Valve has self-certified under the EU-U.S. Data Privacy Framework, which is one of the approved legal mechanisms for transferring personal data from the EU, UK, and Switzerland to the U.S.; if this policy conflicts with those Framework Principles, the Principles take precedence.
This analysis describes what Steam's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU, UK, and Swiss users' data transferred to the U.S. is covered by the DPF certification, and the Principles supersede this policy in cases of conflict, providing a meaningful legal backstop for cross-border data transfers.
EU, UK, and Swiss Steam users have their personal data transferred to the U.S. under Valve's DPF certification, which provides enforceable privacy protections through the U.S. Department of Commerce and FTC. This is a more protective transfer mechanism than standard contractual clauses alone, though the DPF's long-term legal stability has been subject to ongoing political and legal developments.
How other platforms handle this
Datadog complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Datadog has certified to the U.S. Department of Commerce that it adheres to the EU-...
Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United ...
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
Monitoring
Steam has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Valve and its subsidiary TR Technical Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Valve has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.— Excerpt from Steam's Steam Privacy Policy
(1) REGULATORY LANDSCAPE: The EU-U.S. DPF was adopted by the European Commission in July 2023 as an adequacy decision. It is enforced by the U.S. FTC and DOT for certified organizations. EU supervisory authorities retain oversight jurisdiction. The DPF has been subject to legal challenges in the EU Court of Justice, and its long-term stability should be monitored. The UK Extension operates under a separate UK adequacy mechanism. (2) GOVERNANCE EXPOSURE: Low to Medium. Self-certification under the DPF creates binding obligations on Valve to adhere to the DPF Principles, including onward transfer obligations, data integrity requirements, and individual redress mechanisms. Non-compliance with the DPF Principles after certification constitutes an unfair or deceptive practice under FTC Act Section 5. The policy correctly notes that DPF Principles govern in cases of conflict with policy terms. (3) JURISDICTION FLAGS: EU and EEA users benefit from the adequacy decision underpinning the DPF. UK users are covered by the UK Extension, which is a separate but parallel mechanism. Swiss users are covered by the Swiss-U.S. DPF. Organizations in sectors outside FTC jurisdiction (e.g. banking, telecommunications) are not eligible for DPF certification, which is not a concern for Valve's core business. (4) CONTRACT AND VENDOR IMPLICATIONS: Valve's DPF certification extends to TR Technical Inc. as a subsidiary. Onward transfers from Valve to third parties under the DPF must be covered by contracts requiring equivalent protections. Compliance teams should verify the certification listing at dataprivacyframework.gov and confirm the scope covers all relevant processing activities. (5) COMPLIANCE CONSIDERATIONS: Annual DPF recertification should be tracked to confirm continued validity. If the DPF is invalidated by future EU Court of Justice rulings, Valve would need to implement alternative transfer mechanisms such as Standard Contractual Clauses. Legal teams should maintain contingency transfer mechanism documentation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU, UK, and Swiss users' data transferred to the U.S. is covered by the DPF certification, and the Principles supersede this policy in cases of conflict, providing a meaningful legal backstop for cross-border data transfers.
EU, UK, and Swiss Steam users have their personal data transferred to the U.S. under Valve's DPF certification, which provides enforceable privacy protections through the U.S. Department of Commerce and FTC. This is a more protective transfer mechanism than standard contractual clauses alone, though the DPF's long-term legal stability has been subject to ongoing political and legal developments.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Steam.