GDPR-like laws are something I hadn't considered, but it makes sense in an absolutist sort of way.

At least here in the U.S. lawyers are more than happy to try and cheat sue anyone for any possible reason unlawful trespass on their clients' rights, so I can see natural keys being the target of a scum-sucking shark over zealous legal beagle fine upstanding pillar of the legal community slavering to strike reluctantly noting a deliberately misconstrued blatant violation of the law.

Regardless, I've always been a firm believer in surrogate keys over natural ones for any number of purely mechanical reasons. First, natural keys change--a lot, meaning fragmentation of the table and indexes. Second, using something like an identity lets you append new records, and third, ala GDPR a surrogate key doesn't leak PII--at least, not by itself.