Foreign nationals present on US soil only. This is why we Europeans have such a problem with having our data transferred to you, i.e. because we don't actually have any rights in the US.
I would characterise our lack of rights as complete. Some years ago Americans began torturing people who had been handed over to them on the promise that they would not be tortured already at Bromma airport, so here in Sweden, and this was presumably legal. I assume that if it had been done to me, it would have been legal as well.
The American constitution prohibits torture [1] so no one should be getting tortured by the government anywhere in the world. Of course, you could get around this by redefining what constitutes torture and getting a pliant attorney to sign off and away you go.
Data rights are not embedded in the constitution and so the US is currently in the process of creating a patchwork of (mostly state driven) legislation to define how user data can be treated. Hopefully, the Federal government will step in at some point and create some consistency and clarity with rules that are both practical and efficacious.
No, only Americans and US permanents residents are protected from torture outside of the US. Others have no constitutional protections whatsoever.
There is an inferred right to privacy though, and that is for this same reason not something applicable in cases of non-Americans and non-US residents when outside of the US.
There are already rules, there's the EU–US Data Privacy Framework, but it's implemented by an executive order, so there's nothing preventing there existing some other executive order secretly negating it.
I would characterise our lack of rights as complete. Some years ago Americans began torturing people who had been handed over to them on the promise that they would not be tortured already at Bromma airport, so here in Sweden, and this was presumably legal. I assume that if it had been done to me, it would have been legal as well.