Re: How long has this been going on?
Yes, but it took several years to reach the point of Privacy ShieldFigleaf getting struck down. As already pointed out, we can look forward to another version, which is patently unfit but will keep the data moving for another few years while a Schrems III case grinds its way through the system.
Now, what it needs is for a case to be brought which punishes ${somescapegoat} for data transfers which broke the law - even if it was within the guidelines at the time or even the Safe Harbour, Privacy ShieldFigleaf, whatever the current incarnation is. Because as long as people can get away with breaking the law simply because they can point at something official that says acting illegally is legal, then it'll carry on.
The thing is, the law is the law, and it's fairly clear. Guidance is just that, agreements are just that - in theory they cannot over-ride the law.
Trouble is, for it to send a real message, somescapegoat needs to be one of the big "professional criminal" type organisations like Faecesborg - but they have the wherewithal to fight things all the way. In practice, it would be some small outfit that can't afford the legal clout to truly look behind what they are being sold by the big outfits.