surveillance against the individual in judicial or administrative proceedings in the United
States …
(113)
Second, the U.S. government referred the Commission to a number of additional avenues that
EU data subjects could use to seek legal recourse against government officials for unlawful
government access to, or use of, personal data, including for purported national security
purposes …
(114)
Finally, the U.S. government has pointed to the [Freedom of Information Act (FOIA)] as a
means for non-U.S. persons to seek access to existing federal agency records, including where
these contain the individual’s personal data … Given its focus, the FOIA does not provide an
avenue for individual recourse against interference with personal data as such, even though it
could in principle enable individuals to get access to relevant information held by national
intelligence agencies. …
(115)
While individuals, including EU data subjects, therefore have a number of avenues of redress
when they have been the subject of unlawful (electronic) surveillance for national security
purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may
use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in
principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes
of action are limited … and claims brought by individuals (including U.S. persons) will be
declared inadmissible where they cannot show “standing” …, which restricts access to ordinary
courts …
(116)
In order to provide for an additional redress avenue accessible for all EU data subjects, the
U.S. government has decided to create a new Ombudsperson Mechanism as set out in the letter
from the U.S. Secretary of State to the Commission which is contained in Annex III to this
decision. This mechanism builds on the designation, under PPD‑28, of a Senior Coordinator (at
the level of Under-Secretary) in the State Department as a contact point for foreign governments
to raise concerns regarding U.S. signals intelligence activities, but goes significantly beyond this
original concept.
…
(120)
… the U.S. government commits to ensure that, in carrying out its functions, the Privacy
Shield Ombudsperson will be able to rely on the cooperation from other oversight and
compliance review mechanisms existing in U.S. law. … Where any non-compliance has been
found by one of these oversight bodies, the Intelligence Community element (e.g. an intelligence
agency) concerned will have to remedy the non-compliance as only this will allow the
Ombudsperson to provide a “positive” response to the individual (i.e. that any non-compliance
has been remedied) to which the U.S. government has committed. …
…
(136)
In the light of [those] findings, the Commission considers that the United States ensures an
adequate level of protection for personal data transferred from the Union to self-certified
organisations in the United States under the EU-U.S. Privacy Shield.
…
(140)
Finally, on the basis of the available information about the U.S. legal order, including the
representations and commitments from the U.S. government, the Commission considers that any
interference by U.S. public authorities with the fundamental rights of the persons whose data are
transferred from the Union to the United States under the Privacy Shield for national security,
law enforcement or other public interest purposes, and the ensuing restrictions imposed on selfcertified organisations with respect to their adherence to the Principles, will be limited to what is
strictly necessary to achieve the legitimate objective in question, and that there exists effective
legal protection against such interference.’