This can't work.
Suppose that an intelligence agency in the USA illegally gets my data and then uses it to, say, hack some service related to me, grab some proprietary research, and pass it to a friendly company which can then clone my tech and beat me to market. This is just an example, feel free to come up with more.
It's very unlikely that I will be able to even figure out what happened. It's all but impossible that I'll be able to point the finger at which agency did it. It's definitely impossible that I'll be able to prove it.
And even if I somehow, and I honestly can't imagine how, am able to do that, what teeth would this independent body have? There's no way these complaints are frequent, and they would be very difficult to investigate. Getting fined once in a blue moon would not be a deterrent at all.
Fact is, the relationship between privacy violations and damage is indirect; it's a lot like environmental pollution. It cannot possibly be something you only notice when someone complains, because by that time it's far too late. It has to be a crime in itself, regardless of whether someone has already been hurt or not.
The only way this can possibly work is if the terms are that the independent body can act on its own initiative, can get access to classified info (fat chance), and it's made clear that every single time it finds a violation, the agreement must be revised to ensure the violation cannot happen again, or it becomes null and void.
In turn, I don't see that happening while the current surveillance climate in the USA persists.