That might be as simple as requiring someone to log into their account (as you can already do on HN) to sending them a confirmation email, or other.

> What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply.

No, and nor should they.

> One could easily envision another site that had some non-public data associated with email address, pseudonym, and no other PII.

"Dear requester, please log into you account and use the "request my data" link on your account page"

There's a few things written about this around the web:

https://law.stackexchange.com/questions/28998/right-of-acces...

> ISTM the system you describe could lead to more data collection.

It really doesn't. What it does is attempt to gatekeep data (which these days is a huge risk) collection to organisations that are competent. You always have the option of not collecting data if you don't want to take that responsibility.

They wouldn't have to. If you're requesting your data from a company, you have to burden of proof that you are in fact the person about whom you're requesting the data. If you cannot prove it, you cannot get the data.