Valve has certified under the EU-U.S. Data Privacy Framework, meaning it has committed to specific data protection standards when transferring your personal data from the EU, UK, or Switzerland to its US servers. If Steam's privacy policy ever conflicts with these Framework principles, the Framework principles win.
This analysis describes what Steam's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes Valve's regulatory certification status for transatlantic data transfers and creates a hierarchical governance structure where DPF Principles take precedence over the privacy policy in the event of inconsistency. This affects the legal framework applicable to personal data processing from EU, UK, and Swiss users.
EU, UK, and Swiss users' personal data is transferred to Valve's US infrastructure under the DPF certification framework, which provides some protections but remains subject to ongoing legal challenges regarding US surveillance law access to transferred data.
How other platforms handle this
When we transfer your personal data outside the EEA or UK, we ensure an adequate level of protection is afforded to it by ensuring at least one of the following safeguards is implemented: transfers are to countries that have been deemed to provide an adequate level of protection for personal data; w...
Epic Games, Inc. is headquartered in Cary, North Carolina. We and our subsidiaries have offices and operations located around the world that help create and deliver some of your favorite products and services, including games like Fortnite and developer tools like Unreal Engine.
Where Zendesk transfers personal data outside of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission, to ensure that your personal data receives an adequate level of pro...
Monitoring
Steam has changed this document before.
"Valve and its subsidiary TR Technical Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Valve has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern."
Excerpt from Steam's Privacy Policy
REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 45 (adequacy decisions), Art. 46 (appropriate safeguards), and Chapter V generally (restrictions on international transfers). The EU-U.S. DPF was adopted by the European Commission on July 10, 2023 (Implementing Decision C(2023) 4745). It also engages UK GDPR international transfer rules and the UK adequacy decision for the US DPF extension. The FTC is the primary US enforcement authority for DPF compliance under FTC Act Section 5.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Steam.