Legal guarantees of privacy would be empty platitudes. We used to have a legal expectation of privacy on the phone, and look how easily that crumbled. The NSA's not going to unplug themselves from the backbone of the internet any time soon. Fortunately, this is an area where we don't need to depend on legislators' promises. Privacy can be ensured by end-to-end encryption, and the technical solution requires a lot less trust in parties that consistently prove themselves untrustworthy in such matters. A lot of sites have been finally been moving to mandatory (or at least default) SSL. SSL isn't perfect, though; it seems more or less certain that major governments have access to root keys, and could effectively write their own certificates and MITM at will. I don't know how we can go about fixing or replacing SSL to take it out of government hands, but it seems like it's the narrowest part of the river on the path to privacy online.