I think this is a cover up for making it easier for government officials to get data about you. To protect your customers you should store as little personal data as possible and encrypt all other data such as e-mail and messages, so it only can be decrypted by the user's password or key, that you only have the hash for. And also inform your customers about he importance of strong passwords or using key's. I tried to create a Microsoft account the other day and the password was only allowed to have A-z0-9 characters, with four numbers. You can probably guess most peoples password by using their name plus the birth year of their child. So don't impose any rules other then length and a warning if the password hash is in the list of 100,000 most common passwords.