (paid) that can host git and not just depend on GitHub or GitLab. But those 2 are successful because they were some of the early ones and then got a lot of money/funding. There may be other alternatives, but no one wants to put their code with a small risky company that may not exist tomorrow. If we can solve that problem, I think we will be ok.
When you have 40 million users and a few hundred people running the system, all kinds of issues just sit in queues never seen by human eyes until a gigantic stink about it is raised.
The usual issues arise about enforceability as long as this is only European law, and about ambiguity in the way the GDPR itself is written.
However, it seems likely that arbitrary deletion of personal data like this could fall foul of the requirements for integrity and availability, particularly given the GP was a paying customer.
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
And any exceptions still require the data controller to provide:
> suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.