Opened 2 weeks ago
Last modified 2 weeks ago
#65025 new enhancement
Privacy Shield is declared invalid
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | trunk |
| Component: | Privacy | Keywords: | has-patch needs-testing |
| Focuses: | privacy | Cc: | |
Description
This string is outdated:
https://build.trac.wordpress.org/browser/trunk/wp-admin/includes/class-wp-privacy-policy-content.php?marks=604#L604
The EU-U.S. Privacy Shield was declared invalid by the European Court of Justice years ago. The current agreement is the Data Privacy Framework (DPF).
Change History (5)
This ticket was mentioned in PR #11442 on WordPress/wordpress-develop by @masteradhoc.
2 weeks ago
#1
- Keywords has-patch added
#2
@
2 weeks ago
- Keywords needs-privacy-review needs-testing added
Hey @timse201
Good catch! This definitely needs some update.
The EU-U.S. Privacy Shield was invalidated by the CJEU in July 2020 (Schrems II, Case C-311/18) and is no longer a valid data transfer mechanism. The current replacement is the EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023.
Proposed change:
Before:
...whether that is through an agreement such as Privacy Shield, model clauses in your contracts, or binding corporate rules.
After:
...whether that is through an agreement such as the EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), or binding corporate rules.
References:
- FTC on DPF replacing Privacy Shield: https://www.ftc.gov/business-guidance/privacy-security/data-privacy-framework
- European Commission DPF Q&A: https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
- DPF programme website: https://www.dataprivacyframework.gov
- NOYB reaction to General Court ruling (Sept 2025): https://noyb.eu/en/eu-us-data-transfers-first-reaction-latombe-case
#3
@
2 weeks ago
Based on the feedback of @vikingtechguy (in Slack: #core-privacy) I adjusted the string further to also clarify which persons are protected under the transfer rules. The original "European residents" wording is legally imprecise — GDPR Article 3 is based on being in the EU/EEA at the time of data collection, not residency or citizenship. The updated text reflects this correctly and also adds EEA alongside EU.
Trac ticket: https://core.trac.wordpress.org/ticket/65025
## Use of AI Tools
none