I'm not entirely sure GDPR covers, or intends to cover, hiring a private investigator. A PI who is likely to use a great deal of other avenues than cracking a hashed database for a Steam ID.From what I understand, if you gave someone with enough expertise the information I quoted from the EULA above (which isn't comprehensive) there's a reasonable chance that someone could knock on said "unidentifiable" person's front door.
It's unlikely to happen for numerous reasons.
(your browser, OS, font choices . . . none of these even remotely pinpoint your physical location. Or even your digital one)
That's what I mean when I say this doesn't contravene GDPR. This doesn't mean the personal issue of data privacy is voided - everyone has their own standards. I mean GDPR is not the door to be knocking on here, and yet unfortunately it's just another initialism people are going to throw out on the Web to make some vague threat of legal action.
The amount of companies that flat out shut down their sites for anyone living in the EU indicate that this is a law not to be trifled with. Nobody with any sense, for any amount of money, is going to be anywhere near contravening it.
That should hopefully cover that angle from me.