DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/22/22 has been entered.

Response to Amendment
The amendment filed on 07/22/22 has been entered. Claims 1-20 remain pending in the application.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Independent claim 1 recites a method comprising: determining, by a computing device, database metadata for a plurality of databases; generating a database metadata table comprising the database metadata for each database of the plurality of databases; determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request.
The limitations of determining, …, database metadata for a plurality of databases; determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data…, as drafted, are processes that, under their broadest reasonable interpretation, cover mental processes but from the recitation of implementing them on generic computer components. That is, other than reciting “by a computing device,” nothing in the claim element precludes the steps from practically being performed in the mind. For example, but for the “by a computing device” language, the “determining…database metadata…”, “generating a database metadata table…”, “determining, based on one or more metadata rules…” and “determining, based on the jurisdictional requirement…” steps encompass the user observing displayed data/metadata of databases and mentally determining database metadata for the plurality of databases, and judging if the database, based on the table and jurisdictional requirements contains personal information associated with a particular jurisdiction. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, claim 1 recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional element of – by a computing device; …responsive to a request associated with a requesting party; generating a database metadata table comprising the database metadata for each database of the plurality of databases; and sending a notification indicative of the PI-associated data responsive to the request. The computing device is recited at a high-level of generality (i.e., as a generic computer device performing generic computer functions of receiving data and generating tables). The limitations, …responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request are directed to insignificant extra-solution activity. This claim does not include any other additional elements. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element only recites generic computing components. The limitations, …responsive to a request associated with a requesting party; generating a database metadata table comprising the database metadata for each database of the plurality of databases; and sending a notification indicative of the PI-associated data responsive to the request are insignificant extra-solution activity and are mere data gathering steps. That is, these limitations represent well-understood, routine, conventional activity in the field of data storage and retrieval and are merely directed to the well-understood, routine, conventional activity of storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015). Therefore, these additional elements are not sufficient to overcome the essentially mental nature of this claim. Accordingly, claim 1 is not patent eligible.
Independent claim 8 recites a method comprising: receiving, by a computing device via a plurality of collectors, database metadata associated with a plurality of databases, wherein each collector of the plurality of collectors retrieves database metadata from at least one database of the plurality of databases; generating, based on aggregated database metadata, a database metadata table, wherein the aggregated database metadata comprises the database metadata associated with the plurality of databases; determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request.
The limitations of determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data…, as drafted, are processes that, under their broadest reasonable interpretation, cover mental processes but from the recitation of implementing them on generic computer components. That is, other than reciting “by a computing device,” nothing in the claim element precludes the steps from practically being performed in the mind. For example, the “determining, based on one or more metadata rules…” and “determining, based on the jurisdictional requirement…” steps encompass the user observing displayed data/metadata of databases and mentally determining database metadata for the plurality of databases, and judging if the database, based on the table and jurisdictional requirements contains personal information associated with a particular jurisdiction. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, claim 8 recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of – receiving, by a computing device via a plurality of collectors, database metadata associated with a plurality of databases, wherein each collector of the plurality of collectors retrieves database metadata from at least one database of the plurality of databases; generating, based on aggregated database metadata, a database metadata table, wherein the aggregated database metadata comprises the database metadata associated with the plurality of databases; …responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request. The computing device, collectors, at least one database of the plurality of databases and plurality of databases are recited at a high-level of generality (i.e., as a generic computer devices performing generic computer functions of receiving data and generating tables). The additional elements of receiving, by a computing device via a plurality of collectors, database metadata associated with a plurality of databases, wherein each collector of the plurality of collectors retrieves database metadata from at least one database of the plurality of databases; …responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request represent insignificant extra-solution activities to the judicial exception and are mere data gathering steps. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of receiving, by a computing device via a plurality of collectors, database metadata associated with a plurality of databases, wherein each collector of the plurality of collectors retrieves database metadata from at least one database of the plurality of databases; generating, based on aggregated database metadata, a database metadata table, wherein the aggregated database metadata comprises the database metadata associated with the plurality of databases; …responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request, which are mere data gathering steps, represents a well-understood, routine, conventional activity previously known to the industry and are specified at a high level of generality. That is, these limitations represent well-understood, routine, conventional activity in the field of data storage and retrieval and are merely directed to the well-understood, routine, conventional activity of storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015). This additional element is not sufficient to overcome the essentially mental nature of these claims, as they recite the use of existing database technology as mere tools of conventional receiving of data and generating of tables. Accordingly, claim 8 is not patent eligible.
Independent claim 15 recites a method comprising: receiving, by a computing device in communication with at least one database, database metadata for the at least one database; generating, based on the database metadata, a database metadata table comprising one or more of a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions associated with the at least one database; determining, based on one or more character patterns, at least one column name of the plurality of column names, at least one column attribute datatype of the plurality of column attribute datatypes, or at least one column description of the plurality of column descriptions associated with personal information (PI); determining, based on a jurisdictional requirement and a portion of the database metadata table associated with the PI for a jurisdiction, that a database of a plurality of databases comprises PI-associated data responsive to a request associated with a requesting party, wherein the jurisdictional requirement defines the PI for the jurisdiction; and sending a notification indicative of the PI-associated data responsive to the request.
The limitations of receiving,…, database metadata for the at least one database; determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data…, as drafted, are processes that, under their broadest reasonable interpretation, cover mental processes but from the recitation of implementing them on generic computer components. That is, other than reciting “by a computing device,” nothing in the claim element precludes the steps from practically being performed in the mind. For example, but for the “by a computing device” language, the “determining…database metadata…”, “generating a database metadata table…”, “determining, based on one or more metadata rules…” and “determining, based on the jurisdictional requirement…” steps encompass the user observing displayed data/metadata of databases and mentally determining database metadata for the plurality of databases, and judging if the database, based on the table and jurisdictional requirements contains personal information  associated with a particular jurisdiction. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, claim 15 recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional element of – …by a computing device in communication with at least one database…; …responsive to a request associated with a requesting party; generating, based on the database metadata, a database metadata table comprising one or more of a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions associated with the at least one database; and sending a notification indicative of the PI-associated data responsive to the request. The computing device is recited at a high-level of generality (i.e., as a generic computer device performing generic computer functions of receiving data and generating tables). The limitations, …responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request are directed to insignificant extra-solution activity. This claim does not include any other additional elements. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element only recites generic computing components. The limitations, …responsive to a request associated with a requesting party; generating, based on the database metadata, a database metadata table comprising one or more of a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions associated with the at least one database; and sending a notification indicative of the PI-associated data responsive to the request are insignificant extra-solution activity and are mere data gathering steps. That is, these limitations represent well-understood, routine, conventional activity in the field of data storage and retrieval and are merely directed to the well-understood, routine, conventional activity of storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015). Therefore, these additional elements are not sufficient to overcome the essentially mental nature of this claim. Accordingly, claim 15 is not patent eligible.
Claims 2-7, 9-14, 16-20 depend on claims 1, 8, 15 and include all the limitations of claims 1, 8, 15. Therefore, claims 2-7, 9-14, 16-19 recite the same abstract idea of determining if data contains PII practically being performed in the mind, and the analysis must therefore proceed to Step 2A Prong Two. 
Claims 2-3, 6-7, 9-10, 14, 16-17 similarly recite additional limitations pertaining to the database metadata table and the determining of personal information based on patterns within them. These additional elements represent further mental process steps of mentally determining information from specific information in a database metadata table. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. This additional step is considered an abstract idea (mental process step) and does not integrate the judicial exception into a practical application. Accordingly, claims 2-3, 6-7, 9-10, 13-14, 16-17 further recite the abstract idea and are ineligible.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements further represent the mental process step of mentally determining information from specific information in a database metadata table. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. This additional step is considered an abstract idea (mental process step) and does not integrate the judicial exception into a practical application. Further recitation of the abstract idea (mental process step) is not sufficient to amount to significantly more than the judicial exception. Claims 2-3, 6-7, 9-10, 13-14, 16-17 are not patent eligible.
Claims 4, 13, 18 similarly recite the additional limitations pertaining to determining that a database comprises data responsive to a request by determining a jurisdictional requirement based on the jurisdiction associated with a requesting party indicated by the request. Therefore, this additional step is considered an abstract idea (mental process step) and does not integrate the judicial exception into a practical application. That is, a person could mentally judge a likely jurisdictional requirement of a request, such as based on where the request came from (granted that this information was already available) and the data that is attempting to retrieve. Accordingly, claims 4, 13, 18 recite an abstract idea and are ineligible.
The limitations pertaining to determining that a database comprises data responsive to a request by determining a jurisdictional requirement based on the jurisdiction associated with a requesting party indicated by the request, as drafted, recite a process that, under their broadest reasonable interpretation, merely covers a mental process because they can be accomplished within the human mind, and therefore, falls within the “Mental Processes” grouping of abstract ideas. Accordingly, claims 4, 13, 18 further recites an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. Accordingly, these additional elements does not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Therefore, there are no additional elements that are not sufficient to overcome the essentially mental nature of these claims.
Claims 5, 12, 19-20 similarly recite additional limitations pertaining to connecting to databases and receiving/storing information from them. These additional limitations do not integrate the abstract idea into a practical application and merely represent insignificant extra-solution activities to the judicial exception. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, The additional elements represent well-understood, routine, conventional activity previously known to the industry and are specified at a high level of generality. That is, these limitations represent well-understood, routine, conventional activity in the field of data storage and retrieval and are merely directed to the well-understood, routine, conventional activity of storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93. Therefore, the additional elements are not sufficient to overcome the essentially mental nature of these claims, as they recite the use of existing database technology as mere tools of conventional data gathering and generating of database tables.
Claim 11 recites additional limitations pertaining to databases and collectors. These additional limitations merely describe generic computing components for practicing the claimed invention. That is, these limitations are recited at a high-level of generality (i.e., as a generic computer components/devices performing generic computer functions of receiving data and generating tables).
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. That is, the implementation of an abstract idea using generic computers components would not integrate it into a practical application.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 8-13 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy (US 2017/0264619) in view of Palop (US 2021/0084109) and further in view of Barday (US 2019/0179799).	
Regarding claim 1, Narayanaswamy discloses:
A method comprising: determining, by a computing device, database metadata for a plurality of databases at least by ([0136] “Independent Data Store: As used herein, a hosted service or a cloud service or a cloud application or a cloud storage provider or a cloud storage application or a cloud computing service (CCS) is referred to as an “independent data store”, and vice-versa.” [0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140”) and the database metadata associated for a plurality of databases is the content metadata from different cloud services;
generating a database metadata table comprising the database metadata for each database of the plurality of databases at least by ([0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140” [0165] “the gathered content metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by the cloud services 140. Non-structured data, such as free text, can also be provided by, and targeted back to, the cloud services 140. Both structured and non-structured data are capable of being aggregated by the inspective analyzer 194. For instance, the assembled metadata is stored in a semi-structured data format” [0179] “After the object metadata is extracted, it is organized into data sets and stored as lists, tuples, dictionaries, tables, and/or sets in metadata store 196, according to one implementation.”) and the determining of the database metadata table is the organizing and storing of the extracted and aggregated metadata as tables;
Narayanaswamy fails to disclose “determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request”
However, Palop teaches the following limitations, determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI) at least by ([0009] “A typical example of a service mesh includes a data plane and control plane. Services are operably coupled to the service mesh to send communications in the form of requests between the services. Data flows between services in the data plane” [0010] “The control plane calls the content management system and verifies the metadata applied to the privacy policy to determine whether the request may be completed, such as whether data from one server located in the EU can be transferred to a server located in the U.S. based on a privacy policy linked to GDPR. The control plane enforces an action regarding the data transfer based on the privacy policy” [0017] “The content management system 200, in the example, can include a service that extends the control plane 218 and stores and retrieves metadata about the data records in the datasets 224, 226. For example, the metadata can include location information about the datasets 224, 226 and privacy policy related metadata about each data record. The metadata repository 204 can be configured as a key value store that includes the metadata about the data records in the datasets 224, 226. In one example, the key can be the record identifier, or record ID, which can correspond with a data record in the datasets 224, 226. The value can include the metadata about each data record.” [0018] “A data regulation, such as the examples of HIIPA, SOX, and GDPR, can be implemented as a privacy policy 206 that is stored and executed at the control plane 218 along with general policies. The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204. The action can be provided to the control plane 218 and enforced.” [0018] “The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204” [0020] “the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country. The control plane 218 could receive an intercepted request from the data plane 228 in which the attributes and context of the request implicate the privacy policy 206, such as origination and destination information.” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy”) and the portion of the metadata table associated with the PI is the metadata that is looked up in metadata repository using a key or record ID, wherein the metadata associated with the key/record ID that is looked can specify a jurisdiction of a data record,
wherein the jurisdictional requirement defines the PI for the jurisdiction at least by ([0020] “In another example, the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy. For instance, a record have a selected type of data may not be implicated unless a particular type of jurisdiction has a regulation on that type of data.”);
determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, … PI-associated data responsive to a request associated with a requesting party at least by ([0009] “A typical example of a service mesh includes a data plane and control plane. Services are operably coupled to the service mesh to send communications in the form of requests between the services. Data flows between services in the data plane” [0010] “The control plane calls the content management system and verifies the metadata applied to the privacy policy to determine whether the request may be completed, such as whether data from one server located in the EU can be transferred to a server located in the U.S. based on a privacy policy linked to GDPR. The control plane enforces an action regarding the data transfer based on the privacy policy” [0016] “The illustrated services 214, 216 can include service datasets 224, 226, respectively, which include data records for use by service calls that may be transferred to other services via requests.” [0017] “The metadata repository 204 can be configured as a key value store that includes the metadata about the data records in the datasets 224, 226. In one example, the key can be the record identifier, or record ID, which can correspond with a data record in the datasets 224, 226. The value can include the metadata about each data record.” [0018] “A data regulation, such as the examples of HIIPA, SOX, and GDPR, can be implemented as a privacy policy 206 that is stored and executed at the control plane 218 along with general policies. The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204. The action can be provided to the control plane 218 and enforced.” [0018] “The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204” [0020] “the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country. The control plane 218 could receive an intercepted request from the data plane 228 in which the attributes and context of the request implicate the privacy policy 206, such as origination and destination information.” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy”) and the metadata engine verifies the metadata applied to the privacy policy to determine whether the request may be completed between the disparate services; further, the requesting party is the service that initiated the request to another service.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Palop into the teaching of Narayanaswamy because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in Narayanaswamy to further include the centralized policy management enforcement as in Palop in order “to allow for more direct policy reactions and updates to changes in the regulations and for consistency across the application” (Palop, [0011]).
Narayanaswamy, Palop fail to disclose “determining, based on the jurisdictional requirement …, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request”
However, Barday teaches the following limitations, determining, based on the jurisdictional requirement …, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”);
and sending a notification indicative of the PI-associated data responsive to the request at least by ([0320] “the system is configured to route one or more pieces of data to the local storage node that the system retrieved in response to receiving the request (e.g., one or more pieces of information associated with data collect, stored and/or processed about the data subject)”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Barday into the teaching of Narayanaswamy, Palop because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the processing of requests for private data based on the jurisdiction of the subject that made the request so that the system ensures that any legal requirements, such as those mandates by state, local, or federal government, are not violated by providing private data to unauthorized parties.
As per claim 2, claim 1 is incorporated, Narayanaswamy further discloses:
wherein the database metadata table comprises one or more of a plurality of data table names, a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions at least by ([0165 “the assembled metadata is stored in a semi-structured data format like a JSON (JavaScript Option Notation), BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consists of string fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, objects, etc” and Fig. 13 which shows an example metadata table that comprises at least a plurality of column names and a plurality of column attribute datatypes).
As per claim 3, claim 2 is incorporated, Palop further discloses:
wherein the portion of the database metadata table comprises one or more of a data table name of the plurality of data table names, a column name of the plurality of column names, a column attribute datatype of the plurality of column attribute datatypes, or a column description of the plurality of column descriptions associated with PI at least by ([0022] “Granularity of the metadata properties can vary from the entire dataset 224, 226 to each individual data field in the datasets. In one example, each service 212 can manage a dataset of a specific type. In this example, each dataset 224, 226 can include a data of the similar type, such as data type and jurisdiction type. The data records in each dataset 224, 226 in this example can thus include the same metadata properties”) and the metadata properties can be specified at the field-level corresponding to similar or different data types.
As per claim 4, claim 1 is incorporated, Barday further discloses:
wherein determining that the database of the plurality of databases comprises the PI-associated data responsive to the request comprises: determining, based on a residence associated with the requesting party indicated by the request, the jurisdictional requirement; determining, based on the jurisdictional requirement, the database comprising the PI- associated data responsive to the request at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”).
As per claim 6, claim 1 is incorporated, Palop further discloses:
wherein the one or more database metadata rules comprise one or more character patterns indicative of PI at least by ([0006] “Each data set may be subjected to specific rules depending on whether the data includes, for example, personal data, Personal Identifiable Information (PII), Personal Credit Information (PCI), or personal health information… some data records such as name or date of birth for European citizens might not be allowed to be stored on servers outside of the European Union” [0018] “The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204.” [0020] “The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country.”).
Regarding claim 8, Narayanaswamy discloses:
A method comprising: receiving, by a computing device via a plurality of collectors, database metadata associated with a plurality of databases, wherein each collector of the plurality of collectors retrieves database metadata from at least one database of the plurality of databases at least by ([0136] “Independent Data Store: As used herein, a hosted service or a cloud service or a cloud application or a cloud storage provider or a cloud storage application or a cloud computing service (CCS) is referred to as an “independent data store”, and vice-versa.” [0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140”) and the plurality of collectors are the heterogeneous instances of listeners while the database metadata associated with the plurality of databases is the content metadata from different cloud services;
generating based on aggregated database metadata, a database metadata table, wherein the aggregated database metadata comprises the database metadata associated with the plurality of databases at least by ([0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140” [0165] “the gathered content metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by the cloud services 140. Non-structured data, such as free text, can also be provided by, and targeted back to, the cloud services 140. Both structured and non-structured data are capable of being aggregated by the inspective analyzer 194. For instance, the assembled metadata is stored in a semi-structured data format” [0179] “After the object metadata is extracted, it is organized into data sets and stored as lists, tuples, dictionaries, tables, and/or sets in metadata store 196, according to one implementation.”) and the analyzer module is the inspective analyzer 194 which includes a data aggregator while the aggregated database metadata is the gathered/aggregated content metadata;
Narayanaswamy fails to disclose “determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI), wherein the jurisdictional requirement defines the PI for the jurisdiction; determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request”
However, Palop teaches the following limitations, determining, based on one or more database metadata rules associated with a jurisdictional requirement for a jurisdiction, a portion of the database metadata table associated with personal information (PI) at least by ([0009] “A typical example of a service mesh includes a data plane and control plane. Services are operably coupled to the service mesh to send communications in the form of requests between the services. Data flows between services in the data plane” [0010] “The control plane calls the content management system and verifies the metadata applied to the privacy policy to determine whether the request may be completed, such as whether data from one server located in the EU can be transferred to a server located in the U.S. based on a privacy policy linked to GDPR. The control plane enforces an action regarding the data transfer based on the privacy policy” [0017] “The content management system 200, in the example, can include a service that extends the control plane 218 and stores and retrieves metadata about the data records in the datasets 224, 226. For example, the metadata can include location information about the datasets 224, 226 and privacy policy related metadata about each data record. The metadata repository 204 can be configured as a key value store that includes the metadata about the data records in the datasets 224, 226. In one example, the key can be the record identifier, or record ID, which can correspond with a data record in the datasets 224, 226. The value can include the metadata about each data record.” [0018] “A data regulation, such as the examples of HIIPA, SOX, and GDPR, can be implemented as a privacy policy 206 that is stored and executed at the control plane 218 along with general policies. The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204. The action can be provided to the control plane 218 and enforced.” [0018] “The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204” [0020] “the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country. The control plane 218 could receive an intercepted request from the data plane 228 in which the attributes and context of the request implicate the privacy policy 206, such as origination and destination information.” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy”) and the portion of the metadata table associated with the PI is the metadata that is looked up in metadata repository using a key or record ID, wherein the metadata associated with the key/record ID that is looked can specify a jurisdiction of a data record,
wherein the jurisdictional requirement defines the PI for the jurisdiction at least by ([0020] “In another example, the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy. For instance, a record have a selected type of data may not be implicated unless a particular type of jurisdiction has a regulation on that type of data.”);
determining, based on the jurisdictional requirement and the portion of the database metadata table associated with the PI for the jurisdiction, … PI-associated data responsive to a request associated with a requesting party at least by ([0009] “A typical example of a service mesh includes a data plane and control plane. Services are operably coupled to the service mesh to send communications in the form of requests between the services. Data flows between services in the data plane” [0010] “The control plane calls the content management system and verifies the metadata applied to the privacy policy to determine whether the request may be completed, such as whether data from one server located in the EU can be transferred to a server located in the U.S. based on a privacy policy linked to GDPR. The control plane enforces an action regarding the data transfer based on the privacy policy” [0016] “The illustrated services 214, 216 can include service datasets 224, 226, respectively, which include data records for use by service calls that may be transferred to other services via requests.” [0017] “The metadata repository 204 can be configured as a key value store that includes the metadata about the data records in the datasets 224, 226. In one example, the key can be the record identifier, or record ID, which can correspond with a data record in the datasets 224, 226. The value can include the metadata about each data record.” [0018] “A data regulation, such as the examples of HIIPA, SOX, and GDPR, can be implemented as a privacy policy 206 that is stored and executed at the control plane 218 along with general policies. The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204. The action can be provided to the control plane 218 and enforced.” [0018] “The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204” [0020] “the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country. The control plane 218 could receive an intercepted request from the data plane 228 in which the attributes and context of the request implicate the privacy policy 206, such as origination and destination information.” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy”) and the metadata engine verifies the metadata applied to the privacy policy to determine whether the request may be completed between the disparate services; further, the requesting party is the service that initiated the request to another service.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Palop into the teaching of Narayanaswamy because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in Narayanaswamy to further include the centralized policy management enforcement as in Palop in order “to allow for more direct policy reactions and updates to changes in the regulations and for consistency across the application” (Palop, [0011]).
Narayanaswamy, Palop fail to disclose “determining, based on the jurisdictional requirement …, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party; and sending a notification indicative of the PI-associated data responsive to the request”
However, Barday teaches the following limitations, determining, based on the jurisdictional requirement …, that a database of the plurality of databases comprises PI-associated data responsive to a request associated with a requesting party at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”);
and sending a notification indicative of the PI-associated data responsive to the request at least by ([0320] “the system is configured to route one or more pieces of data to the local storage node that the system retrieved in response to receiving the request (e.g., one or more pieces of information associated with data collect, stored and/or processed about the data subject)”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Barday into the teaching of Narayanaswamy, Palop because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the processing of requests for private data based on the jurisdiction of the subject that made the request so that the system ensures that any legal requirements, such as those mandates by state, local, or federal government, are not violated by providing private data to unauthorized parties.
As per claim 9, claim 8 is incorporated, Narayanaswamy further discloses:
wherein the database metadata table comprises one or more of a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions at least by ([0165 “the assembled metadata is stored in a semi-structured data format like a JSON (JavaScript Option Notation), BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consists of string fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, objects, etc” and Fig. 13 which shows an example metadata table that comprises at least a plurality of column names and a plurality of column attribute datatypes).
As per claim 10, claim 8 is incorporated, Palop further discloses:
wherein the portion of the database metadata table comprises one or more of a column name of the plurality of column names, a column attribute datatype of the plurality of column attribute datatypes, or a column description of the plurality of column descriptions associated with PI at least by ([0022] “Granularity of the metadata properties can vary from the entire dataset 224, 226 to each individual data field in the datasets. In one example, each service 212 can manage a dataset of a specific type. In this example, each dataset 224, 226 can include a data of the similar type, such as data type and jurisdiction type. The data records in each dataset 224, 226 in this example can thus include the same metadata properties”) and the metadata properties can be specified at the field-level corresponding to similar or different data types.
As per claim 11, claim 8 is incorporated, Narayanaswamy further discloses:
wherein the plurality of databases comprises one or more database types, and wherein each collector of the plurality of collectors is associated with a database type of one or more database types at least by ([0163] details the aggregating data by heterogeneous instances of listeners, [0171] “Because metadata analyzed by inspective analyzer 194 are not homogenous (e.g., there are many different sources in many different formats), certain implementations employ at least one metadata parser per cloud service, and in some cases more than one.”) and the different sources/cloud services are in many different formats which are each associated with a different parser which analyzes the incoming metadata from the heterogeneous listeners as mentioned in [0163].
As per claim 12, claim 8 is incorporated, Narayanaswamy further discloses:
wherein generating the database metadata table comprises: aggregating the database metadata associated with the plurality of databases; and generating based on the aggregated database metadata, the database metadata table at least by ([0165] “the gathered content metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by the cloud services 140. Non-structured data, such as free text, can also be provided by, and targeted back to, the cloud services 140. Both structured and non-structured data are capable of being aggregated by the inspective analyzer 194. For instance, the assembled metadata is stored in a semi-structured data format” [0179] “After the object metadata is extracted, it is organized into data sets and stored as lists, tuples, dictionaries, tables, and/or sets in metadata store 196, according to one implementation.”).
As per claim 13, claim 8 is incorporated, Barday further discloses:
wherein determining that the database of the plurality of databases comprises the PI-associated data responsive to the request comprises: determining, based on a residence  associated with the requesting party indicated by the request, the jurisdictional requirement|; and determining, based on the jurisdictional requirement, the database comprising the PI-associated data responsive to the request at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy (US 2017/0264619) in view of Palop (US 2021/0084109) and Barday (US 2019/0179799) and further in view of Enuka (US 2020/0050966).
As per claim 5, claim 1 is incorporated, Narayanaswamy, Palop, Barday fail to disclose “wherein determining the database metadata for the plurality of databases comprises: establishing, by each of a plurality of collectors, a communication session with at least one database of the plurality of databases, wherein each collector of the plurality of collectors is associated with a database; and receiving, by each collector of the plurality of collectors, the database metadata for the at least one database of the plurality of databases”
However, Enuka teaches the above limitations at least by ([0053] “As discussed above, as potential personal information is found in a data source, the system may add the finding to a personal information findings file along with any relevant metadata. Accordingly, the personal information findings file may comprise any number of personal information findings and metadata associated with such findings.” [0189]-[0193] discloses the connecting and scanning of each type of scanner (collector) of a plurality of scanners to each type of data source, [0194] “Generally, the system may be configured to scan multiple data sources of multiple types (e.g. Hadoop Server 1, Hadoop Server 2, Fileshare 1, Fileshare 2 and so on). In one embodiment, each type of data source may be scanned by a scanner 1350 specifically adapted to scan that type of data source.”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Enuka into the teaching of Narayanaswamy, Palop, Barday because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the database-specific scanners as in Enuka in order to allow the system to quickly ingest and understand data from many different databases in various different formats.

Claims 7, 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy (US 2017/0264619) in view of Palop (US 2021/0084109) and Barday (US 2019/0179799) and further in view of Joshi (US 2020/0125746).
As per claim 7, claim 6 is incorporated, Narayanaswamy, Palop, Barday fail to disclose “wherein generating the portion of the database metadata table associated with PI comprises: determining at least one portion of the database metadata table that comprises one or more of a column name, a column attribute datatype, or a column description that matches the one or more character patterns”
However, Joshi teaches the above limitations at least by ([0060] “Sensitive data may include, but is not limited to, personal credit information (PCI), personal identifying information (PII), personal health information (PHI), trade secrets, and/or other confidential information.” [0070] “a regex is a string or other sequence of characters that defines a pattern for which to search. In the present context, regexes may define predefined and/or learned patterns that are indicative of sensitive data” [0090] “SDDE 106 is configured analyze table-level contexts to determine whether table objects are likely storing sensitive information. SDDE 106 may analyze contextual information within a table by classifying columns based on regex matches within the column. For example, a given column may include values and/or metadata that match regex patterns indicative of credit card information. Based on the match, SDDE 106 may classify the column as potentially storing PCI data.”) and the character patterns are the regex patterns that are matched to.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Joshi into the teaching of Narayanaswamy, Palop, Barday because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the matching of stored metadata table data to input character patterns as in Joshi in order to identify PII within the data.
As per claim 14, claim 8 is incorporated, Narayanaswamy, Palop, Barday fail to disclose “wherein determining the portion of the database metadata table associated with the PI comprises: determining at least one portion of the database metadata table that comprises one or more of a column name, a column attribute datatype, or a column description that matches the one or more character patterns indicative of the PI”
However, Joshi teaches the above limitations at least by ([0060] “Sensitive data may include, but is not limited to, personal credit information (PCI), personal identifying information (PII), personal health information (PHI), trade secrets, and/or other confidential information.” [0070] “a regex is a string or other sequence of characters that defines a pattern for which to search. In the present context, regexes may define predefined and/or learned patterns that are indicative of sensitive data” [0090] “SDDE 106 is configured analyze table-level contexts to determine whether table objects are likely storing sensitive information. SDDE 106 may analyze contextual information within a table by classifying columns based on regex matches within the column. For example, a given column may include values and/or metadata that match regex patterns indicative of credit card information. Based on the match, SDDE 106 may classify the column as potentially storing PCI data.”) and the character patterns are the regex patterns that are matched to.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Joshi into the teaching of Narayanaswamy, Palop, Barday because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the matching of stored metadata table data to input character patterns as in Joshi in order to identify PII within the data.
Regarding claim 15, Narayanaswamy discloses:
A method comprising: receiving, by a computing device in communication with at least one database, database metadata for the at least one database at least by ([0136] “Independent Data Store: As used herein, a hosted service or a cloud service or a cloud application or a cloud storage provider or a cloud storage application or a cloud computing service (CCS) is referred to as an “independent data store”, and vice-versa.” [0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140”) and the database metadata associated for a plurality of databases is the content metadata from different cloud services;
generating, based on the database metadata, a database metadata table comprising one or more of a plurality of column names, a plurality of column attribute datatypes, or a plurality of column descriptions associated with the at least one database at least by ([0163] “inspective analyzer 194 includes a data aggregator (omitted to improve clarity). Data aggregator includes listener capable of listening to streams and data flows originating at the cloud services 140 by connecting with their respective APIs via the public Internet. In some implementations, listener includes heterogeneous instances responsible for the intake of content and content metadata from different cloud services 140” [0165] “the gathered content metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by the cloud services 140. Non-structured data, such as free text, can also be provided by, and targeted back to, the cloud services 140. Both structured and non-structured data are capable of being aggregated by the inspective analyzer 194. For instance, the assembled metadata is stored in a semi-structured data format like a JSON (JavaScript Option Notation), BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consists of string fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, objects, etc” and Fig. 13 which shows an example metadata table that comprises at least a plurality of column names and a plurality of column attribute datatypes”, [0179] “After the object metadata is extracted, it is organized into data sets and stored as lists, tuples, dictionaries, tables, and/or sets in metadata store 196, according to one implementation.”, Fig. 13 additionally shows an example metadata table that comprises at least a plurality of column names and a plurality of column attribute datatypes) and the generating of the database metadata table is the organizing and storing of the extracted and aggregated metadata (database metadata) as tables;
Narayanaswamy fails to disclose “and determining, based on one or more character patterns, at least one column name of the plurality of column names, at least one column attribute datatype of the plurality of column attribute datatypes, or at least one column description of the plurality of column descriptions associated with personal information (PI); determining, based on a jurisdictional requirement and a portion of the database metadata table associated with the PI for a jurisdiction, that a database of a plurality of databases comprises PI-associated data responsive to a request associated with a requesting party, wherein the jurisdictional requirement defines the PI for the jurisdiction; and sending a notification indicative of the PI-associated data responsive to the request”
However, Palop teaches the following limitations, determining, based on a jurisdictional requirement and a portion of the database metadata table associated with the PI for a jurisdiction, … PI-associated data responsive to a request associated with a requesting party, wherein the jurisdictional requirement defines the PI for the jurisdiction at least by ([0009] “A typical example of a service mesh includes a data plane and control plane. Services are operably coupled to the service mesh to send communications in the form of requests between the services. Data flows between services in the data plane” [0010] “The control plane calls the content management system and verifies the metadata applied to the privacy policy to determine whether the request may be completed, such as whether data from one server located in the EU can be transferred to a server located in the U.S. based on a privacy policy linked to GDPR. The control plane enforces an action regarding the data transfer based on the privacy policy” [0016] “The illustrated services 214, 216 can include service datasets 224, 226, respectively, which include data records for use by service calls that may be transferred to other services via requests.” [0017] “The metadata repository 204 can be configured as a key value store that includes the metadata about the data records in the datasets 224, 226. In one example, the key can be the record identifier, or record ID, which can correspond with a data record in the datasets 224, 226. The value can include the metadata about each data record.” [0018] “A data regulation, such as the examples of HIIPA, SOX, and GDPR, can be implemented as a privacy policy 206 that is stored and executed at the control plane 218 along with general policies. The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204. The action can be provided to the control plane 218 and enforced.” [0018] “The privacy policy can be crafted to comply with a selected regulation or other selected rule and is driven by the selected regulation or the selected rule. In response to a service request, a proxy in the service mesh 208 can send the request attributes and context to the control plane 218, which will evaluate the policy to be used. The privacy policy 206 will be executed at the control plane 218 if the attributes and context, such as originator and destination, of the service request implicates the privacy policy 206. The privacy policy 206 can evaluate the attributes and context, and extract the record ID. The record ID can be provided to the metadata engine 202 to look up the corresponding metadata in the metadata repository 204. The metadata engine 204 can determine an appropriate action based on the privacy policy 206 applied to the metadata in the metadata repository 204” [0020] “the metadata for a data record could include a jurisdiction of the data record, such as a country, state, province, region or other legal zone. The privacy policy 206 in the example could include an aspect or rule that documents originated in a first country are not to be sent to a second country. The control plane 218 could receive an intercepted request from the data plane 228 in which the attributes and context of the request implicate the privacy policy 206, such as origination and destination information.” [0021] “The metadata repository 204 can store metadata properties with the record ID to permit the evaluation of the privacy policy 206. Two such metadata properties that typically can apply to a privacy policy include data type and jurisdiction type, or legal zone type. Examples of data types can include general data, personal data, PCI, and personal health information. The jurisdiction types can be applied to the location of the data record, the location of the user identified in the data record. Examples of jurisdiction types can include the country, state, province, and region of the record or the individual identified in the record. In one example, the type of data and the jurisdiction are considered together in a privacy policy”) and the metadata engine verifies the metadata applied to the privacy policy to determine whether the request may be completed between the disparate services; further, the requesting party is the service that initiated the request to another service.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Palop into the teaching of Narayanaswamy because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in Narayanaswamy to further include the centralized policy management enforcement as in Palop in order “to allow for more direct policy reactions and updates to changes in the regulations and for consistency across the application” (Palop, [0011]).
Narayanaswamy, Palop fail to disclose “and determining, based on one or more character patterns, at least one column name of the plurality of column names, at least one column attribute datatype of the plurality of column attribute datatypes, or at least one column description of the plurality of column descriptions associated with personal information (PI); determining, based on a jurisdictional requirement and a portion of the database metadata table associated with the PI for a jurisdiction, that a database of a plurality of databases comprises PI-associated data responsive to a request associated with a requesting party, wherein the jurisdictional requirement defines the PI for the jurisdiction; and sending a notification indicative of the PI-associated data responsive to the request”
However, Barday teaches the following limitations, determining, based on a jurisdictional requirement …, that a database of a plurality of databases comprises PI-associated data responsive to a request associated with a requesting party, wherein the jurisdictional requirement defines the PI for the jurisdiction at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”);
and sending a notification indicative of the PI-associated data responsive to the request at least by ([0320] “the system is configured to route one or more pieces of data to the local storage node that the system retrieved in response to receiving the request (e.g., one or more pieces of information associated with data collect, stored and/or processed about the data subject)”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Barday into the teaching of Narayanaswamy, Palop because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the processing of requests for private data based on the jurisdiction of the subject that made the request so that the system ensures that any legal requirements, such as those mandates by state, local, or federal government, are not violated by providing private data to unauthorized parties.
Narayanaswamy, Palop, Barday fail to disclose “and determining, based on one or more character patterns, at least one column name of the plurality of column names, at least one column attribute datatype of the plurality of column attribute datatypes, or at least one column description of the plurality of column descriptions associated with personal information (PI)”
However, Joshi teaches the above limitations at least by ([0060] “Sensitive data may include, but is not limited to, personal credit information (PCI), personal identifying information (PII), personal health information (PHI), trade secrets, and/or other confidential information.” [0070] “a regex is a string or other sequence of characters that defines a pattern for which to search. In the present context, regexes may define predefined and/or learned patterns that are indicative of sensitive data” [0090] “SDDE 106 is configured analyze table-level contexts to determine whether table objects are likely storing sensitive information. SDDE 106 may analyze contextual information within a table by classifying columns based on regex matches within the column. For example, a given column may include values and/or metadata that match regex patterns indicative of credit card information. Based on the match, SDDE 106 may classify the column as potentially storing PCI data.”) and the character patterns are the regex patterns that are matched to.
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Joshi into the teaching of Narayanaswamy, Palop, Barday because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of reference to further include the matching of stored metadata table data to input character patterns as in Joshi in order to identify PII within the data and be able to responsibly process it.
As per claim 16, claim 15 is incorporated, Joshi further discloses:
wherein the one or more character patterns are indicative of the PI at least by ([0060] “Sensitive data may include, but is not limited to, personal credit information (PCI), personal identifying information (PII), personal health information (PHI), trade secrets, and/or other confidential information.” [0070] “a regex is a string or other sequence of characters that defines a pattern for which to search. In the present context, regexes may define predefined and/or learned patterns that are indicative of sensitive data” [0090] “SDDE 106 is configured analyze table-level contexts to determine whether table objects are likely storing sensitive information. SDDE 106 may analyze contextual information within a table by classifying columns based on regex matches within the column. For example, a given column may include values and/or metadata that match regex patterns indicative of credit card information. Based on the match, SDDE 106 may classify the column as potentially storing PCI data.”) and the character patterns are the regex patterns that are matched to.
As per claim 17, claim 16 is incorporated, Joshi further discloses:
wherein the at least one column name, the at least one column attribute datatype, or the at least one column description matches the one or more character patterns at least by ([0060] “Sensitive data may include, but is not limited to, personal credit information (PCI), personal identifying information (PII), personal health information (PHI), trade secrets, and/or other confidential information.” [0070] “a regex is a string or other sequence of characters that defines a pattern for which to search. In the present context, regexes may define predefined and/or learned patterns that are indicative of sensitive data” [0090] “SDDE 106 is configured analyze table-level contexts to determine whether table objects are likely storing sensitive information. SDDE 106 may analyze contextual information within a table by classifying columns based on regex matches within the column. For example, a given column may include values and/or metadata that match regex patterns indicative of credit card information. Based on the match, SDDE 106 may classify the column as potentially storing PCI data.”) and the character patterns are the regex patterns that are matched to.
As per claim 18, claim 15 is incorporated, Barday further discloses:
wherein determining that the database of the plurality of databases comprises the PI-associated data responsive to the request comprises: determining, based on a residence associated with associated with the requesting party indicated by the request, the jurisdictional requirement ; and determining, based on the jurisdictional requirement, the database comprising the PI- associated data responsive to the request at least by ([0314] “when executing the DSAR Processing via Local Storage Node Module 4700, the system begins, at Step 4710, by receiving a data subject access request associated with a data subject.” [0316] “Continuing to Step 4720, the system is configured to identify a suitable local storage node based at least in part on the request and/or the data subject. For example, the system may be configured to identify the suitable local storage node (e.g., suitable one or more local storage nodes) based at least in part on: (1) a jurisdiction in which the data subject resides; (2) a country in which the data subject resides; (3) a jurisdiction from which the data subject made the request”).

Claims 19, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy (US 2017/0264619) in view of Palop (US 2021/0084109) and Barday (US 2019/0179799) and Joshi (US 2020/0125746) and further in view of Enuka (US 2020/0050966).
As per claim 19, claim 15 is incorporated, Narayanaswamy, Palop, Barday, Joshi fail to disclose “wherein receiving the database metadata for the at least one database comprises: establishing, by at least one collector associated with the computing device, a communication session with the at least one database, wherein the least one collector is configured to communicate with databases associated with a first database type”
However, Enuka teaches the above limitations at least by ([0053] “As discussed above, as potential personal information is found in a data source, the system may add the finding to a personal information findings file along with any relevant metadata. Accordingly, the personal information findings file may comprise any number of personal information findings and metadata associated with such findings.” [0189]-[0193] discloses the connecting and scanning of each type of scanner (collector) of a plurality of scanners to each type of data source, [0194] “Generally, the system may be configured to scan multiple data sources of multiple types (e.g. Hadoop Server 1, Hadoop Server 2, Fileshare 1, Fileshare 2 and so on). In one embodiment, each type of data source may be scanned by a scanner 1350 specifically adapted to scan that type of data source.”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the teaching of Enuka into the teaching of Narayanaswamy, Palop, Barday, Joshi because the references similarly disclose data retrieval involving PII. Consequently, one of ordinary skill in the art would be motivated to further modify the system as in the combination of references to further include the database-specific scanners as in Enuka in order to allow the system to quickly ingest and understand data from many different databases in various different formats.
As per claim 20, claim 19 is incorporated, Enuka further discloses:
further comprising: receiving, by the at least one collector, the database metadata for the at least one database at least by ([0053] “As discussed above, as potential personal information is found in a data source, the system may add the finding to a personal information findings file along with any relevant metadata (receive database metadata). Accordingly, the personal information findings file may comprise any number of personal information findings and metadata associated with such findings.” [0189]-[0193] discloses the connecting and scanning of each type of scanner (collector) of a plurality of scanners to each type of data source).

Response to Arguments
The following is in response to the amendment filed on 07/22/22.
Applicant’s arguments have been carefully and respectfully considered but are not persuasive.
Regarding 35 USC 101, on pgs. 7-8, applicant argues that the claims are not directed to an abstract idea and that they do not recite a mental process.
In response to the preceding argument, examiner respectfully submits that, in claim 1, but for the “by a computing device” language, the “determining…database metadata…”, “determining, based on one or more metadata rules…” and “determining, based on the jurisdictional requirement…” steps encompass the user observing displayed data/metadata of databases and mentally determining database metadata for the plurality of databases, and judging if the database, based on the table and jurisdictional requirements contains personal information associated with a particular jurisdiction.
Regarding 35 USC 101, on pg. 9, applicant argues that a person cannot determine which portion of a database metadata table are associated with PI or determining, based on a jurisdictional requirement and the portion of the database metadata table associated with PI, that a database of the plurality of database comprises data responsive to a request. Therefore, they are directed to a mental process.
In response to the preceding argument, examiner respectfully submits that these limitations, but for the “by a computing device” language, encompass the user observing displayed data/metadata of databases and mentally determining database metadata for the plurality of databases, and judging if the database, based on the table and jurisdictional requirements contains personal information associated with a particular jurisdiction. Therefore, they are directed to a mental process.
Regarding 35 USC 101, on pgs. 10, applicant argues that the examiner has oversimplified the claimed invention and not considered the concrete limitations recited by the claims.
In response to the preceding argument, examiner respectfully submits that the examiner referred to the limitations by the first word in the limitation and in quotations to refer to each of the limitations as a whole for the sake of brevity; however, it is noted that this does not imply that any limitations, or portions thereof, were disregarded or overlooked during the analysis as suggested by the applicant. In the examiner’s claim interpretation and analysis, each and every limitation was considered as a whole and in combination.
Regarding 35 USC 101, on pgs. 10-11, applicant argues that the claims are patent-eligible because they provide an improvement to the technology.
In response to the preceding argument, examiner respectfully submits that the applicant has not recited “implementing legislative privacy rules” within the claims. Therefore, the claimed invention would not necessarily provide the alleged improvement, as suggested by the applicant.
Regarding 35 USC 101, on pgs. 11-12, applicant argues that the claimed invention solves a problem and that the computing device provides a technological solution to a technical problem.
In response to the preceding argument, examiner respectfully submits that the citations from the instant specification disclose the locating of data associated with PI, aggregating of database metadata, and applying metadata rules to a database metadata table. The claims do not recite applying metadata rules to a database, as is disclosed in the paragraphs provided by the applicant. That is, at least claim 1 only recites “determining, based on one or more database metadata rules, a portion of the database metadata table associated with personal information (PI)”. Therefore, it is not clear how the claimed invention would provide the alleged solution the problem, as identified by the applicant. Rather, the limitations, as claimed, are directed to mental processes as well as additional limitations that are directed to insignificant extra-solution activities that are well-understood, routine, and conventionally in the art. Further, the computing device, as claimed, is recited at a high-level of generality (i.e., as a generic computer device performing generic computer functions of receiving data and generating tables) which would also not provide any solutions to any problems; further, generic computing devices cannot provide significantly more than the judicial exception.	
	
Applicant’s arguments with respect to the prior art rejections have been considered but are moot because they do not apply to all of the references being used in the current rejection.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM P BARTLETT whose telephone number is (469)295-9085.  The examiner can normally be reached on M-Th 11:30-8:30, F 11-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 5712724046.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WILLIAM P BARTLETT/
Examiner, Art Unit 2169

/USMAAN SAEED/Supervisory Patent Examiner, Art Unit 2169