I couldn't tell you the exact clause but I know under GDPR that personal data is defined as:
"any information relating to an identified or identifiable natural person ('data subject').
"An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
Essentially anything that can be used to identify an individual, even just age or gender, doesn't even have to be an individuals name, as it says, it can be an "online identifier"
A data breach under GDPR (which is what I believe Valve will be in breach of with this) is as follows:
"personal data breach" is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
From what I can tell there, that would mean, by Epic getting this information and storing it, even if it isn't processed, Valve would be in breach of GDPR.
I could be completely wrong here so don't take my word as factual, I am not an expert on this, I would be interested to know if we do have any experts here on this though so I can confirm if I am right in my assumptions?
