Steam · Steam Privacy Policy

Data Privacy Framework (DPF) Certification for EU/UK/Swiss Data Transfers

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Valve has certified under the EU-U.S. Data Privacy Framework, meaning it has committed to specific data protection standards when transferring your personal data from the EU, UK, or Switzerland to its US servers. If Steam's privacy policy ever conflicts with these Framework principles, the Framework principles win.

Consumer impact (what this means for users)

EU, UK, and Swiss users' personal data is transferred to Valve's US infrastructure under the DPF certification framework, which provides some protections but remains subject to ongoing legal challenges regarding US surveillance law access to transferred data.

Cross-platform context

See how other platforms handle Data Privacy Framework (DPF) Certification for EU/UK/Swiss Data Transfers and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This certification is the legal mechanism that allows Valve to transfer EU, UK, and Swiss users' personal data to the United States — without it, those transfers could be unlawful under GDPR, potentially exposing users' data to US government access under laws like FISA 702.

View original clause language
Valve and its subsidiary TR Technical Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Valve has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 45 (adequacy decisions), Art. 46 (appropriate safeguards), and Chapter V generally (restrictions on international transfers). The EU-U.S. DPF was adopted by the European Commission on July 10, 2023 (Implementing Decision C(2023) 4745). It also engages UK GDPR international transfer rules and the UK adequacy decision for the US DPF extension. The FTC is the primary US enforcement authority for DPF compliance under FTC Act Section 5.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC is the primary US enforcement authority for EU-U.S. Data Privacy Framework compliance under FTC Act Section 5.
    File a complaint →

Provision details

Document information
Document
Steam Privacy Policy
Entity
Steam
Document last updated
April 29, 2026
Tracking information
First tracked
April 18, 2026
Last verified
April 18, 2026
Record ID
CA-P-002927
Document ID
CA-D-00182
Evidence Provenance
Source URL
https://store.steampowered.com/privacy_agreement/
Wayback Machine
View archived versions →
SHA-256
63210b28892392d9dae07097221e6ab8458f850d4edd68ce4be0bc540f120bb5
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Steam | Document: Steam Privacy Policy | Record: CA-P-002927
Captured: 2026-04-18 10:57:26 UTC | SHA-256: 63210b28892392d9…
URL: https://conductatlas.com/platform/steam/steam-privacy-policy/data-privacy-framework-dpf-certification-for-euukswiss-data-transfers/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document