We are a global membership organisation and we market to our members around the world by email from our UK HQ.
We apply UK GDPR to all of our activities, regardless of whether the data subject resides in the UK, because we are carrying out activities from a UK establishment.
The question has arisen whether the same applies to the PECR requirements or whether we should only apply local requirements to target populations outside of the UK and the EU. For example, where we are only marketing to data subjects in the USA.
Yorkie82
The territorial scope of Directive 2002/58/EC (the EU ePrivacy Directive) and its UK implementing legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426 is unclear; a position caused primarily by the absence of specific wording in the legislation and exacerbated by conflicting opinions from various bodies.
In the context of most aspects of the EU ePrivacy Directive, including direct marketing, it is impossible to say with any certainty whether a ‘country of origin’ principle (ie UK laws) or a ‘country of destination principle (the local laws of the country in which the recipient is based) or some other rule, applies.
Most prudent of course is to comply with PECR and local laws. But you could amend your setup to e.g. be a resident in the US to just apply US to US legislations…