As the blockchain develops and becomes more accessible, businesses increasingly incorporate this technology into their day-to-day activities. However, the immutable nature of the blockchain may potentially place this technology at odds with the rights individuals hold under relevant privacy laws, including the Privacy Act 1998 (Cth) (Privacy Act) in Australia and the General Data Protection Legislation (GDPR) in the European Union. This article considers some privacy issues to consider if you are a business owner looking to incorporate blockchain technology into your business.
What is Blockchain Technology?
Blockchain is a distributed ledger technology. It operates as an online ledger that allows you to track every transaction through peer-to-peer authentication. However, information recorded in the ledger remains there permanently and you cannot delete it. Accordingly, you must consider the usefulness of blockchain technology against individuals’ rights under relevant privacy laws.
General Data Protection Legislation
Unlike Australia, under the GDPR, individuals have a legal right to erase their personal information. This is known as the ‘right to be forgotten’. An individual can exercise this right:
- upon the withdrawal of their consent to the collection; or
- upon their objection to the processing of their information.
The GDPR recognises that, in some cases, an individual’s right to be forgotten can be overridden by:
- a business’s legal or legitimate grounds to process personal information; or
- a business’s compliance with a legal obligation.
Depending on the context, including what the business does and why they collect information, it may be able to rely on the grounds listed above to justify the inability to erase information.
Continue reading this article below the formAustralian Privacy Law
When collecting information to store on the blockchain, businesses should ensure that they present a clear privacy collection notice. Accordingly, you should present the privacy collection notice before or at the time of collection and should include the following:
- the information the business is collecting;
- why the business is collecting it;
- who you will share the information with; and
- importantly, that once collected, the business cannot delete the information due to the immutable nature of blockchain technology.

This fact sheet outlines your rights and obligations as an AI artist regarding intellectual property and copyright.
Changes to Australia’s Privacy Laws
There are many discussions regarding reforms to Australia’s Privacy Act. The suggested reform includes introducing a right to erasure in Australia, similar to that under the GDPR. If introduced, Australian businesses implementing blockchain technology would need to similarly grapple with the conflict between blockchain technology and the right for individuals to be forgotten.
Key Takeaways
The immutable nature of the blockchain may place this technology at direct odds with relevant privacy laws. Whilst there is no specific right to erasure in Australia, businesses must destroy and de-identify personal information as soon as they no longer need it. Businesses should ensure they comply with best practice processes by presenting a clear privacy collection notice to individuals before collecting information and storing it on the blockchain.
If you need advice about your privacy obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Blockchain is a distributed ledger technology that records transactions on a digital ledger. The digital ledger is distributed to every computer that has access to the platform, thereby creating a common record of all transactions occurring on the platform.
Under the Privacy Act 1998 (Cth), individuals do not have an express right to request the erasure of their personal information. However, the Privacy Act requires businesses to de-identify or destroy personal information once it no longer needs it for the purpose stated upon collection.
We appreciate your feedback – your submission has been successfully received.