Whenever a user in Minecraft: Java Edition changes their name, their previous usernames are still publicly visible in the API and they cannot be removed by the user themselves. This data can only be removed by employees with service tools, such as Mojang Support. Mojang Support refuses to remove usernames unless they contain their own definition of PII, which is a full name or a full address. They also refuse to remove information having only part of the full name or address. Their policy is very strict and they do not discuss those things any further, even if the past usernames can be used to identify an individual (e.g., username being used elsewhere or simply containing enough information to be used maliciously). Even for requests that do fall within their guidelines, some support agents claim that they cannot verify the user before proceeding with the request, asking for additional and excessive account ownership evidence, such as decade-old receipts, effectively making it impossible for end-users to have this data removed from their own account.
It is also worth mentioning that username history is almost always used to hack into someone else’s account when combined with database leaks from other sites. Acquiring the list of past usernames of any account is also very easy, as there are multiple third-party sites that display names using the API (e.g., namemc). Mojang Studios has no reason to store past usernames, let alone have them in the public API, as they do not serve any purpose. The account’s UUID, which is also publicly available, is what is used to identify users instead. Considering the game’s playerbase consists of tens of millions, mainly minors, some of whom are protected under GDPR, does that mean Mojang Support is violating the law by rejecting username history removal requests?