> He mumbled something about GDPR, which is nonsense, because we're on the opposite side of the planet from Europe.

It was also nonsense because the GDPR is crystal clear about where PII may be used. Audit logs are one of those exceptions where the goal of identifying users simply permits storing usernames and associated attributes (certainly in the case of upgrading a paid plan).

This wasn't about the GDPR; you were being told to sod off.