init

docs/02-ai-act-classification.md

@@ -0,0 +1,37 @@
+# EU AI Act classification
+
+## Summary
+
+This system is classified as **high-risk** under the EU AI Act. The classification anchors on multiple Annex III categories rather than a single one — a deliberate framing taken in the sandbox application, because the classification ambiguity itself justifies sandbox testing.
+
+## Annex III mapping
+
+- **§5(a) — access to and enjoyment of essential public services.** When the system classifies a citizen complaint and routes it to a department, it materially affects *how* the citizen's right to be heard by the Ombudsman is fulfilled. The system does not control *whether* the citizen has access (any complaint reaches the Ombudsman regardless), but it shapes the path through the Office.
+- **§8(a) — administration of justice and democratic processes.** The Ombudsman exercises a quasi-judicial function — investigating complaints against public administration. AI systems that interpret normative acts (Iesniegumu likums, MK noteikumi) and apply them to concrete facts fall squarely under this category.
+
+## Article 6(3) preparatory-task argument
+
+The package's role can also be framed under Article 6(3)(c): a system that performs "a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III." When a public authority uses this package to algorithmate its complaint-handling process, the package is the *preparatory infrastructure*. Article 6 explicitly classifies such systems as high-risk.
+
+The derogation in Article 6(3) — "merely detects decision-making patterns... and is not meant to replace or influence the previously completed human assessment" — does **not** apply here, because the package is explicitly meant to influence the human classification (and, in regulated cases, may eventually replace it for the simplest topics).
+
+## Why this classification is appropriate
+
+Three reasons:
+
+1. **The outputs influence rights-related processes.** Even though no final administrative decision is automated, the priority and routing determine how quickly and by whom a citizen's complaint is examined. Wrong routing delays the response.
+2. **The data is sensitive.** Complaints often disclose personal information about health, family situations, financial hardship, discrimination, or interactions with law enforcement. Even with redaction, the system processes information that demands the highest data-protection care.
+3. **The reasoning is contestable.** A citizen has a right to understand how their complaint was classified. The DMN tables are auditable in a way that an opaque AI classifier wouldn't be — which is precisely why the system was structured this way.
+
+## What the sandbox protocol assesses
+
+The sandbox testing aims to validate, with regulator supervision (VARAM, DVI):
+
+- That the guardrails policy is enforceable in code and audited at every AI invocation.
+- That the audit chain is sufficient for a citizen requesting an explanation under GDPR Art. 15 or for a regulator under AI Act compliance review.
+- That the classification accuracy on real (anonymised) complaint data is materially better than human-only baseline, and that the error patterns are bounded and predictable.
+- That the human oversight required by Art. 14 is meaningful — that jurists genuinely have the information and time to review AI recommendations rather than rubber-stamping them.
+
+## What we are not claiming
+
+This package does not claim to make legally binding decisions. It does not claim to replace jurists. It does not claim to handle constitutional-rights cases without human review. It claims, narrowly, to make the intake and triage portion of the process algorithmically explicit, auditable, and faster.