Do We Need a Regulatory Reset for Data Retention?