and safeguards applicable to access and use of data by public authorities for law enforcement and other
public interest purposes. In order to enhance transparency and to reflect the legal nature of these
commitments, each of the documents listed and annexed to this decision will be published in the U.S.
Federal Register.’
44
The Commission’s assessment of those limitations and guarantees is summarised in recitals 67 to 135
of the Privacy Shield Decision, while the Commission’s conclusions on the adequate level of
protection in the context of the EU-US Privacy Shield are set out in recitals 136 to 141 thereof.
45
In particular, recitals 68, 69, 76, 77, 109, 112 to 116, 120, 136 and 140 of the Privacy Shield Decision
state:
‘(68)
Under the U.S. Constitution, ensuring national security falls within the President’s authority as
Commander in Chief, as Chief Executive and, as regards foreign intelligence, to conduct U.S.
foreign affairs … While Congress has the power to impose limitations, and has done so in
various respects, within these boundaries the President may direct the activities of the U.S.
Intelligence Community, in particular through Executive Orders or Presidential Directives. … At
present, the two central legal instruments in this regard are Executive Order 12333
(“E.O. 12333”) … and Presidential Policy Directive 28.
(69)
Presidential Policy Directive 28 (“PPD‑28”), issued on 17 January 2014, imposes a number of
limitations for “signals intelligence” operations … This presidential directive has binding force
for U.S. intelligence authorities … and remains effective upon change in the U.S.
Administration … PPD‑28 is of particular importance for non-US persons, including EU data
subjects. …
…
(76)
Although not phrased in … legal terms, [the] principles [of PPD‑28] capture the essence of the
principles of necessity and proportionality. …
(77)
As a directive issued by the President as the Chief Executive, these requirements bind the entire
Intelligence Community and have been further implemented through agency rules and
procedures that transpose the general principles into specific directions for day-to-day
operations. …
…
(109)
Conversely, under Section 702 [of the Foreign Intelligence Surveillance Act (FISA)], the
[United States Foreign Intelligence Surveillance Court (FISC)] does not authorise individual
surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on
the basis of annual certifications prepared by the [US] Attorney General and the Director of
National Intelligence [(DNI)]. … As indicated, the certifications to be approved by the FISC
contain no information about the individual persons to be targeted but rather identify categories
of foreign intelligence information … While the FISC does not assess — under a probable cause
or any other standard — that individuals are properly targeted to acquire foreign intelligence
information …, its control extends to the condition that “a significant purpose of the acquisition
is to obtain foreign intelligence information” …
…
(112)
First, the [FISA] provides a number of remedies, available also to non-U.S. persons, to
challenge unlawful electronic surveillance … This includes the possibility for individuals to
bring a civil cause of action for money damages against the United States when information
about them has been unlawfully and wilfully used or disclosed …; to sue U.S. government
officials in their personal capacity (“under colour of law”) for money damages …; and to
challenge the legality of surveillance (and seek to suppress the information) in the event the U.S.
government intends to use or disclose any information obtained or derived from electronic