It seems Aaron Toponce is in the US (UT) and the company is in the UK.
Hypothetically, he were in the EU, I understand it would be illegal to provide the personal information as requested (i.e. of anyone who had not explicitly consented to the transfer of their data to an explicitly named third party).
Maybe there's a way to give the GDPR more teeth by punishing businesses who operate in the EU "legally" while outside the EU are not treating people as well.
“ The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR. ”
Right - four months in, there hasn't yet been any divergence, but the GDPR no longer applies to the UK. You don't have recourse to EU enforcement measures or courts.
Hypothetically, he were in the EU, I understand it would be illegal to provide the personal information as requested (i.e. of anyone who had not explicitly consented to the transfer of their data to an explicitly named third party).
Maybe there's a way to give the GDPR more teeth by punishing businesses who operate in the EU "legally" while outside the EU are not treating people as well.