Both were illegal because they did not address the core issue. The EU commission (representing EU country governments) is more business driven and wants it to work, so they created Safe Harbour etc. They also drove the standard clauses which are illegal too (or better: If as an EU company you sign them, it's your responsibility to make sure the US three letter agencies do not access the data of your customers, good luck with that).

The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.