Adding one more datapoint here, I reached out to Github to find out their
stance.
Here is what I got back
Quote:
Thanks for reaching out to us about this.
It's important to remember that the Right to Erasure only applies to personal
data, not all data. It only applies to data a controller (GitHub, for example)
is processing _solely_ on the basis of consent. And it only applies when there's
not another legal reason to keep the data — for instance, if the data is no
longer necessary for the purpose for which it was collected.
We do not process Git commit history on the basis of consent. We have a
legitimate business purpose for collecting Git commit history: to maintain the
integrity of the Git commit record. It remains necessary for its purpose for as
long as a commit needs to be attributable to its committer. At GitHub, as part
of our Privacy By Design work, we offer ways for users to set their own Git
commit email data, so if an individual wants to remain anonymous or
pseudonymous, he or she can do so. We also explain, in our [Privacy
Statement](https://help.github.com/articles/github-privacy-statement), that we
are not able to delete personal data from the Git commit history once it has
been recorded.
End Quote
I'll point out that not only did the Github lawyers need to sign off on this
stance, but the Microsoft lawyers would have looked at it as well as part of
their purchase of Github.
David Lang
