The issue is that it they changed the agreement suddenly, and held user's data hostage until they "agreed".

I don't know why you think that's ethically ok to hold user data hostage until they agree to give up more rights. It's borderline ransom.