From 07916df3307bcf1ef3bb9668127adf548585e8d7 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Sat, 27 Jun 2026 07:19:00 +0200
Subject: [PATCH] =?UTF-8?q?feat(ai-sdk):=20ePrivacy/cookie=20topic=20?= =?UTF-8?q?=E2=80=94=20=C2=A725=20TDDDG=20co-primary=20for=20cookie=20ques?= =?UTF-8?q?tions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TDDDG (ex-TTDSG) pilot revealed §25 TDDDG (terminal-equipment / cookie consent) ranked #3 on a cookie query — the subsidiarity rule demoted it as DE law subsidiary to the DSGVO, but TDDDG is lex specialis (ePrivacy) for cookies. Topic-based fix (NOT blanket TDDDG > DSGVO): - cookie/ePrivacy topic (cookie/endeinrichtung/endgeraet/tracking -> §25 TDDDG) so it is co-primary (topic-matched -> topicGain, no subsidiarity demote). - TDDDG/TTDSG added to the data_protection domain (chunkDomain recognition). - cookie-specific keywords (NOT bare 'Einwilligung') so a general consent question still resolves to Art. 7 DSGVO. Acceptance on the DSGVO+BDSG+TDDDG build: cookie -> §25 TDDDG top-1; Rechtsgrundlage -> DSGVO; DSB -> Art.37+§38 BDSG (not TDDDG); degraded=0, must_not=0. go build/vet/test green; 2 new table tests.
Co-Authored-By: Claude Opus 4.7
---
 ai-compliance-sdk/internal/ucca/authority.go | 10 +++++++--
 .../internal/ucca/authority_rerank_test.go | 22 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/ai-compliance-sdk/internal/ucca/authority.go b/ai-compliance-sdk/internal/ucca/authority.go
index 691fea4b..d80eb178 100644
--- a/ai-compliance-sdk/internal/ucca/authority.go
+++ b/ai-compliance-sdk/internal/ucca/authority.go
@@ -110,9 +110,10 @@ type domainDef struct {
 // Deterministic order (slice, not map) — important for stable classification + tests.
 var domains = []domainDef{
 {"data_protection",
- []string{"DSGVO", "GDPR", "BDSG", "EDPB", "DSK", "BfDI", "BayLfD", "DPF"},
+ []string{"DSGVO", "GDPR", "BDSG", "TDDDG", "TTDSG", "EDPB", "DSK", "BfDI", "BayLfD", "DPF"},
 []string{"personenbezogen", "betroffene", "datenschutz", "datenschutzbeauftrag", "dsb",
- "datenpanne", "auskunft", "loesch", "lösch", "einwilligung", "besondere kategorien", "auftragsverarbeit"}},
+ "datenpanne", "auskunft", "loesch", "lösch", "einwilligung", "besondere kategorien", "auftragsverarbeit",
+ "cookie", "endeinrichtung", "endgerät", "endgeraet", "tracking"}},
 {"cyber",
 []string{"CRA", "NIS2", "NIS-2", "ENISA", "DORA", "EUCC"},
 []string{"security update", "sicherheitsupdate", "sicherheitsaktualisierung", "schwachstelle", "sbom",
@@ -200,6 +201,11 @@ var topics = []topicDef{
 {[]string{"bussgeld", "geldbusse"}, []string{"Art. 83"}},
 {[]string{"security update", "sicherheitsupdate", "schwachstelle", "sbom", "cybersicherheitsanforderung"}, []string{"CRA Anhang I"}},
 {[]string{"meldepflicht", "sicherheitsvorfall"}, []string{"Art. 14 CRA"}},
+ // ePrivacy / cookies: § 25 TDDDG (ex-TTDSG) is lex specialis for terminal-equipment access /
+ // cookie consent. Co-primary on a cookie/tracking query, so the subsidiarity rule does NOT
+ // demote it like general-DP DE law subsidiary to the DSGVO. Keywords are cookie-specific
+ // (NOT bare "Einwilligung") so a general consent question still resolves to Art. 7 DSGVO.
+ {[]string{"cookie", "endeinrichtung", "endgerät", "endgeraet", "tracking", "speicherung von informationen", "zugriff auf informationen"}, []string{"§ 25 TDDDG"}},
 }

 // resultMatchesTopic reports whether the result is a preferred norm of a topic the query hits.
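Review bot: The bare keyword `"tracking"` added to the `data_protection` keyword list in the first hunk (and repeated in the § 25 TDDDG topic in the second hunk) is far less specific than `"cookie"` or `"endeinrichtung"`. If keywords are matched as substrings of the query, which the stemmed entries such as `"loesch"` suggest, a question about vulnerability tracking or asset tracking would be classified as data protection and could make § 25 TDDDG co-primary. Consider compound forms such as `"tracking-cookie", "webtracking", "nutzertracking"` instead, or a table test that pins a security question containing "Tracking" to the `cyber` domain. The `domains` literal and the matcher lie outside the hunk, so the matching rule is inferred.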
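Review bot: The new topic entry in the second hunk lists only `"§ 25 TDDDG"` as its preferred norm, while the first hunk registers both `"TDDDG"` and `"TTDSG"` as data_protection regulations. A chunk still labelled with the pre-rename name would be recognised for the domain but, assuming `resultMatchesTopic` compares against these strings, would miss the topic match and be demoted by the subsidiarity rule again, which is the ranking error this commit sets out to fix. Suggest `[]string{"§ 25 TDDDG", "§ 25 TTDSG"}`. Separately, `"zugriff auf informationen"` and `"speicherung von informationen"` are generic phrases that a right-of-access or retention question could contain, so a negative table test for them would be worth adding. `resultMatchesTopic` is defined after the hunk, so its matching rule is not visible here.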
diff --git a/ai-compliance-sdk/internal/ucca/authority_rerank_test.go b/ai-compliance-sdk/internal/ucca/authority_rerank_test.go
index 3da6acf7..857b1a01 100644
--- a/ai-compliance-sdk/internal/ucca/authority_rerank_test.go
+++ b/ai-compliance-sdk/internal/ucca/authority_rerank_test.go
@@ -123,6 +123,28 @@ func TestRerankByAuthority_Acceptance(t *testing.T) {
 }
 })

+ t.Run("ePrivacy: a cookie query lifts §25 TDDDG above DSGVO consent (lex specialis topic)", func(t *testing.T) {
+ in := []LegalSearchResult{
+ bindingRes("Art. 7 DSGVO", "DSGVO", "EU", 0.70), // higher semantic
+ bindingRes("§ 25 TDDDG", "TDDDG", "DE", 0.66),
+ }
+ out := rerankByAuthority("Wann ist eine Einwilligung fuer das Speichern von Cookies auf Endgeraeten erforderlich?", in)
+ if out[0].RegulationShort != "TDDDG" {
+ t.Fatalf("§25 TDDDG must win a cookie question (lex specialis topic), got %q", out[0].ArticleLabel)
+ }
+ })
+
+ t.Run("a general consent question still resolves to DSGVO, not §25 TDDDG", func(t *testing.T) {
+ in := []LegalSearchResult{
+ bindingRes("§ 25 TDDDG", "TDDDG", "DE", 0.70), // higher semantic but no cookie topic
+ bindingRes("Art. 7 DSGVO", "DSGVO", "EU", 0.66),
+ }
+ out := rerankByAuthority("Welche Anforderungen gelten an eine wirksame Einwilligung?", in)
+ if out[0].RegulationShort != "DSGVO" {
+ t.Fatalf("a general consent question must resolve to DSGVO (TDDDG demoted), got %q", out[0].ArticleLabel)
+ }
+ })
+
 t.Run("co-primary dp_01: BDSG §38 stays top on a DSB question (national special rule)", func(t *testing.T) {
 in := []LegalSearchResult{
 bindingRes("§ 38 BDSG", "BDSG", "DE", 0.66),
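Review bot: Both new cases use ASCII transliterations only (`fuer`, `Endgeraeten`), so the `"endgerät"` keyword and whatever lower-casing the matcher applies to non-ASCII input are never exercised. A third case with a query such as `"Darf ein Cookie ohne Einwilligung auf dem Endgerät gespeichert werden?"` would pin that path. The positive case also asserts only `RegulationShort`; comparing `out[0].ArticleLabel` with `"§ 25 TDDDG"` would keep it meaningful once other TDDDG paragraphs appear in the candidate list. `TestRerankByAuthority_Acceptance` starts and ends outside the hunk.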