
One way to protect user data is to NOT ask/collect data in the first place. What's the need for a person's full name and address? Maybe I'm missing the point, but I see zero reasons to have this data in the first place.


If you read the whole thing, it's pretty clear they don't have the person's full name and address, and thus did not provide it. They do mention that it will be needed for organizations that sign up for billing when that feature becomes available.

Other than possibly IP addresses, it seems like the only information they had available to disclose was close to the bare minimum needed to operate the service.


You are probably reading what data the DoJ requested. Further down in the blog post (in the "Details" section) they state that they don't have a lot of the data requested and exactly what kind of data they could and did provide. Addresses are not requested by PyPI.


And they state very clearly they don't have this information. In fact, PyPI seems to retain a very reasonable set of information, strictly related to the service itself. I found this disclosure to be entirely refreshing.


That’s the best principle to follow. Agreed.



