
Or, IIRC, if the destination country has privacy protections that are at least as strict as those in the EU, which the US legal regime for foreign intelligence definitely doesn’t provide (a non-US-citizen wouldn’t even have standing to sue wrt their personal data).



> a non-US-citizen wouldn’t even have standing to sue wrt their personal data

Sure they would, I think? They would just have to foot the bill to travel and file in a US court. And whatever user agreements they 'agreed' to might come into play without legislation to supersede it. But they would have standing, I'm pretty sure.


Not a lawyer and not going to find the relevant references in the US’s vast body of law in reasonable time, so let’s check what the CJEU concluded?

Schrems I [1] (the old CJEU judgment invalidating Safe Harbor) endorses (§90) the opinion that:

> [D]ata subjects [whose personal data was transferred to the US] had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

In what reads like a reference to FISA, it continues (§95):

> Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter [of Fundamental Rights of the European Union].

It then stops short of calling out FISA by name, instead (IIUC) invalidating on the basis that the adequacy of the legal regime was not addressed in the Safe Harbour decision to begin with. Privacy Shield came next and did, so Schrems II [2] (the newer judgment invalidating Privacy Shield) states (§181–2):

> According to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28. However, although the Commission stated, in recitals 69 and 77 of the Privacy Shield Decision, that such requirements are binding on the US intelligence authorities, the US Government has accepted, in reply to a question put by the Court, that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter [...].

> As regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court that that order does not confer rights which are enforceable against the US authorities in the courts either.

It sounds like the official legal position of the US executive is that individual foreigners do not have standing to contest FISA 702 surveillance of them. (I could not quickly find the text of that position.) This is a 2020 judgment in a case from July 2018 regarding a European Commission decision from 2016, so the implications of the CLOUD Act, signed in March 2018, do not look to be in scope.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62...

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62...


I think you are right. I lost the context the original comment was made in, and was thinking more about damage coming from company negligence, and not government-sanctioned surveillance.



