Can we expose APIs which return an email address in plain format?
Can we expose APIs which ask for an email address as input in plain format?
Can we expose APIs which return a user address in plain format?
GDPR Article 5 mandates that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
PCI DSS also allows the use of PCI data if proper security measures are in place.
Don't expose data to a partner unless absolutely necessary. One of the downfalls of this new API Economy is that many developers are not following "best practices" for protecting a data subject's privacy. Enforce the principle of least privilege by ensuring any third party that has access to the endpoints is authorized and access is provisioned accordingly. I love the OWASP API Security Top 10. Check it out.
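
The following is an added example, not part of the original posts: a deny-by-default response serializer that releases the email and address fields asked about above only to partners provisioned for them. The partner names, scope strings and field names are hypothetical and constructed for illustration.

```python
# Fields any authorized partner may receive (hypothetical allowlist).
PUBLIC_FIELDS = {"id", "display_name"}

# Personal-data fields and the scope a partner must hold to receive each one.
PII_FIELD_SCOPES = {
    "email": "user.email:read",
    "address": "user.address:read",
}

# Constructed partner registry: scopes provisioned per third party.
PARTNER_SCOPES = {
    "shipping-partner": {"user.address:read"},
    "newsletter-partner": {"user.email:read"},
    "analytics-partner": set(),
}

# Constructed sample record, including a field that must never leave the service.
SAMPLE_USER = {
    "id": 42,
    "display_name": "Sam",
    "email": "sam@example.com",
    "address": "1 Example Street",
    "password_hash": "constructed-placeholder",
}


def serialize_user(user, partner_id):
    """Return only the fields this partner is provisioned to receive."""
    granted = PARTNER_SCOPES.get(partner_id)
    if granted is None:
        # Unknown callers get nothing, not a reduced view.
        raise PermissionError(f"partner {partner_id!r} is not authorized")
    response = {}
    for field, value in user.items():
        if field in PUBLIC_FIELDS:
            response[field] = value
        elif PII_FIELD_SCOPES.get(field) in granted:
            response[field] = value
        # Anything else (unscoped PII, internal fields) is dropped by default.
    return response


def released_pii(user, partner_id):
    """List the personal-data fields a response would contain, for audit logging."""
    return sorted(f for f in serialize_user(user, partner_id) if f in PII_FIELD_SCOPES)


if __name__ == "__main__":
    for partner in PARTNER_SCOPES:
        print(partner, serialize_user(SAMPLE_USER, partner), released_pii(SAMPLE_USER, partner))
```

Because the serializer works from an allowlist, a field added to the user record later stays private until someone deliberately assigns it a scope.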