Essentially, The Court is allowing third parties (in this case 'countries as a third party') to provide a contract with users that is supposed to afford the same protections as the GDPR but here in the US and other countries.
My interpretation of this new decision is that they are now creating a loophole to allow the "Terms of Agreement" to function as a "privacy shield".
My experience with the terms of agreement is that users don't read them and website owners use the terms to hide protection for themselves. How will relaxing the privacy shield policy make a user's data more safe?
I think we're headed for trouble by turning over the power to create individual, contractural agreements for users that come from website owners (whether they are tech giants or small businesses).
Generally, I believe most websites will try their best to comply with GDPR and provide their users with the information they need regarding the transfer of their data.
It's also possible that some websites won't know what they are supposed to do; or how to provide the necessary information to their users. This begs the question: Should service providers rely on the site owners to comply or are they ultimately responsible?
And I also believe there are those companies that will throw in some legal gymnastics into the "terms" and then we will be right back where we started before GDPR.
There is a lot of room for interpretation of this decision and how it will affect users in the future. My hope is that, those of us in the software development community will see this as a potential red flag. We ultimately represent the users - especially those users who don't know they have rights regarding their data; or how to protect their data even when notified through a 'terms of agreement contract'.