I guess I'm used to a more technical definition of "can't" than politicians nowadays.
Apart from that, I'm German, and every time I read this "not to US citizens" excuse, all I understand is that they'll happily rape all my data without any questions asked.
Indeed, it is not at all reassuring; it is creepy that they think it ought to be reassuring.
My wife is not a US citizen, so the feds are apparently happy to admit they are spying on her, or could if they cared to. That's pretty bad in itself, but then consider the fact that more of my electronic messages go to or from her than any one else. They can't spy on her communications without spying on mine, too, and I am a US citizen. So are they spying on US citizens or not? Of course they are, en masse, no matter what denials they make about it.
Here's something interesting I found on wikipedia. According to the "General Data Protection Regulation", which is a data protection law and is supposed to take effect in 2016 in the EU:
the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents.
Further in the section "Discussion and challenges":
The new regulation conflicts with other non-European laws and regulations and practices (e.g. surveillance by governments). Companies in such countries should not be acceptable for processing EU personal data anymore.
Data on intra-european transactions and matters is often deliberately shared with the US for intelligence purposes OR is processed by companies in the US, which automatically means that it is used by the US for intelligence.
So, if I use Gmail as a non US citizen, I have to assume that the US government will read/analyze my emails. That's a well recognized fact that I've also been told by people working with classified (German) government data on multiple occasions.
But that does not address the fact that according to the GDPR in its current state, a company such as Google should not have the authority to process EU citizen's data unless it's fully compliant with GDPR.
How they're going to enforce that, I have no idea. Now if I've understood this correctly, this means that if a foreign company is fully complaint with this new law, we would have much greater access to data that is being collected, and we also have the power to request the removal of said data. The US government might still collect all those incoming data before it has the chance to be removed, but having a law such as GDPR being enforced would be a huge step forward.
However, it is a self-certification program and it isn't really a US law, just a regulation enforced by the FTC. So while it should protect your data from third parties, e.g., being sold to advertisers, etc., it most likely does not protect your data from the US government.
the Safe Harbor asks compliance with the Data Protection Directive which is supposed to become obsolete in the following few years. Not to mention that it's apparently opt-in, which is basically useless.
Apart from that, I'm German, and every time I read this "not to US citizens" excuse, all I understand is that they'll happily rape all my data without any questions asked.