The EC’s implementing decision on the PS mentions the following main avenues of redress open to individuals in cases of undue access to and use of data by US public authorities for national security purposes:
(1) Under the Foreign Intelligence Surveillance Act (FISA), non-US citizens may seek redress to challenge unlawful electronic surveillance. Nevertheless, the reach of redress under FISA remains limited, and standing requirements for FISA claims have proved difficult to meet. FISA is complemented by the Freedom of Information Act (FOIA), which allows individuals to seek access to federal agency records; however, the possibilities are limited, for instance by exceptions for classified national security information or for information concerning law enforcement investigations.
(2) Other specific legal bases exist under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Right to Financial Privacy Act. These avenues only refer to specific data, targets and types of access to the data. There is also a more general administrative avenue of redress, which allows any person to seek judicial review whenever that person suffers ‘legal wrong because of agency action, or adversely affected or aggrieved by agency action’. However, the implementing decision does not mention the level of proof required to make a case under this more general administrative redress.
(3) The Privacy Shield creates a new Privacy Shield Ombudsperson mechanism, which should ensure that individual complaints are duly investigated and addressed. The Ombudsperson is assisted by (existing) independent investigation structures such as the Inspectors-General and the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB was established as an independent bipartisan agency within the executive branch; its main role is to ensure that US executive actions in the field of terrorism respect privacy and civil liberties, and it has statutory public transparency requirements.