Data Retention: Difference between revisions

From Bittylicious
(Created page with "==Regulation And UK Law== As of January 2020, Bittylicious Ltd is now a "relevant person" for the purposes of retaining customer records under the Money Laundering, Terror...")
 
No edit summary
'''Previous revision (page created)'''

==Regulation And UK Law==

As of January 2020, Bittylicious Ltd is now a "relevant person" for the purposes of retaining customer records under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (most recently amended end of 2019 to include all UK cryptoasset companies).

Here is the exact wording of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (or “MLR” for short):

<blockquote>'''PART 4 Reliance and Record-keeping (40)'''
* (1) Subject to paragraph (5), a relevant person must keep the records specified in paragraph (2) for at least the period specified in paragraph (3).
* (2) The records are—
** (a) a copy of any documents and information obtained by the relevant person to satisfy the customer due diligence requirements in regulations 28, 29 and 33 to 37;
** (b) sufficient supporting records (consisting of the original documents or copies) in respect of a transaction (whether or not the transaction is an occasional transaction) which is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.
* (3) Subject to paragraph (4), the period is five years beginning on the date on which the relevant person knows, or has reasonable grounds to believe—
** (a) that the transaction is complete, for records relating to an occasional transaction; or
** (b) that the business relationship has come to an end for records relating to—
*** (i) any transaction which occurs as part of a business relationship, or
*** (ii) customer due diligence measures taken in connection with that relationship.
* (4) A relevant person is not required to keep the records referred to in paragraph (3)(b)(i) for more than 10 years.
</blockquote>

==Industry Standards And Liability==

Companies covered by this piece of UK legislation interpret this section to mean that failure to retain records for up to 10 years can result in civil and criminal liability for breach of the MLR, and therefore retention of records for 10 years has become both the industry standard and the expectation of the UK courts when investigating financial crime.

In reality, though a company might be found not to be in breach for destroying records between 5 and 10 years, they would have to argue this case in court, and risk losing their case as the legislation only explicitly protects them when they destroy records after 10 years, not 5.

This risk of criminal and civil liability is too great for other players in the industry (banks, etc), and is similarly too great for Bittylicious, now that all cryptoasset companies are obliged to comply with the same rules as other financial players (since January 2020).

==GDPR Article 17 Right To Erasure==

The GDPR specifically allows for instances where Article 17 (right to erasure) conflicts with other UK legislation, allowing for the other piece of UK legislation to take precedence, in this case the MLR.

Article 17(3)(b) of the GDPR states that the right to erasure does not apply where processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject".

To be clear, this provision of the GDPR means that in this case, the MLR takes precedence over the GDPR with respect to the right to erasure under GDPR Article 17.

This means that Bittylicious not only has the right, but has an ''explicit duty under UK law'' to retain these records for longer than used to be the case, before the cryptoasset industry was regulated and Bittylicious considered a "relevant person" under the MLR.

Standard GDPR right to erasure rules changed for Bittylicious as soon as it became a "relevant person" for the purposes of the MLR, along with all other UK cryptoasset companies, i.e. January 2020. This is why Bittylicious is now obliged to retain records for 10 years.

'''Revision as of 17:04, 1 January 2021'''

==Data Protection, Regulation And Isle of Man Law==

Bittylicious is registered as a Designated Business with the Isle of Man's Financial Services Authority. As such, it has certain responsibilities with regard to customer data retention which may not apply to companies operating in other industries.

According to paragraph 33 of the [https://www.gov.im/media/470621/anti-moneylaunderingandcounteringthefinancingofterrorismcode2015.pdf Anti-Money Laundering and Countering the Financing of Terrorism Code 2015], Bittylicious is required to store user data for at least 5 years even after accounts are marked as deleted:

Here is the exact wording from the Anti-Money Laundering and Countering the Financing of Terrorism Code, paragraph 33:

<blockquote>'''33 Record retention'''
* (1) A relevant person must keep the records required by this Code for at least 5 years
** (a) in the case of records required by paragraph 32(b), from the date of the completion of the transaction; and
** (b) in other cases, from the date when
*** (i) all activities relating to an occasional transaction or a series of linked transactions were completed; or
*** (ii) in respect of other activities
**** (A) the business relationship was formally ended; or
**** (B) if the business relationship was not formally ended, when all activities relating to the transaction were completed.
* (2) Without limiting sub-paragraph (1), if
** (a) a report has been made to a constable under paragraphs 26(1)(f) and 28;
** (b) the relevant person knows or believes that a matter is under investigation by a competent authority; or
** (c) the relevant person becomes aware that a request for information or an enquiry is underway by a competent authority, the relevant person must retain all relevant records for as long as required by the constable or competent authority as the case may be.
</blockquote>

The legislation does not specify a maximum number of years for data retention. This being the case, and following common industry practice, Bittylicious retains data for 10 years from the date of deletion.

When the account is marked as deleted, we set a flag meaning the account can no longer be registered again. After 10 years, any sort of identifiable data, including uploaded data, will be automatically deleted.

==GDPR Article 17 Right To Erasure==

The Isle of Man is not a member of the European Union. Even though Isle of Man legislation specifically introduced the GDPR into law, the GDPR itself specifically allows for instances where Article 17 (right to erasure) conflicts with other legislation, even in member states.

In the case of Bittylicious, Isle of Man legislation is the only applicable law, namely the [https://www.gov.im/media/470621/anti-moneylaunderingandcounteringthefinancingofterrorismcode2015.pdf Anti-Money Laundering and Countering the Financing of Terrorism Code 2015], as described above.

Bittylicious therefore not only has the right, but has an explicit duty under Isle of Man law, to retain these records for longer than companies which are not registered as a Designated Business might. It is unfortunate that the legislation does not explicitly set an upper limit of years for record retention. This being the case, Bittylicious follows common industry practice and retains records for 10 years, enabling it to comply fully with its anti-money laundering and counter-terrorism financing duties as a Designated Business.

Revision as of 17:04, 1 January 2021

==Data Protection, Regulation And Isle of Man Law==

Bittylicious is registered as a Designated Business with the Isle of Man's Financial Services Authority. As such, it has certain responsibilities with regard to customer data retention which may not apply to companies operating in other industries.

According to paragraph 33 of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015, Bittylicious is required to store user data for at least 5 years even after accounts are marked as deleted:

Here is the exact wording from the Anti-Money Laundering and Countering the Financing of Terrorism Code, paragraph 33:

<blockquote>'''33 Record retention'''
* (1) A relevant person must keep the records required by this Code for at least 5 years
** (a) in the case of records required by paragraph 32(b), from the date of the completion of the transaction; and
** (b) in other cases, from the date when
*** (i) all activities relating to an occasional transaction or a series of linked transactions were completed; or
*** (ii) in respect of other activities
**** (A) the business relationship was formally ended; or
**** (B) if the business relationship was not formally ended, when all activities relating to the transaction were completed.
* (2) Without limiting sub-paragraph (1), if
** (a) a report has been made to a constable under paragraphs 26(1)(f) and 28;
** (b) the relevant person knows or believes that a matter is under investigation by a competent authority; or
** (c) the relevant person becomes aware that a request for information or an enquiry is underway by a competent authority, the relevant person must retain all relevant records for as long as required by the constable or competent authority as the case may be.
</blockquote>

The legislation does not specify a maximum number of years for data retention. This being the case, and following common industry practice, Bittylicious retains data for 10 years from the date of deletion.

When the account is marked as deleted, we set a flag meaning the account can no longer be registered again. After 10 years, any sort of identifiable data, including uploaded data, will be automatically deleted.
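The deletion flag, the 10-year clock and the paragraph 33(2) hold described above can be enforced by a small scheduled job. The following is an added illustration, not Bittylicious code: it assumes an account record with a keyed hash of the sign-up identifier (used only to refuse re-registration), a list of uploaded document names, a deletion date, and a `legal_hold` flag that staff set when a report, investigation or enquiry under 33(2) is in progress. The purge routine deletes identifiable data only once the retention period has fully elapsed and no hold is in force.

```python
"""Retention scheduling for soft-deleted accounts (added example; names and fields are assumptions)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

RETENTION_YEARS = 10  # policy figure from the page; the Code itself sets only a 5-year minimum


def add_years(d: date, years: int) -> date:
    """Add whole calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Account:
    account_id: str
    identity_hash: str                              # assumed: keyed hash of the sign-up identifier
    documents: List[str] = field(default_factory=list)  # assumed: uploaded verification files
    deleted_on: Optional[date] = None               # set when the user deletes the account
    legal_hold: bool = False                        # assumed flag: a paragraph 33(2) hold applies
    purged: bool = False                            # identifiable data already removed


class RetentionStore:
    """In-memory stand-in for the account table (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.blocked_hashes: Set[str] = set()

    def add(self, acct: Account) -> None:
        self.accounts[acct.account_id] = acct

    def mark_deleted(self, account_id: str, today: date) -> None:
        """Soft-delete: record the date and block the identifier from registering again."""
        acct = self.accounts[account_id]
        acct.deleted_on = today
        self.blocked_hashes.add(acct.identity_hash)

    def can_register(self, identity_hash: str) -> bool:
        return identity_hash not in self.blocked_hashes

    def purge_due(self, acct: Account) -> Optional[date]:
        """First day on which identifiable data may be removed, or None if not deleted."""
        if acct.deleted_on is None:
            return None
        return add_years(acct.deleted_on, RETENTION_YEARS)

    def run_purge(self, today: date) -> List[str]:
        """Remove identifiable data for every account whose retention period has elapsed."""
        purged: List[str] = []
        for acct in self.accounts.values():
            due = self.purge_due(acct)
            if due is None or acct.purged or today < due:
                continue
            if acct.legal_hold:
                # 33(2): keep everything for as long as the constable or authority requires
                continue
            acct.documents.clear()   # uploaded data goes with the rest of the identifiable data
            acct.purged = True
            purged.append(acct.account_id)
        return purged


if __name__ == "__main__":
    store = RetentionStore()
    store.add(Account("acc-1", "h-1", ["passport.jpg"]))  # constructed sample record
    store.mark_deleted("acc-1", date(2021, 1, 1))
    print("re-register allowed:", store.can_register("h-1"))
    print("purge due:", store.purge_due(store.accounts["acc-1"]))
    print("purged on 2031-01-01:", store.run_purge(date(2031, 1, 1)))
```

The job is idempotent (an account is purged once) and the hold check is evaluated on every run, so lifting a hold after the due date causes the next run to purge. Whether the blocked-identifier hash should itself survive the purge is a policy decision; here it is kept because it is the minimum needed to honour the "cannot register again" flag.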

==GDPR Article 17 Right To Erasure==

The Isle of Man is not a member of the European Union. Even though Isle of Man legislation specifically introduced the GDPR into law, the GDPR itself specifically allows for instances where Article 17 (right to erasure) conflicts with other legislation, even in member states.

In the case of Bittylicious, Isle of Man legislation is the only applicable law, namely the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015, as described above.

Bittylicious therefore not only has the right, but has an explicit duty under Isle of Man law, to retain these records for longer than companies which are not registered as a Designated Business might. It is unfortunate that the legislation does not explicitly set an upper limit of years for record retention. This being the case, Bittylicious follows common industry practice and retains records for 10 years, enabling it to comply fully with its anti-money laundering and counter-terrorism financing duties as a Designated Business.