It's a fair point that most WHOIS data used to be public by default, though not for some country codes, though even then many used WHOIS privacy services, either paid or free, to avoid publishing their particulars. And a lot of historic WHOIS data can be bought from Domaintools.com - when they started offering that in the late 2000s many complained, and for some in the know that was the time to start using WHOIS privacy.
It seems most registrars in publishing WHOIS data say it may not be scraped or repurposed, though I doubt they have any power to enforce it.
But under GDPR you have to have a reason to collect PII (Personally Idenitifiable Information), collect only the data you need, and keep it only as long as you have an identifiable need for it. Data has to have a defined shelf life.
Under GDPR ,EU citizens and residents have a right to request the data that a data controller holds on them, and to request its amendment or deletion. So Epik and Domaintools could face emails and requests from 400+ million people about the data they hold, or might hold. GDPR does apply to Epik and USA companies, as documented earlier in this thread.
Perhaps someone here can comment on the new California data protection laws, which I think are similar to GDPR in many ways.