Remember MySpace? It was the social media juggernaut of the mid-2000s, great for listening to music, watching videos and sharing other content with friends.

Over the last decade the platform has been in the shadow of others such as Facebook, YouTube and Instagram – but MySpace made news again in March 2019. Unfortunately it wasn’t for platform innovation, but for losing a vast amount of user uploaded content while carrying out a server migration.

Reports suggest up to 50 million songs plus users’ photos and videos were lost as part of the platform’s server migration. The affected content had been uploaded three or more years ago.

In the age where data (and content) is king and data retention can be crucial, this incident is a powerful example of why it’s so important to understand your customers’ and suppliers’ data retention responsibilities and liabilities, as well as your own.

Three is the magic number

Data retention policies can cover commercially sensitive data as well as personal data. Compliance with principles such as data minimisation (e.g. not retaining more than is needed for a specific purpose) and storage limitation (e.g. not keeping data for longer than necessary) are only strictly required to comply with GDPR. Yet a general data retention policy should incorporate these measures to reduce the potential liability that follows lost data/content.

The fact that the content lost in the MySpace server migration was uploaded three or more years ago brings the principle of storage limitation into sharp focus. Believe it or not there was once a time before GDPR. This means questions could also be asked whether MySpace complied with its transparency obligations under the data protection regime at the time (the Data Protection Act 1998). For example, did MySpace communicate to users where and for how long it would store any personal data contained within user content?

Let’s put to one side whether MySpace users were under any obligation to back-up their content and if they were also notified to do so ahead of the server migration. One could also ask if MySpace needed to keep all that data/content for so long in the first place?

Thinking out loud

This incident gives many people a reason to stop and think more closely about data retention. Here are some key questions worth considering:

  • Is there a data/content retention policy in place and is this incorporated into the relevant contract?
  • What type of data/content does it cover?
  • Are there any obligations on the party submitting or retaining the data/content to back it up (and if so, are there any requirements on back-up frequency or limitations on capacity)?
  • How long do the obligations last?
  • Has the party storing the data/content been transparent in terms of where the data/content is stored and for how long it will store it?
  • What exclusions are in place in the event of loss or corruption?

Can’t stand losing you

Context is everything, but even where a business has the clearest data retention policy in place, it will likely do little to soften the potential PR fallout from a wide-scale loss of commercially sensitive or sentimentally valuable data/content. While not all businesses may have to worry about losing as much data as the MySpace incident, they should not overlook the importance of planning how to respond to those affected by a data/content incident. It could make a huge difference when it comes to protecting your image and relationship.

Devil in the detail

It is also worth considering whether the MySpace users whose content was lost owned the intellectual property rights in the content itself and if they had the right to upload the content in the first place.

Platforms such as MySpace will specify in their terms of use that users should not upload content in which they do not own the IP (or at least have a licence). It won’t remove the bitter taste that many MySpace users may well have right now and it doesn’t justify MySpace’s loss of the content, but it certainly makes for an interesting discussion.