DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because the abstract should avoid phrases which can be implied such as “are presented”.  Correction is required.  See MPEP § 608.01(b).

The disclosure is objected to because of the following informalities:
“It is can be desirable…” recited in paragraph 3 should be “It is desirable…”;
“It is can be desirable…” recited in paragraph 45 should be “It is desirable…”;
“Millenium” recited in paragraph 62 should be “Millennium”;
“Phillipines” recited in paragraph 62 should be “Philippines”; and
Paragraph 92 duplicates “(REST)ful” in reciting “(REST)ful (RESTful)”.
Appropriate correction is required.

The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 6-7, 10-11, 13-16, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al US 20200356697 (hereinafter Brannon) in view of Vax et al US 20220179993 (hereinafter Vax).

As to claim 1, Brannon teaches a system (Figure 1 shows the data model generation system and consent interface management server; Figure 2 shows schematic diagram of a computer of the system), comprising:
a processor (Figure 2, reference number 202 “Processor”) that executes computer-executable components  (Figure 2, “Instructions” and paragraph 621 reveal the instructions are executed on the processing device 202) stored in a memory (Figure 2, “Main Memory”, paragraph 621), the computer-executable components comprising: 
a secure data store that stores information relating to items of data associated with users that are stored in a set of data stores(paragraph 711-712 reveal the scanned data items which can include personal information associated with one or more individuals are stored in a catalog which is in the format of a data table. The cataloged in the data table/store is the secure data store. Access to the data in the data store(s) is per user consent, thus the data store(s) is/are secure data store(s). The individual(s) information comes from one or more databases), wherein the information is generated based on scanning the items of data in the set of data stores (Figure 26, step 2610 “Connect to one or more databases, and scan the one or more databases to generate catalog of one or more individuals and one or more pieces of personal information associated with the one or more individuals”, see paragraph 708); and 
a rights management component (paragraphs 735 and 784 reveal consent receipt management system) that, determines, a set of rights of a user with regard to a first subset of data and a second subset of data (paragraph 710 reveals the first subset of the item of user data pertains to personal data; paragraph 713 reveals the second subset of the information that are related to the user pertains to  attributes of user data ;paragraphs 735 and 784 reveal consent receipt management system that implements/determines and ensures compliance of the privacy and security policies  of the collection/storage of private information and attributes of users/individuals; therefore, rules and rights are assigned to the first subset and second subset of data) wherein the set of [rights] is determined based on a set obligations associated with the set of data stores and related to data privacy and security (paragraphs 735 and 784 reveal consent receipt management system that implement and determine rules/permission rights based on set of obligations such as compliance of the collection/storage of data according to privacy and security policies).
Brannon does not teach determines, based on a set of rules, a set of rights of a user with regard to a first subset of the items of data and a second subset of the information that are related to the user, wherein the set of rules is determined based on a set obligations associated with the set of data stores and related to data privacy and security.
Vax teaches a rights management component (Figure 12 and paragraphs 160-162 reveal a compliance rules management interface that determines the set of rules/regulation, set of rights of users) that, determines, based on a set of rules, a set of rights of a user with regard to a first subset of the items of data (Figure 12 and paragraphs 161-162 reveal based on rules/regulation associated with European Union’s General Data Protection Regulation-GDPR, a set of rights/rules of the user is generated/determined, such as “Rule 1: Data from China cannot leave China”, wherein the first subset of data is reference number 1273 shown in Figure 12 being “SSN” )  and a second subset of the information that are related to the user(Figure 12 and paragraphs 161-162 reveal based on rules/regulation of GDPR/HIPAA, a set of rights/rules of the user, such as “Rule 2”, wherein the second subset of data is in Figure 11, wherein  the example of second subset of data being zip code)  , wherein the set of rules is determined based on a set obligations associated with the set of data stores and related to data privacy and security (paragraph 164 reveals one or more rules may be associated with residency information when the rule/regulation applies only to personal information that is stored in a specific location; paragraph 165 reveals rules/regulations may relate to the type of application accessing personal information and the obligation associated with the data in the data stores, such as a first rule allow personal information such as zip code to be viewed by applications tagged as accounting but not by applications tagged as sales).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system with Vax’s rights management component such that the system can automatically detect any action associated with the violated compliance regulation(s)/rule(s) (paragraph 168 of Vax).

As to claim 2, the combination of Brannon in view of Vax teaches wherein the items of data comprise a first item of data and a second item of data (Brannon: Figure 26 reference number 2620 and 2630 reveals the items of data retrieved from the scanned includes a first item of data/one or more pieces of personal information and a second item of data/one or more attributes of data; Vax also reveals in Figure 11 and paragraphs 68-69 that the first item of data pertains to Full Name and the second item of data can be address), wherein the scanner component scans the first item of data from a first data store of the set of data stores associated with a first entity (Brannon: Figure 26 reference number 2610 reveals scan of one or more databases takes place on first item of data/personal information and paragraph 709 reveals the database is associated with a particular organization paragraph 633 also reveal the scan is done to identify first data asset; Vax: paragraph 49-50 reveal primary data source is scanned/searched with example of primary entities such as Apache Hadoop, RDB, CRM systems) and scans the second item of data from a second data store of the set of data stores associated with a second entity(Brannon: Figure 26 reference number 2620 reveals scan of one or more repositories takes place on second item of data/attribute of data and paragraph 777 reveals the data repository can be for/from a plurality of different entities; Vax: paragraph 49-50 reveal secondary data source is scanned/searched with example of secondary entities such as DLP, and IBM GUARDIUM).

As to claim 3, the combination of Brannon in view of Vax teaches wherein the first item of data is associated with a first jurisdiction associated with a first legal standard (Brannon: paragraph 838 reveals a data subject is associated with a first jurisdiction  with respective regulations; Vax: Figure 12 reveals assigning 1261, attribute 1273, SSN first item of data associated with jurisdiction of Germany with a first legal standard GDPR ), wherein the second item of data is associated with a second jurisdiction associated with a second legal standard(Vax: Figure 12 reveals second potential attribute 1273, also  Figure 11, reference number 1142, zip-code item of data associated with jurisdiction of Russia; wherein according to Figure 12, second legal standard can be associated with another jurisdiction ), wherein the set of rights of the user is a first set of rights of a first user (Brannon: paragraph 754 reveals different individuals such as a first user has a first set of rights; Vax: paragraphs 33 and 58 reveal set of rights of create, delete, update, and/or replace information of a customer/user), and 
wherein the rights management component determines the first set of rights of the first user with regard to the first item of data stored in the first data store or the secure data store based on a first subset of rules of the set of rules, in accordance with a first subset of obligations of the set of obligations (Vax: paragraphs 38-39 reveal the system receives/determines one or more personal information rules that can be mapped to a user first data such as SSN in a first data source. The rules can be set by the user in accordance with proximity rules and/or privacy data compliance/regulation/obligations such as GDPR -EU or NIST) , and determines a second set of rights of a second user with regard to the second item of data stored in the second data store or the secure data store based on a second subset of rules of the set of rules, in accordance with a second subset of obligations of the set of obligations(Vax: paragraphs 38-39 reveal the system receives/determines one or more personal information rules that can be mapped to user(s), thus a second user, second data such as SSN or phone-number in a data source. The rules can be set by the user in accordance with proximity rules and/or privacy data compliance/regulation/obligations such as GDPR -EU. Figure 10, reveals the detected PI records detected for three users 1031, in three different data sources), wherein the first subset of obligations is determined based on the first legal standard (Vax: Figure 12, and paragraph 39 reveal SSN can be mapped to first subset of obligations corresponds to the first legal standard/regulation such as GDPR), and wherein the second subset of obligations is determined based on the second legal standard(Vax: paragraphs 38-39 personal information of additional users can be obtained/identified and mapped to second/other subset of obligations corresponds to the second legal standard/regulation such as NIST).

As to claim 4, the combination of Brannon in view of Vax teaches wherein the set of rights comprises a right of access to allow the user access to the first subset of the items of data of the user stored in the set of data stores (Brannon: paragraph 734 reveals data subject access request module receives a data subject access request by a user; paragraph 735 discloses “a right to obtain a copy of any personal data being processed (e.g., a right to receive a copy of their personal data in a commonly used, machine-readable format)”; paragraph 784 discloses “a right to receive the personal data concerning the data subject, which he or she has provided to an entity”), a right to information relating to types of data collected by a device of an entity associated with the set of data stores (Brannon: paragraph 735 discloses “a right to obtain information about one or more categories of data being processed (e.g., what type of personal data is being collected, stored”), a right to rectification that allows the user to modify or request modification of an item of data of the user that is inaccurate or otherwise not valid (Brannon: paragraph 735 discloses “a right to request … rectification (e.g., correction or deletion of inaccurate data)”), or a right of erasure that allows the user to request that the entity delete at least a portion of the first subset of the items of data of the user from the set of data stores( Brannon: paragraph 735 discloses “a right to request erasure (e.g., the right to be forgotten),”; paragraph 784 discloses “a right to erasure of the data subject's personal data (e.g., in cases where no legal basis applies to the processing and/or collection of the personal data”).

As to claim 6, the combination of Brannon in view of Vax teaches wherein the first subset of the items of data comprises an item of data of the user (Brannon: paragraph 734 discloses personal data/first subset of item of data is data of the user that an organization or corporation has stored), wherein the rights management component receives, from a communication device of the user, a request to modify the item of data to due to inaccuracy of the item of data(Brannon: paragraph 734 discloses a “Data subject Access Request Fulfillment Module”  which can be the rights management components that receives data rights request by users; paragraph 735 discloses “a right to request … rectification (e.g., correction or deletion of inaccurate data)”), and initiates processing of the request to modify the item of data(Brannon: paragraph 734 discloses a “Data subject Access Request Fulfillment Module”  initiates/process the request and fulfil the user request).

As to claim 7, the combination of Brannon in view of Vax teaches wherein, in response to the request to modify, the rights management component modifies or facilitates modification of the item of data (Brannon: paragraph 734 discloses a “Data subject Access Request Fulfillment Module” that initiates/processes the request and fulfils the user request) to generate an updated item of data that is stored in a data store of the set of data stores (Brannon: paragraphs 740-741 reveal that the system facilitates the request to correct the personal data that is stored in the data store, per the user’s request, by overwriting the data in memory).

As to claim 10, the combination of Brannon in view of Vax teaches wherein the items of data comprise an item of data, wherein the computer-executable components further comprise a classifier component that analyzes the item of data, and based on the analysis, recognizes and identifies characters in the item of data, a language associated with the characters, or a data type of the item of data (Brannon: paragraphs 708 and 718 reveal that after scanning the data, the intelligent identity scanning module analyzes the identified personal data and classifies the data elements/personal data based on machine learning techniques to score the probability the data belongs to a particular user; paragraph 710 further reveals the system can identify the one or more pieces of data in the following categories: name, address, telephone number, email address, SSN, etc. Paragraph 739 further reveals the system uses machine learning techniques to identify personal data).

As to claim 11, the combination of Brannon in view of Vax teaches wherein the computer-executable components further comprise an artificial intelligence component that learns to identify types of characters, types of languages associated with the types of characters, or data types of the items of data, based on an artificial intelligence or machine learning analysis of historical information relating to the types of characters, the types of languages, or the data types (Brannon: paragraphs 708 and 718 reveal that after scanning the data, the intelligent identity scanning module analyzes the identified personal data and classifies/categorizes the data elements/personal data from the generated catalog based on machine learning techniques to score the probability the data belongs to a particular user; paragraph 710 further reveals the system can identify the one or more pieces of data in the following data type categories: name, address, telephone number, email address, SSN, etc. Paragraph 739 further reveals the system uses machine learning techniques to identify personal data. Machine learning uses historical data as input to predict/classify data), and wherein, based on the learning and results of the artificial intelligence or machine learning analysis of the historical information, the capability of the classifier component to identify the characters in the item of data, the language associated with the characters, or the data type of the item of data is enhanced (Brannon: paragraphs 708 and 718 reveal that after scanning the data, the intelligent identity scanning module analyzes the identified personal data and classifies/categorizes the data elements/personal data from the generated catalog based on machine learning techniques to score the probability the data belongs to a particular user; paragraph 710 further reveals the system can identify the one or more pieces of data in the following data type categories: name, address, telephone number, email address, SSN, etc. The machine learning technique enhances, via probability score, the identification/categorization of the data type to the respective user(s)).

As to claim 13, Brannon teaches a computer-implemented method(Figure 2, “Instructions” and paragraph 621 reveal the instructions are executed on the processing device 202; Figure 26 reveals method  of collecting personal data of users from one or more databases), comprising: 
scanning, by a system having a processor and a memory, items of data stored in a group of database components(Figure 26, step 2610 “Connect to one or more databases, and scan the one or more databases to generate catalog of one or more individuals and one or more pieces of personal information associated with the one or more individuals”, see paragraph 708); 
storing, by the system, information relating to the items of data in a secure data store, wherein the information is determined based on the scanning of the items of data(paragraph 712 reveals the scanned data items which can include personal information associated with one or more individuals are stored in a catalog which is in the format of a data table. The cataloged in the data table/store is the secure data store. Access to the data in the data store(s) is per user consent, thus the data store(s) is/are secure data store(s). The individual(s) information comes from one or more databases); and 
determining, by the system, a group of rights of a user with regard to a first subset of the items of data and a second subset of the information relating to data protection(paragraph 710 reveals the first subset of the item of user data pertains to personal data; paragraph 713 reveals the second subset of the information that are related to the user pertains to  attributes of user data ;paragraphs 735 and 784 reveals consent receipt management system that implement/determine and ensure compliance of the privacy and security policies  of the collection/storage of private information and attributes of users/individuals; therefore, rules and rights are assigned to the first subset and second subset of data), wherein the set of rules is determined based on a set of provisions associated with the group of database components and related to the data protection(paragraphs 735 and 784 reveal consent receipt management system that implement/determine rules based on set of obligations such as compliance of the privacy and security policies  of the collection/storage of the information).
Brannon does not teach determining, by the system, a group of rights of a user with regard to a first subset of the items of data and a second subset of the information based on a set of rules, wherein the set of rules is determined based on a set of provisions associated with the group of database components and related to the data protection.
Vax teaches determining, by the system(Figure 12 and paragraphs 160-162 reveal a compliance rules management interface determines the set of rules/regulations of users), a group of rights of a user with regard to a first subset of the items of data (Figure 12 and paragraphs 161-162 reveal based on rules/regulation of GDPR, a set of rights/rules of the user, such as “Rule 1: Data from China cannot leave China”, wherein the first subset of data is shown reference number 1273 shown in Figure 12 being “SSN” )  and a second subset of the information based on a set of rules (Figure 12 and paragraphs 161-162 reveal based on rules/regulation of GDPR/HIPAA, a set of rights/rules of the user, such as “Rule 2”, wherein the second subset of data is shown in Figure 12, and Figure 11 shows, the example of second subset of data being zip code), wherein the set of rules is determined based on a set of provisions associated with the group of database components and related to the data protection(paragraph 164 reveals one or more rules may be associated with residency information when the rule/regulation applies only to personal information that is stored in a specific location; paragraph 165 reveals rules/regulations may relate to the type of application accessing personal information and the provision associated with the data in the data stores, such as a first rule may allow personal information such as zip code to be viewed by applications tagged as accounting but not by applications tagged as sales).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system with Vax’s rights management component such that the system can automatically detect/trigger any action associated with the violated compliance regulation(s)/rule(s) (paragraph 168 of Vax).

As to claim 14, the combination of Brannon in view of Vax teaches wherein the items of data comprise a first item of data and a second item of data (Brannon: Figure 26 reference number 2620 and 2630 reveals the items of data retrieved from the scanned includes a first item of data/one or more pieces of personal information and a second item of data/one or more attributes of data; Vax also reveals in Figure 11 and paragraphs 68-69 that the first item of data pertains to Full Name and the second item of data can be address), wherein the group of database components comprise a first database component associated with a first entity (Brannon: Figure 26 reference number 2610 reveals one or more databases potentially have on first item of data/personal information and paragraph 709 reveals the database is associated with a particular organization; Vax: paragraph 49-50 reveal primary data source is scanned/searched with example of primary entities such as Apache Hadoop, RDB, CRM systems) and a second database component associated with a second entity (Brannon: Figure 26 reference number 2620 reveals one or more repositories potentially have second item of data/attribute of data and paragraph 777 reveals the data repository can be for/from a plurality of different entities; Vax: paragraph 49-50 reveal secondary data source is scanned/searched with example of secondary entities such as DLP, and IBM GUARDIUM), and wherein the scanning comprises scanning the first item of data from the first database associated with the first entity (Brannon: Figure 26 reference number 2610 reveals scan of one or more databases takes place on first item of data/personal information and paragraph 709 reveals the database is associated with a particular organization; paragraph 633 also reveals the scan is done to identify first data asset; Vax: paragraph 49-50 reveal primary data source is scanned/searched with example of primary entities such as Apache Hadoop, RDB, CRM systems), and scanning the second item of data from the second database associated with the second entity (Brannon: Figure 26 reference number 2620 reveals scan of one or more repositories takes place on second item of data/attribute of data and paragraph 777 reveals the data repository can be for/from a plurality of different entities; Vax: paragraph 49-50 reveal secondary data source is scanned/searched with example of secondary entities such as DLP, and IBM GUARDIUM).

As to claim 15, the combination of Brannon in view of Vax teaches wherein the group of rights of the user is a first group of rights of a first user, and wherein the method further comprises: 
determining, by the system, the first group of rights of the first user with regard to the first item of data based on a first rule of the set of rules, in accordance with a first law or a first agreement (Vax: paragraphs 38-39 reveal the system receives/determines one or more personal information rules that can be mapped to a user first data such as SSN in a first data source. The rules can be set by the user in accordance with proximity rules and/or privacy data compliance/regulation/obligations such as GDPR -EU or NIST), wherein the first item of data and the first database component are associated with a first jurisdiction associated with the first law, and wherein at least a first provision of the set of provisions corresponds to the first law (Brannon: paragraph 838 reveals a data subject is associated with a first jurisdiction with respective regulations; Vax: Figure 12 reveals assigning 1261, attribute 1273, SSN first item of data associated with jurisdiction of Germany with a first legal standard GDPR; Vax: Figure 12, and paragraph 39 reveal SSN can be mapped to first subset of obligations corresponds to the first legal standard/regulation such as GDPR); and
determining, by the system, a second group of rights of a second user with regard to the second item of data stored based on a second rule of the set of rules, in accordance with a second law or a second agreement(Vax: paragraphs 38-39 reveal the system receives/determines one or more personal information rules that can be mapped to user(s), thus a second user, second data such as SSN or phone-number in a data source. The rules can be set by the user in accordance with proximity rules and/or privacy data compliance/regulation/obligations such as GDPR -EU. Figure 10, reveals the detected PI records detected for three users 1031, in three different data sources), wherein the second item of data and the second database component are associated with a second jurisdiction associated with the second law(Vax: Figure 12 reveals second potential attribute 1273, also  Figure 11, reference number 1142, zip-code item of data associated with jurisdiction of Russia; wherein according to Figure 12, second legal standard can be associated with another jurisdiction ), and wherein at least a second provision of the set of provisions corresponds to the second law(Vax: paragraphs 38-39 personal information of additional users can be obtained/identified and mapped to second/other subset of obligations corresponds to the second legal standard/regulation such as NIST).

As to claim 16, the combination of Brannon in view of Vax teaches wherein the items of data comprise an item of data of the user (Brannon: paragraph 734 discloses personal data/first subset of item of data is data of the user that an organization or corporation has stored), and wherein the computer-implemented method further comprises: receiving, by the system, from a communication device of the user, a request to change the item of data due to invalidity of the item of data based on a right of the group of rights(Brannon: paragraph 734 discloses a “Data subject Access Request Fulfillment Module”  which can be the rights management components that receives requests to data rights request by users; paragraph 735 discloses “a right to request … rectification (e.g., correction or deletion of inaccurate data)”; paragraph 735 discloses the right of rectification from a group of rights); and in response to the request, initiating, by the system, processing of the request to change the item of data(Brannon: paragraph 734 discloses a “Data subject Access Request Fulfillment Module”  initiates/process the request and fulfil the user request).

As to claim 19, the combination of Brannon in view of Vax teaches further comprising: performing, by the system, an artificial intelligence or machine learning analysis on the items of data and historical data; based on a result of the artificial intelligence or machine learning analysis (Brannon: paragraphs 708 and 718 reveal that after scanning the data, the intelligent identity scanning module analyzes the identified personal data and classifies/categorizes the data elements/personal data from the generated catalog based on machine learning techniques to score the probability the data belongs to a particular user), at least one of: determining or inferring, by the system, a character of an item of data of the items of data, determining or inferring, by the system, a language of the item of data, or determining or inferring, by the system, a data type of the item of data (Brannon: paragraph 710 further reveals the system can identify the one or more pieces of data in the following data type categories: name, address, telephone number, email address, SSN, etc. Paragraph 739 further reveals the system uses machine learning techniques to identify personal data. Machine learning uses historical data as input to predict/classify data).

As to claim 20, Brannon teaches a machine-readable storage medium (Figure 2, “Main Memory”, paragraph 621), comprising executable instructions (Figure 2, “Instructions” and paragraph 621 reveal the instructions are executed on the processing device 202) that, when executed by a processor (Figure 2, reference number 202 “Processor”), facilitate performance of operations (paragraph 621), comprising:
scanning items of data stored in a set of data storage components (Figure 26, step 2610 “Connect to one or more databases, and scan the one or more databases to generate catalog of one or more individuals and one or more pieces of personal information associated with the one or more individuals”, see paragraph 708);
storing information relating to the items of data in a secure data store, wherein the information is generated based on the scanning of the items of data stored in the set of data storage components (paragraph 712 reveals the scanned data items which can include personal information associated with one or more individuals are stored in a catalog which is in the format of a data table. The cataloged in the data table/store is the secure data store. Access to the data in the data store(s) is per user consent, thus the data store(s) is/are secure data store(s). The individual(s) information comes from one or more databases), and
identifying a set of rights of a user with regard to a first subset of the items of data and a second subset of the information based on a set of rules relating to data privacy and security(paragraph 710 reveals the first subset of the item of user data pertains to personal data; paragraph 713 reveals the second subset of the information that are related to the user pertains to  attributes of user data ;paragraphs 735 and 784 reveal consent receipt management system that implement/determine and ensure compliance of the privacy and security policies  of the collection/storage of private information and attributes of users/individuals; therefore, rules and rights are assigned to the first subset and second subset of data), wherein the set of [rights] is determined based on a set of legal or contractual obligations associated with the set of data storage components and related to the data privacy and security(paragraphs 735 and 784 reveal consent receipt management system that implement/determine rules based on set of obligations such as compliance of the privacy and security policies  of the collection/storage of the information).
Brannon does not teach scanning items of data stored in a set of data storage components associated with respective geographical jurisdictions; identifying a set of rights of a user with regard to a first subset of the items of data and a second subset of the information based on a set of rules, wherein the set of rules is determined based on a set of legal or contractual obligations.
Vax teaches scanning items of data stored in a set of data storage components associated with respective geographical jurisdictions (paragraphs 131, 133 and Figure 10 reveal a dashboard of a scan that was performed on information relating to the location of various sources and the countries/geographical jurisdiction of the data sources that have the personal information); identifying a set of rights of a user with regard to a first subset of the items of data (Figure 12 and paragraphs 161-162 reveal, based on rules/regulation of GDPR, a set of rights/rules of the user, such as “Rule 1: Data from China cannot leave China”, wherein the first subset of data is shown at reference number 1273 in Figure 12 as “SSN”) and a second subset of the information based on a set of rules (Figure 12 and paragraphs 161-162 reveal, based on rules/regulation of GDPR/HIPAA, a set of rights/rules of the user, such as “Rule 2”, wherein the second subset of data is shown in Figure 11, the example of the second subset of data being zip code), wherein the set of rules is determined based on a set of legal or contractual obligations (paragraph 164 reveals one or more rules may be associated with residency information when the rule/regulation applies only to personal information that is stored in a specific location; paragraph 165 reveals rules/regulations may relate to the type of application accessing personal information and the obligation associated with the data in the data stores, such as a first rule that may allow personal information such as zip code to be viewed by applications tagged as accounting but not by applications tagged as sales).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system with Vax’s rights management component such that the system can automatically detect/trigger any action associated with the violated compliance regulation(s)/rule(s) (paragraph 168 of Vax).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al US 20200356697 (hereinafter Brannon) in view of Vax et al US 20220179993 (hereinafter Vax) in further view of Piecko US 20200320216 (hereinafter Piecko).

As to claim 5, the combination of Brannon in view of Vax teaches all the limitations recited in claim 1 above, and further teaches wherein the set of rights comprises a right to restriction of processing of data that allows the user to request that the entity restrict processing of at least a portion of the first subset of the items of data of the user under first defined circumstances (Brannon: paragraph 735 reveals the set of  user rights includes a request of the user to restrict processing of personal data portion of data under privacy and security policies, the right is called “right of restriction”), a right to data portability that allows the user to obtain a copy of the first subset of the items of data under second defined circumstances(Brannon: paragraph 735 reveals the set of  user rights includes a request of the user to obtain a copy of any personal data/first subset of the items of data being processed under privacy and security policies ), a right to object that allows the user to object to the processing of at least the portion of the first subset of the items of data under third defined circumstances (Brannon: paragraph 784 reveals the user has the right to object that allows for the withdrawing of the processing of the user personal information/first subset of the items of data under privacy and security policies). 
The combination of Brannon in view of Vax does not teach a right to avoid automated decision making that allows the user to not be subject to a decision of the entity based solely on automated processing or decision making by a device of the entity.
Piecko teaches a right to avoid automated decision making that allows the user to not be subject to a decision of the entity based solely on automated processing or decision making by a device of the entity (paragraph 59 reveals rules of access rights/permission for data can include parameters that may not be executed based on the user, in which the access right/permission is performed automatically without user interference, thus the decision of the entity is based on automated process).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component with Piecko’s automated processing to improve system performance by applying permission rules without user interference, and which does not require the stopping of one or more services for the modification/request (paragraphs 59 and 13 of Piecko). 
 
Claim(s) 8 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al US 20200356697 (hereinafter Brannon) in view of Vax et al US 20220179993 (hereinafter Vax) in further view of Brannon et al US 20200364369 (hereinafter Brannon’369).

As to claim 8, the combination of Brannon in view of Vax teaches all the limitations recited in claim 6 above. The combination of Brannon in view of Vax further teaches wherein the user is a first user (Brannon: paragraph 734 reveals the system receives an access request from an individual/first user), wherein the set of data stores is associated with an entity (Brannon: paragraphs 709 and 734 reveal the entity/organization stores personal data of users/individuals in one or more databases), wherein the set of rules comprises a rule that specifies the request to modify is to be processed (Brannon: paragraph 735 reveals the set of rules/rights for request to change/update user data are under privacy and security policies such as European Union’s General Data Protection Regulation and other related policies).
The combination of Brannon in view of Vax does not teach wherein the set of rules comprises a rule that specifies the request to modify is to be processed and completed within a defined amount of time, wherein the rule corresponds to an obligation of the set of obligations, wherein the computer-executable components further comprise a notification component that generates notification messages, and wherein, in response to a determination that the request to modify has not been processed and completed within the defined amount of time based on the rule, the notification component communicates a notification message to a device of a second user associated with the entity to notify the second user that the request to modify has not been processed and completed within the defined amount of time in violation of the rule and the obligation.
Brannon’369 teaches wherein the user is a first user, wherein the set of data stores is associated with an entity, wherein the set of rules comprises a rule that specifies the request to modify is to be processed and completed within a defined amount of time, wherein the rule corresponds to an obligation of the set of obligations (paragraphs 3 and 207 reveal companies/entities fulfil data subject/first user requests that comply with legal regulations/obligations of user’s rights. Some requests are required to be fulfilled within a defined amount of time such as 30 days), wherein the computer-executable components further comprise a notification component that generates notification messages (paragraphs 207 and 212 reveal that upon the processing of the request, the system generates a data test/report/notification of the request status), and wherein, in response to a determination that the request to modify has not been processed and completed within the defined amount of time based on the rule (paragraphs 209 and 212 reveal that upon determining that the data subject request to modify/delete has not been complied with/completed under the set provisioning rules/regulations), the notification component communicates a notification message to a device of a second user associated with the entity to notify the second user that the request to modify has not been processed and completed within the defined amount of time in violation of the rule and the obligation (paragraphs 209 and 212 reveal that upon determining that the data subject request to modify/delete has not been complied with/completed under the set provisioning rules/regulations, the system generates a report/notification, by the computing system, to send to the user that the request has not been processed).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component  with Brannon’369 teachings of processing the user request within a specified period of time to provide an improved system and method for speedily complying with user data rights/access request (paragraph 3 of Brannon’369). 

As to claim 17, the combination of Brannon in view of Vax teaches all the limitations recited in claim 16 above. The combination of Brannon in view of Vax further teaches wherein the user is a first user (Brannon: paragraph 734 reveals the system receives an access request from an individual/first user), wherein a database component of the set of database components is associated with an entity (Brannon: paragraphs 709 and 734 reveal the entity/organization stores personal data of users/individuals in one or more databases), wherein the set of rules comprises a rule that indicates the request to change is to be processed (Brannon: paragraph 735 reveals the set of rules/rights for request to change/update user data are under privacy and security policies such as European Union’s General Data Protection Regulation and other related policies), wherein the rule corresponds to a provision of the set of provisions (Brannon: paragraph 735 reveals privacy and security policies provide data provision rights of individuals/users; these rights relate to the user’s personal data that is collected, stored, processed by an entity; Vax: Figure 12 and paragraphs 161-162 reveal a set of rights/rules of the user, such as “Rule 1: Data from China cannot leave China”, which is a rule that corresponds to a provision of data elements), and wherein the computer-implemented method further comprises: one of: in response to the request, changing the item of data to generate an updated item of data (Brannon: paragraph 741 reveals that, in response to the request, the request is facilitated by overwriting the item of data with the update, thus updating the item of data), and storing, by the system, the updated item of data in the database component (Brannon: paragraph 741 reveals that, in response to the request, the request is facilitated by overwriting the item of data in memory, thus storing the updated item of data in the database component).
The combination of Brannon in view of Vax does not teach a rule that indicates the request to change is to be processed and completed within a defined period of time, or in response to determining that the request has not been processed and completed within the defined period of time based on the rule, transmitting, by the system, a notification message to a device of a second user associated with the entity to notify the second user that the request to change has not been processed and completed within the defined period of time in breach of the rule and the provision.
Brannon’369 teaches a rule that indicates the request to change is to be processed and completed within a defined period of time (paragraphs 3 and 207 reveal companies/entities fulfil data subject/first user requests that comply with legal regulations/obligations of user’s rights. Some requests are required to be fulfilled within a defined amount of time such as 30 days), or in response to determining that the request has not been processed and completed within the defined period of time based on the rule (paragraphs 209 and 212 reveal that upon determining that the data subject request to modify/delete has not been complied with/completed under the set provisioning rules/regulations), transmitting, by the system, a notification message to a device of a second user associated with the entity to notify the second user that the request to change has not been processed and completed within the defined period of time in breach of the rule and the provision (paragraphs 209 and 212 reveal that upon determining that the data subject request to modify/delete has not been complied with/completed under the set provisioning rules/regulations, the system generates a report/notification, by the computing system, to send to the user that the request has not been processed).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component  with Brannon’369 teachings of processing the user request within a specified period of time to provide an improved system and method for speedily complying with user data rights/access request (paragraph 3 of Brannon’369). 

Claim(s) 9 and 18  is/are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al US 20200356697 (hereinafter Brannon) in view of Vax et al US 20220179993 (hereinafter Vax) in further view of Ford et al US 20210014214 (hereinafter Ford).
As to claim 9, the combination of Brannon in view of Vax teaches all the limitations recited in claim 1 above and further teaches wherein the user is a first user, wherein the set of data stores is associated with an entity (Brannon: paragraphs 767-769 reveal that a unique permanent identifier is assigned to each user (data subject), thus identifiers are assigned to a first user, a second user, etc.), wherein the computer-executable components further comprise an authenticator component that [provide consent to] a second user associated with the entity (Brannon: paragraphs 783, 792, and 794 reveal a consent receipt management system that confirms consent/authorization of users, which include a second user, based on user unique consent receipt key and the associated data types that the key is linked to), and wherein, in response to the authenticator component [providing consent to] the second user, the rights management component grants the second user an access right to access a first portion of the information stored in the secure data store, based on the set of rules (Brannon: paragraphs 823-824 reveal an entity, second user, may enter a transaction that includes the processing of personal data, and this requires consent by the data subject/first user. Thus the transaction may record and/or require one or more valid consents from the first user to provide access of the one or more pieces of information by the entity. Paragraph 825 reveals that this is done via authenticating via the unique receipt key/ID associated with the first user, the second user, and the transaction. This ID is based on a piece of personal data such as an email address. Based on the first user consent/authorization, the entity receives the access/right to process the one or more pieces of user data), and prevents the second user from accessing [elements of the user data], based on the set of rules (Brannon: paragraphs 832-833 reveal that based on the privacy policies and the transaction request of the second user/entity, according to the first user consent, access is provided to certain data elements, such as a first portion, while the second portion of the information is restricted/revoked from being collected/processed. This provides the teaching of preventing a second user/entity from accessing a second portion of the information of a first user based on the consent access record).
The combination of Brannon in view of Vax does not teach wherein the computer-executable components further comprise an authenticator component  that authenticates a second user associated with the entity based on an authentication credential; and wherein, in response to the authenticator component authenticating the second user, the rights management component grants the second user an access right to access a first portion of the information stored in the secure data store, based on the set of rules; and prevents the second user from accessing a second portion of the information stored in the secure data store, based on the set of rules.
Ford teaches wherein the computer-executable components further comprise an authenticator component(Figure 3, reference number 302 reveals “Host Administration Portal” and paragraph 35 provide the teachings of an access management server which is the authenticator component)  that authenticates a second user based on an authentication credential (Figure 3, reference number 320 “Is Second User Permitted to Access to Second Application” and paragraphs 43-44 reveal the access management server authenticates a second user based on credentials to access the data in the second application); and wherein, in response to the authenticator component authenticating the second user, the rights management component grants the second user an access right to access a first portion of the information stored in the secure data store, based on the set of rules (paragraphs 44-45 reveal that based on the rules from the permission server and the authentication of the second user, the second user is permitted access to the data of the second application); and prevents the second user from accessing a second portion of the information stored in the secure data store, based on the set of rules (paragraphs 6 and 71 reveal that per the permission data, the system can deny user request to access a given application, thus in Figure 3, the second user can be denied access to the first application, but granted access to the second application. Paragraph 71 also reveals that the permission data/rules include a list of applications which the user is permitted access to).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component  with Ford’s authenticator component to facilitate more efficient and automatic authentication and access to data while securely maintaining the security policies of the data (paragraph 5 of Ford).

As to claim 18, the combination of Brannon in view of Vax teaches all the limitations recited in claim 13 above and further teaches wherein the user is a first user (Brannon: paragraph 734 reveals the system receives an access request from an individual/first user), wherein the set of database components is associated with an entity (Brannon: paragraphs 709 and 734 reveal the entity/organization stores personal data of users/individuals in one or more databases; paragraphs 767-769 reveal that a unique permanent identifier is assigned to each user (data subject), thus identifiers are assigned to a first user, a second user, etc.), and wherein the computer-implemented method further comprises: authenticating, by the system, a second user associated with the entity based on [consent] information (Brannon: paragraphs 783, 792, and 794 reveal a consent receipt management system that confirms consent/authorization of users, which include a second user, based on user unique consent receipt key and the associated data types that the key is linked to); in response to [providing consent to] the second user, determining, by the system, that the second user is to be granted an access right to access a first portion of the information stored in the secure data store, based on the set of rules (Brannon: paragraphs 823-824 reveal an entity, second user, may enter a transaction that includes the processing of personal data, and this requires consent by the data subject/first user. Thus the transaction may record and/or require one or more valid consents from the first user to provide access of the one or more pieces of information by the entity. Paragraph 825 reveals that this is done via authenticating via the unique receipt key/ID associated with the first user, the second user, and the transaction. This ID is based on a piece of personal data such as an email address. Based on the first user consent/authorization, the entity receives the access/right to process the one or more pieces of user data); and inhibiting, by the system, the second user from accessing [elements of the user data] (Brannon: paragraphs 832-833 reveal that based on the privacy policies and the transaction request, the user consent can have certain data elements, such as a second portion of the information, restricted/revoked from being collected/processed. This provides the teaching of preventing a second user/entity from accessing a second portion of the information of a first user based on the consent access record).
The combination of Brannon in view of Vax does not teach authenticating, by the system, a second user associated with the entity based on authentication information; in response to authenticating the second user, determining, by the system, that the second user is to be granted an access right to access a first portion of the information stored in the secure data store, based on the set of rules; and inhibiting, by the system, the second user from accessing a second portion of the information stored in the secure data store, based on the set of rules, wherein the access right does not extend to access of the second portion of the information.
Ford teaches authenticating, by the system (Figure 3, reference number 302 reveals “Host Administration Portal” and paragraph 35 provides the teachings of an access management server which is the authenticator component), a second user associated with the entity based on authentication information (Figure 3, reference number 320 “Is Second User Permitted to Access to Second Application” and paragraphs 43-44 reveal the access management server authenticates a second user based on credentials to access the data in the second application); in response to authenticating the second user, determining, by the system, that the second user is to be granted an access right to access a first portion of the information stored in the secure data store, based on the set of rules (paragraphs 44-45 reveal that based on the rules from the permission server and the authentication of the second user, the second user is permitted access to the data of the second application); and inhibiting, by the system, the second user from accessing a second portion of the information stored in the secure data store, based on the set of rules, wherein the access right does not extend to access of the second portion of the information (paragraphs 6 and 71 reveal that per the permission data, the system can deny user request to access a given application, thus in Figure 3, the second user can be denied access to the first application, but granted access to the second application. Paragraph 71 also reveals that the permission data/rules include a list of applications which the user is permitted access to).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component  with Ford’s authenticator component to facilitate more efficient and automatic authentication and access to data while securely managing the security policies of the data (paragraph 5 of Ford).

Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al US 20200356697 (hereinafter Brannon) in view of Vax et al US 20220179993 (hereinafter Vax) in further view of Saadi US 20150293900 (hereinafter Saadi).

As to claim 12, the combination of Brannon in view of Vax teaches all the limitations recited in claim 10 above. The combination of Brannon in view of Vax further teaches wherein the item of data is a first item of data (Brannon: Figure 26 step 2610 reveals the scan of one or more pieces of personal information. The one or more pieces of personal information is a first item of data), wherein the items of data comprises the first item of data scanned from a first data store of the set of data stores (Brannon: Figure 26 step 2610 reveals the scan of one or more pieces of personal information from one or more databases/datastores. The one or more pieces of personal information is a first item of data) and a second item of data scanned from a second data store of the data stores (Brannon: Figure 26 step 2620 reveals the scan of one or more attributes of data associated with the user from data repositories. The one or more attributes of data is a second item of data), wherein the classifier component analyzes the first item of data and the second item of data based on the analysis of the first item of data and the second item of data (Brannon: paragraphs 714-715 and Figure 26 steps 2630 and 2640 reveal the system analyzes and correlates the first item of data/one or more pieces of information and the attributes of data, and uses machine learning methods to categorize/classify the data elements from the first item of data/one or more pieces of personal information and the second item of data/attributes of data).
The combination of Brannon in view of Vax does not teach the classifier component determines that the first item of data is formatted in a first language and the second item of data is formatted in a second language. 
Saadi teaches based on the analysis of the first item of data and the second item of data (paragraphs 4-5 reveal statistical analysis is performed on the classified groups of content words, thus the plurality of groups can consist of first item of data and second item of data), the classifier component determines that the first item of data is formatted in a first language (paragraph 5 reveals classifying/processing the content of words of the first language based on statistical analysis) and the second item of data is formatted in a second language (paragraph 5 reveals classifying the content of words of the second language based on statistical analysis).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Brannon’s consent interface management system in view of Vax’s rights management component  with Saadi’s language classifier to prevent inefficiencies and overhead of processing data when dealing with multiple languages (paragraph 3 of Saadi). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Lefor et al US 20190303611 (hereinafter Lefor).

Lefor teaches a secure data store (Figure 1, reference number 120 “Collection Component”) that stores information relating to items of data associated with users that are stored in a set of data stores (paragraph 23), wherein the information is generated based on scanning the items of data in the set of data stores (paragraph 23 reveals the system retrieves the data from the one or more repositories and stores the data in the collection component); and a rights management component (Figure 1, reference number 150 “Configuration Component” and reference number 140 “Modification Component”) that determines, based on a set of rules, a set of rights of a user with regard to [user data] (paragraphs 25-26), wherein the set of rules is determined based on a set of obligations associated with the set of data stores and related to data privacy and security (paragraphs 32 and 37 reveal the rule-based components are employed based on machine learning regarding the attribution of personal data governed by governmental regulations/obligations).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FELICIA FARROW whose telephone number is (571)272-1856. The examiner can normally be reached M - F 7:30-5:30pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571)272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/F.F/               Examiner, Art Unit 2437    
/KRISTINE L KINCAID/               Supervisory Patent Examiner, Art Unit 2437