You can't be marketing yourself as the pinnacle of security and privacy in the domaining industry--
"The Swiss Bank of Domains"--if you don't understand what that means; it's just not acceptable, and we should be demanding better.
At the end of the day, it doesn't matter whether he was deliberately ignoring security or just naïve: his customers will be suffering the consequences of his (in)actions regardless. He pitched himself as an innovator in privacy and security, yet here we are.
If you're pitching yourself as a shield for the persecuted, protecting their freedom of speech, you'd better not be storing such verbose PII in this manner. That's not to say you can't store it, but it can't be sitting in the clear in your backups alongside the rest of your data.