179
In that regard, as regards the surveillance programmes based on Section 702 of the FISA, the
Commission found, in recital 109 of the Privacy Shield Decision, that, according to that article, ‘the
FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs
(like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and
the Director of National Intelligence (DNI)’. As is clear from that recital, the supervisory role of the
FISC is thus designed to verify whether those surveillance programmes relate to the objective of
acquiring foreign intelligence information, but it does not cover the issue of whether ‘individuals are
properly targeted to acquire foreign intelligence information’.
180
It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it
confers to implement surveillance programmes for the purposes of foreign intelligence or the existence
of guarantees for non-US persons potentially targeted by those programmes. In those circumstances
and as the Advocate General stated, in essence, in points 291, 292 and 297 of his Opinion, that article
cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter, as
interpreted by the case-law set out in paragraphs 175 and 176 above, according to which a legal basis
which permits interference with fundamental rights must, in order to satisfy the requirements of the
principle of proportionality, itself define the scope of the limitation on the exercise of the right
concerned and lay down clear and precise rules governing the scope and application of the measure in
question and imposing minimum safeguards.
181
According to the findings in the Privacy Shield Decision, the implementation of the surveillance
programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28.
However, although the Commission stated, in recitals 69 and 77 of the Privacy Shield Decision, that
such requirements are binding on the US intelligence authorities, the US Government has accepted, in
reply to a question put by the Court, that PPD‑28 does not grant data subjects actionable rights before
the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of
protection essentially equivalent to that arising from the Charter, contrary to the requirement in
Article 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects
whose personal data are being transferred to the third country in question have effective and
enforceable rights.
182
As regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court
that that order does not confer rights which are enforceable against the US authorities in the courts
either.
183
It should be added that PPD‑28, with which the application of the programmes referred to in the
previous two paragraphs must comply, allows for ‘“bulk” collection … of a relatively large volume of
signals intelligence information or data under circumstances where the Intelligence Community cannot
use an identifier associated with a specific target … to focus the collection’, as stated in a letter from
the Office of the Director of National Intelligence to the United States Department of Commerce and to
the International Trade Administration from 21 June 2016, set out in Annex VI to the Privacy Shield
Decision. That possibility, which allows, in the context of the surveillance programmes based on
E.O. 12333, access to data in transit to the United States without that access being subject to any
judicial review, does not, in any event, delimit in a sufficiently clear and precise manner the scope of
such bulk collection of personal data.
184
It follows therefore that neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with
PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of
proportionality, with the consequence that the surveillance programmes based on those provisions
cannot be regarded as limited to what is strictly necessary.
185
In those circumstances, the limitations on the protection of personal data arising from the domestic
law of the United States on the access and use by US public authorities of such data transferred from
the European Union to the United States, which the Commission assessed in the Privacy Shield
Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to
those required, under EU law, by the second sentence of Article 52(1) of the Charter.