As far as I know, personal data on privacy-enabled domains does not get exposed once a domain expires.
The only thing I'm not sure about is whether or not personal data is able to be looked up if the domain didn't have privacy enabled for any amount of time. What I mean by that is, if you obtained ownership of a domain and didn't have privacy enabled from the initial time of acquisition (but decided to add it later on)--or, if you had it enabled initially, disabled it for a period of time and then re-enabled it. Seems like that would be information that could be found in a search of some kind.