Forget all the stuff out there that says the GDPR protects EU citizens. This is a question of jurisdiction and enforcement. Say I run a blog under a business registered in the US funded by advertisers in the US. A EU citizen that comments on posts issues a GDPR request that I ignore. Their government fines me. I tell them to get bent, I am out of their jurisdiction. What can they do at that point?
Just to clarify here: it’s not just the act of signing it that makes it US law. The executive branch negotiates and signs a treaty, but the treaty then has to be approved by a 2/3 majority of the Senate in order to become law.
Just wanted to make it clear that there are still checks-and-balances on this process and that it’s not a loophole around Congressional approval.