DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. JP2020-011477, filed on 01/28/2020.
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1- 4 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claims 1,3 and 4 recites the limitation "the resource server”.  There is insufficient antecedent basis for this limitation in the claim.
Claim 2 fall together accordingly. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Gailloux et. al. ( US Patent No. 10733685 B1), hereinafter Gailloux,  in view of Veltman et. al. ( US Patent Application Publication No. 20190370487 A1), hereinafter Veltman.

Regarding claim 1, Gailloux  discloses  A non-transitory computer-readable storage medium storing a program that causes a processor included in an authorization server (fig. 1, block 122) to execute a process (Col. 2, lines 9-15,  In an embodiment, a confidential information release consent management system is disclosed. The system comprises a processor, a non-transitory memory, and an application stored in the non-transitory memory. When executed by the processor, the application causes the processor to …), the process comprising:
storing (Col. 7, lines 51-56, The third parties 110 and/or the third party applications 118 may send a consent record to the hub 122 and to the consent management application 124 when a user grants consent. The consent management application 124 may store the consent records in a data store 126.) an association relationship between a plurality of users who are owners of data, and a consent portal (Col.7, lines 58-62, In an embodiment, the consent record 140 comprises three or more of an information owner identity 142, a third party identity 144, a consent version identity 146, a consent text universal reference locator (URL) 148 (i.e. consent portal), a timestamp 150, and a consent time limit 152.) with which each of the plurality of users performs user registration (Col.7, lines 58-62,  Some of the third party applications 118 may prompt the user of the first UE 102a, for example during installation and/or during execution, to grant consent for the third party application 118 to access sensitive information, for example confidential information and/or private information. The user may be referred to as the owner of the confidential information and/or the owner of the private information. );
extracting a consent portal with which the target user performs user registration (Col. 9, lines 44-47, The consent management application 124 (or web application supporting the information owner consent management web page) may use the consent text URL 148 to retrieve (i.e. extracting) the text of the consent.);
controlling an access by the client to data in the resource server, in accordance with the obtained intention (Col. 10, lines 39-45, The consent monitor application 120 may determine a status of consents to grant access to or to release confidential information to the third party applications and take action in response to determining that the status of consent is not granted to grant access to or release confidential information that a third party application 118 has in fact attempted to access and/or release..).

Gailloux discloses a method of storing user information and consent portal information and controlling access to data based on consent information extracted from the consent portal. Gailloux fails to explicitly disclose receiving a data access consent request from a client and detecting the target user. 
However, Veltman teaches when consent of a user to access to data of a first condition is asked for by a client (Par. [0057], At 340, the information consent gatekeeper receives from the requesting retailer a request for access to the info. The requesting including the token and a specific element of the info. ), detecting a target user who is an owner of data that matches the first condition,  from the association relationship (Par. [0059], In an embodiment of 341 and at 342, the information consent gatekeeper maps a portion of the token to the user and maps another portion of the token to the specific consents permitted by the user for the requesting retailer.), and obtaining an intention of consent or non-consent to access to the data, from the target user by using the extracted consent portal (Par. [0061], At 350, the information consent gatekeeper returns from the privacy vault the specific element when the token includes a proper consent provided by the user for the requesting retailer for access to the specific element.); 
Gailloux and Veltman are analogous references to the claimed invention as they both pertain to a method of protecting  user data based on a consent given by the user. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the current invention to modify Gailloux using the teaching of Veltman. Such modification will allow detecting a user of a requested data and matching the user with a consent record. 

Regarding claim 2, the combination of Gailloux and Veltman teaches The non-transitory computer-readable storage medium according to claim 1, 
Gailloux  further discloses wherein the storing includes: 
obtaining consent portal information (Col. 7, lines 51-56,  The third parties 110 and/or the third party applications 118 may send (i.e. obtaining) a consent record to the hub 122 and to the consent management application 124 when a user grants consent. ) including a user identifier and a consent process Uniform Resource Locator (URL) when the user performs user registration with the consent portal (Col. 7, lines 57-62,  In an embodiment, the consent record 140 comprises three or more of an information owner identity 142, a third party identity 144, a consent version identity 146, a consent text universal reference locator (URL) 148, a timestamp 150, and a consent time limit 152.), the user identifier identifies a user in the consent portal (Col. 7, lines 62-65, The information owner identity 142 may be one or more of a phone number (e.g., mobile phone number), a name, an address, or an account number of the information owner), the consent process URL is used when the intention is obtained by using the consent portal (Col. 8, lines 22-24, The consent text URL 148 may be a link that provides a way for accessing the text of the consent that the user granted.), and 
storing (Col. 7, lines 51-56, The third parties 110 and/or the third party applications 118 may send a consent record to the hub 122 and to the consent management application 124 when a user grants consent. The consent management application 124 may store the consent records in a data store 126.) the user identifier and the consent process URL as the association relationship (Col.7, lines 58-62, In an embodiment, the consent record 140 comprises three or more of an information owner identity 142, a third party identity 144, a consent version identity 146, a consent text universal reference locator (URL) 148 , a timestamp 150, and a consent time limit 152.).  

Regarding claim 3, the combination of Gailloux and Veltman teaches the non-transitory computer-readable storage medium according to claim 2, 
Gailloux  further discloses, wherein the consent portal information is acquired from the user via the resource server (Col. 12, lines 16-22, The method 200 may be executed by a consent management hub 122 or a consent management hub server. At block 202, consent records from third parties are received (e.g., received by the consent management hub server), wherein each consent record relates to a consent by a consenting party to release confidential information to the third party ).  

Regarding claim 5, A data access control method (Col. 2, lines 36-38, In an embodiment, a method of a consent management hub server managing records of consent to release confidential information to third parties is disclosed) comprising: 
Storing (Col. 7, lines 51-56, The third parties 110 and/or the third party applications 118 may send a consent record to the hub 122 and to the consent management application 124 when a user grants consent. The consent management application 124 may store the consent records in a data store 126.) an association relationship between a plurality of users who are owners of data, and a consent portal (Col.7, lines 58-62, In an embodiment, the consent record 140 comprises three or more of an information owner identity 142, a third party identity 144, a consent version identity 146, a consent text universal reference locator (URL) 148 (i.e. consent portal), a timestamp 150, and a consent time limit 152.) with which each of the plurality of users performs user registration (Col.7, lines 58-62,  Some of the third party applications 118 may prompt the user of the first UE 102a, for example during installation and/or during execution, to grant consent for the third party application 118 to access sensitive information, for example confidential information and/or private information. The user may be referred to as the owner of the confidential information and/or the owner of the private information. );
extracting a consent portal with which the target user performs user registration, from the association relationship (Col. 9, lines 44-47, The consent management application 124 (or web application supporting the information owner consent management web page) may use the consent text URL 148 to retrieve (i.e. extracting) the text of the consent.);
controlling an access by the client to data in the resource server, in accordance with the obtained intention (Col. 10, lines 39-45, The consent monitor application 120 may determine a status of consents to grant access to or to release confidential information to the third party applications and take action in response to determining that the status of consent is not granted to grant access to or release confidential information that a third party application 118 has in fact attempted to access and/or release..).

Gailloux discloses a method of storing user information and consent portal information and controlling access to data based on consent information extracted from the consent portal. Gailloux fails to explicitly disclose receiving a data access consent request from a client and detecting the target user. 
However, Veltman teaches detecting a target user who is an owner of data that matches the first condition (Par. [0059], In an embodiment of 341 and at 342, the information consent gatekeeper maps a portion of the token to the user and maps another portion of the token to the specific consents permitted by the user for the requesting retailer.) when consent of a user to access to data of a first condition is asked for by a client (Par. [0057], At 340, the information consent gatekeeper receives from the requesting retailer a request for access to the info. The requesting including the token and a specific element of the info. ); 
obtaining an intention of consent or non-consent to access to the data, from the target user by using the extracted consent portal (Par. [0061], At 350, the information consent gatekeeper returns from the privacy vault the specific element when the token includes a proper consent provided by the user for the requesting retailer for access to the specific element.); 
Gailloux and Veltman are analogous references to the claimed invention as they both pertain to a method of protecting  user data based on a consent given by the user. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the current invention to modify Gailloux using the teaching of Veltman. Such modification will allow detecting a user of a requested data and matching the user with a consent record. 

Regarding claim 6, A authorization server comprising:
 a memory configured to Store (Col. 7, lines 51-56, The third parties 110 and/or the third party applications 118 may send a consent record to the hub 122 and to the consent management application 124 when a user grants consent. The consent management application 124 may store the consent records in a data store 126.) an association relationship between a plurality of users who are owners of data, and a consent portal (Col.7, lines 58-62, In an embodiment, the consent record 140 comprises three or more of an information owner identity 142, a third party identity 144, a consent version identity 146, a consent text universal reference locator (URL) 148 (i.e. consent portal), a timestamp 150, and a consent time limit 152.) with which each of the plurality of users performs user registration (Par. [0052],  Some of the third party applications 118 may prompt the user of the first UE 102a, for example during installation and/or during execution, to grant consent for the third party application 118 to access sensitive information, for example confidential information and/or private information. The user may be referred to as the owner of the confidential information and/or the owner of the private information. ), the data being stored a resource server (Col. 2, lines 36-38, The method further comprises storing the consent records by the consent management hub server in a data store );  
a processor configured to: 
extract a consent portal with which the target user performs user registration, from the association relationship (Col. 9, lines 44-47, The consent management application 124 (or web application supporting the information owner consent management web page) may use the consent text URL 148 to retrieve (i.e. extracting) the text of the consent.);
control an access by the client to data in the resource server, in accordance with the obtained intention (Col. 10, lines 39-45, The consent monitor application 120 may determine a status of consents to grant access to or to release confidential information to the third party applications and take action in response to determining that the status of consent is not granted to grant access to or release confidential information that a third party application 118 has in fact attempted to access and/or release..).

Gailloux discloses a method of storing user information and consent portal information and controlling access to data based on consent information extracted from the consent portal. Gailloux fails to explicitly disclose receiving a data access consent request from a client and detecting the target user. 
However, Veltman teaches when consent of a user to access to data of a first condition is asked for by a client (Par. [0057], At 340, the information consent gatekeeper receives from the requesting retailer a request for access to the info. The requesting including the token and a specific element of the info. ), detect a target user who is an owner of data that matches the first condition (Par. [0059], In an embodiment of 341 and at 342, the information consent gatekeeper maps a portion of the token to the user and maps another portion of the token to the specific consents permitted by the user for the requesting retailer.), 
obtain an intention of consent or non-consent to access to the data, from the target user by using the extracted consent porta (At 350, the information consent gatekeeper returns from the privacy vault the specific element when the token includes a proper consent provided by the user for the requesting retailer for access to the specific element.); and 22Fujitsu Ref. No.: 19-01685 
Gailloux and Veltman are analogous references to the claimed invention as they both pertain to a method of protecting  user data based on a consent given by the user. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the current invention to modify Gailloux using the teaching of Veltman. Such modification will allow detecting a user of a requested data and matching the user with a consent record. 

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Gailloux in view of Veltman and further in view of Reimers et. al. ( US Patent Application Publication No. 20200159957 A1), hereinafter Reimers.

Regarding claim 4, the combination of Gailloux and Veltman teaches The non-transitory computer-readable storage medium according to claim 1. 
The combination teaches a method of communication between third parties and resource server in order to access user data based on consent. The combination fails to specify the protocols used in the communication. 
However, Reimers teaches wherein User-Managed Access (UMA) is used as a protocol in communication with both or one of the resource server and the consent portal  (Par. [0150], The method 110 for exchange of health data may use the server system 136 comprising authentication unit 120, authorization unit 126 and data server 124 which may form a federation or distributed network. For user access the method 110 may use the HEART standards, specifically OpenID Connect to identify users, OAuth 2.0 to delegate access to trusted applications and UMA to control who can access the data.).  
UMA is a standard protocol which gives users the ability to control access to resources by based on their preferences . Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gailloux and Veltman in claim 1 using the teaching of Reimers to gain the advantages of using UMA protocol mentioned above. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Canning (U.S Patent Application Publication No. US 20140337914 A1) teaches a method of granting access to third party entities based on data owner’s previous authorization and classifying third party entities and applying policies.
Whitfield (U.S Patent No. 9934544 B1) teaches a method of requesting and obtaining consent, agreeing to provide consent, declining to provide consent, preemptively providing or declining consent without a consent request, verifying identities of individual users, verifying users' capacity to consent, and the like in a social networking platform.

 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 7:30 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application
Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 4122

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496