by rennokki 79 days ago
It breaks GDPR easily: GDPR forces you to comply with opt-out by default, no workaround by prefilling before hitting submit.

While some think this applies only to personal data, then yes. But it takes only one line of code to use my phone number for testing while I locally test a register form in the application I'm developing.

Once it gets sent to Copilot I can threaten with legal action if they are not taking it down.

2 comments

Based on https://github.blog/changelog/2026-03-25-updates-to-our-priv..., it looks like they are going to go for “legitimate interest” which seems clearly overridden by data subject interests in this case, hence not lawful.

If you don't want to wait until your PII inevitably gets sent through, you can already now file a complaint to your local supervisory authority: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

Has there ever been a GDPR fine that actually exhausted all applicable legal challenges within a sufficiently short delay from initial violation to actually matter?
https://www.enforcementtracker.com/

Short delay: depends on your DPA, I doubt any country is fast enough. On the other hand, this is the legitimate interest of GitHub, so it would require investigation, maybe even litigation.