User Tools

Site Tools


Sidebar

Welcome to OMG-CBDC WG Wiki Provide Feedback

cbdc:public:cbdc_omg:04_doc:15_common:50_international:10_residency

4.6.1 Data Residency

According to the OMG Cloud Working Group's Discussion Paper on Data Residency1). The Data Residency issues from the Cloud Working Group Data Residency White Paper are summarized in Table 1 with each issue being given a unique number.

Table 1: A review of the Data Residency Issues the CBDC needs to address.
Data Residency Issue Number Description CBDC Explanation
DR01

Large multinational companies wish to consolidate data centers from multiple countries into a smaller set of locations (data center consolidation).

Although a U.S.-based CBDC is not a multinational company, it is, by nature, a multinational enterprise. A summary of the multinational nature of the CBDC found in OMG's CBDC WG White Paper Analysis follows:

1. B0036 and B0042 set as a “desirement” the preservation the dominance of the U.S. Dollar internationally
2. B0009, B0024, B0034, P0026 express the “need for speed”
3. B0027 expressed the need for trust and reliability
4. B0053 is resiliency
5. B0009, B0015, B0035, B0041 for the need of cross-border operations
6. D0009 to support foreign demand
DR02

Organizations migrate some of their services to the cloud or to a hosted solution managed by an outsourcing company located in another country. “Services” is a very broad term here, and risk arises simply if a remote backup solution stores the backup data in another country.

For the same reasons given in the explanation for DR01 above, the CBDC has an implied “desirement” for cloud-based data collection and the redundancy it offers. In addition, B0051, and D0011 both refer to data collection, which can cause Data Residency issues when data is from outside U.S. sources.

DR03

A Business Process Outsourcing (BPO) solution, or a managed helpdesk solution, causes agents in a different country to have access to protected information in order to perform the contracted service.

Figure 1 provides a list of the top services to outsource to third Party BPOs. Some of these are relatively benign in terms of data visibility by BPO employees. Other areas such as “Information Technology(IT)” and “Claims, eligibility, and appeals processing” might need to be addressed for any CBDC implantation.

Figure 1: Federal Managers report that BPO is used for a wide range of services2)
DR04

Employees travel across borders, carrying sensitive data with them on their laptops and smartphones.

For the U.S. CBDC, it is not about employees traveling across borders as much as U.S.-based citizens and residents traveling across the border. Even if the people do not travel across the borders, their money may travel through international purchases and remittances.

For the CBDC, the Data Residency issues DR01, DR01 will cause issues if the CBDC obtains international usage and will probably reduce adoption of the U.S. Dollar which are among the stated desirements the Federal Reserve White Paper. See Table 1.

Table 1: International “desirements” specified in the Federal Reserve White Paper.
Statement No. Statement
B0036 Preserve the dominant international role of the U.S. dollar
B0041 Support streamlining cross-border payments
B0042 Preserve the dominant international role of the U.S. dollar

The level of risk to the CBDC mostly depends on several factors in how the design of the CBDC and the international laws and regulations that will ultimately cover the CBDC. The Cloud Working Group Data Residency White Paper identified four major risk areas which have relevance to the CBDC:

  1. Nature of the being gathered and stored by the CBDC
  2. Severity of the laws and regulations governing data in the jurisdiction where the data resides, passes through, or is being manipulated
  3. Nature of the services the CBDC will offer internationally
  4. Level of awareness (or ignorance) of the issues by international communities

The Cloud Working Group Data Residency White Paper (see Table 2) uses a series of Use-Cases to help explain how to classify data usage and when there might be Data Residency issues. The table lists each Use-Case and where it is being generated, stored, processed, routed, and finally accessed by the End User. In other words, the State of the Data:

Figure 2: Data Residency Use Case Matrix from the Cloud Working Group Data Residency White Paper.

Table 2 gives an explanation for the values in each of the cells in Figure 2.

Table 2: Where the data is stored (i.e., Data at Rest.)
In-country

Data is physically present within the boundaries of the jurisdiction in question. When this location is on the physical premises of the data custodian, it is equivalent to in-house

In-house

Data is present within the physical premises of the data custodian. Whether this is a single (computer) room, building or campus is not germane. What is germane is whether the storage, servers and network infrastructure are all privately controlled by the data custodian. As a specific case, if two locations are physically separate and connected by an Internet connection, this criterion would be violated. Examples of data sources that are in-country but not in-house are a well-site sensor on a private owner’s oil lease and an automatic teller machine (ATM) is in an International airport, on a ferry, or on a cruise ship.

External

One or more infrastructure components (storage, servers, network) are outside the jurisdiction in question. An example is a seismic vessel acquiring data within the territorial waters of a country. The acquisition process is being monitored by personnel physically within that country. The data is transmitted via satellite to a ground station located in another country (e.g., Russian Arctic via a Norwegian ground station, offshore Indonesia via a Singapore ground station, etc.) and then via the Internet to the company’s home country

1)
Cloud Standards Customer Council and the Object Management Group, Data Residency Challenges, May 2017, Accessed: 8 April 2022, https://www.omg.org/cloud/deliverables/CSCC-Data-Residency-Challenges.pdf
2)
Government Business Council, Inside Federal Outsourcing - A Candid Survey of Federal Managers, May 2015, Accessed: 8 April 2022, http://cdn.govexec.com/media/gbc/docs/gbc_government_outsourcing_report.pdf
cbdc/public/cbdc_omg/04_doc/15_common/50_international/10_residency.txt · Last modified: 2022/06/17 18:16 by terrance
Translations of this page: