There needs to be a separation of powers here - business or personally identifiable metadata captured by any government agency must be encrypted and the Judiciary must hold the keys - the state police, FBI or NSA must request the keys from the Courts on the grounds of probable cause. Each citizen must have a public key and a private key issued at the rate of one a day, and any business records or personally identifiable information that needs to be retained for putative surveillance reasons or 'terrorist prevention' must be stored encrypted with the public key of the person.
The NSA or CIA can build a database of encrypted data only, and should approach the courts with a warrant to obtain the private keys of a suspected individual, covering only the period their investigation requires, once they have demonstrated probable cause to a judge.
The judiciary must keep track of the number of keys it issues, and a law must be put in place (or a financial charge for issuing keys must be levied) so that if, say, less than 1% of requests produce a prosecution in a 1 year period, sanctions are enforced against the requesting agency.
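The escrow arrangement described in the paragraphs above, as an added Go example that is not from the original post: the court issues one key pair per day, the agency can only encrypt (a fresh AES-256-GCM key per record, wrapped with RSA-OAEP under that day's public key), and a warrant releases private keys for a date range only, with every release counted. The choice of RSA-OAEP plus AES-GCM, the in-memory Judiciary type, the integer day numbering and the error messages are assumptions of this example; the post specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is all the agency retains: an AES key wrapped under the citizen's public key for that day, plus the AES-GCM ciphertext.
type Record struct {
	Day        int
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Judiciary is a constructed model of the court: it holds every per-day private key and counts each one it releases.
type Judiciary struct {
	privs    map[int]*rsa.PrivateKey
	Released int
}

// NewJudiciary issues one RSA-2048 key pair per day for the given number of days.
func NewJudiciary(days int) (*Judiciary, error) {
	j := &Judiciary{privs: make(map[int]*rsa.PrivateKey)}
	for d := 1; d <= days; d++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		j.privs[d] = k
	}
	return j, nil
}

// PublicKey is the only key material the collecting agency receives up front (day must be one the court issued).
func (j *Judiciary) PublicKey(day int) *rsa.PublicKey { return &j.privs[day].PublicKey }

// Warrant releases the private keys for a date range, and only on probable cause.
func (j *Judiciary) Warrant(from, to int, probableCause bool) (map[int]*rsa.PrivateKey, error) {
	if !probableCause {
		return nil, errors.New("warrant denied: no probable cause shown")
	}
	out := make(map[int]*rsa.PrivateKey)
	for d := from; d <= to; d++ {
		if k, ok := j.privs[d]; ok {
			out[d] = k
			j.Released++
		}
	}
	return out, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// dayLabel is the OAEP label that binds a wrapped key to its day.
func dayLabel(day int) []byte { return []byte(fmt.Sprintf("day-%d", day)) }

// Retain seals one record with a fresh AES-256-GCM key, then wraps that key with RSA-OAEP under the day's public key.
func Retain(pub *rsa.PublicKey, day int, plaintext []byte) (Record, error) {
	buf := make([]byte, 32+12) // 32-byte AES-256 key, then the standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, dayLabel(day))
	if err != nil {
		return Record{}, err
	}
	return Record{Day: day, WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a record with only the keys a warrant released: any other day stays sealed, a tampered record fails the GCM check.
func Open(released map[int]*rsa.PrivateKey, r Record) ([]byte, error) {
	priv, ok := released[r.Day]
	if !ok {
		return nil, fmt.Errorf("day %d not covered by the warrant", r.Day)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.WrappedKey, dayLabel(r.Day))
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

A typical run is: `NewJudiciary(3)`, `Retain` one record per day with the matching `PublicKey`, then `Warrant(2, 2, true)` and `Open` each record with the returned map; only the day 2 record decrypts. Because the OAEP label carries the day number, a key released for one day cannot unwrap a record filed under another, and the `Released` counter is the figure the court would compare against prosecutions for the 1% sanction check described above.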
If the USA can afford to build a massive database of everyone's transactions for the past 5 years, it can afford to build a system that faithfully preserves the constitutional rights of its citizens.
The problem with PRISM is that it ignores the separation of powers between the courts, the police and the prosecution - it has no legitimacy under the US constitution.