Individual Differential Privacy Overview
- Individual differential privacy is a family of guarantees offering dataset-, record-, and personalized privacy budgets that refine conventional DP.
- It employs methods like local sensitivity calibration, per-instance accounting, and output-specific mechanisms to tune noise addition per data contribution.
- Empirical studies show that individualized protections can improve model utility and fairness while introducing challenges in group privacy and strategic interdependence.
Individual differential privacy denotes a family of refinements of differential privacy in which privacy is no longer expressed only by a single worst-case budget applying uniformly to all records. In the literature, the term covers dataset-conditioned guarantees around the actual dataset, personalized guarantees with a vector of per-user budgets, per-instance guarantees for a fixed dataset and a fixed data point, output-specific guarantees tied to a realized training trajectory, and record-level variants that retain the standard, individual-level interpretation while changing the geometry used to compare neighboring output distributions (Soria-Comas et al., 2016, Wang, 2017, Boenisch et al., 2023, Yu et al., 2022, Soto, 23 Aug 2025). The common thread is that privacy is indexed more finely than in standard global DP: by the actual dataset, by the individual, by the individual’s contribution, or by an individualized privacy contract.
1. Formal variants and shared semantics
One influential formulation defines individual differential privacy relative to the actual dataset , rather than over every pair of neighboring datasets. A mechanism satisfies -individual differential privacy for dataset if, for every neighbor of and every measurable event ,
This formulation is motivated by the claim that indistinguishability between the actual data set and its neighbor data sets should be enough, and it is presented as giving the same privacy guarantees as standard differential privacy to individuals, even though not to groups of individuals (Soria-Comas et al., 2016).
A second line of work uses personalized or heterogeneous privacy budgets. In this model, the privacy parameter is a vector , and a mechanism is 0-DP if
1
for all measurable 2, where 3 differs from 4 only at coordinate 5 (Chaudhuri et al., 2023). Closely related approximate formulations define 6-iDP by requiring, for every user 7, all neighboring databases 8, and all measurable 9,
0
where 1 and 2 are personalized privacy parameters chosen a priori (Kaiser et al., 19 Jan 2026).
A third line uses per-instance or output-specific semantics. Per-instance differential privacy fixes both a dataset 3 and a data point 4, and asks for an 5-bound only for the pair 6, rather than a supremum over all datasets and all individuals (Wang, 2017). Output-specific individual 7-DP for DP-SGD goes further by allowing 8 to depend on a data point 9 and an outcome set 0; the guarantee is conditioned on the realized training trajectory rather than being only worst-case over all trajectories (Yu et al., 2022).
These formalisms are not interchangeable. Some are prescriptive, in the sense that users choose budgets 1 in advance; others are descriptive, in the sense that they measure the privacy loss of a specific individual under a realized dataset, query history, or training run. This suggests that “individual differential privacy” is best understood as a family resemblance term rather than a single canonical definition.
2. Individual sensitivity, preprocessing, and feature-level attribution
A central technical object is individual sensitivity. For a function 2, the individual sensitivity with respect to individual 3 is
4
The global sensitivity satisfies 5 (Cummings et al., 2018). This notion is presented as an important metric in the variant definition of personalized differential privacy, and it permits a sensitivity profile 6 rather than a single worst-case constant.
The Sensitivity-Preprocessing framework constructs a new function 7 from a target function 8 and target individual sensitivity bounds 9. In one dimension, 0 is defined recursively as the closest point to 1 in the feasible interval
2
The resulting 3 satisfies 4 for all 5, and the general algorithm gives 6-time access to 7 when 8 can be evaluated in time 9 on size-0 databases (Cummings et al., 2018). For database-ordered functions such as mean, median, min, and max, the dynamic program reduces to 1, and for the median the paper gives an 2 implementation on presorted data (Cummings et al., 2018).
At a finer granularity, partial sensitivity decomposes an individual’s sensitivity across features. It is defined by
3
and for 4 with gradient components 5, its 6-th component is
7
The paper interprets this as the fractional contribution of the individual input attributes to the gradient norm of the function, which is the quantity controlling individual RDP in the Gaussian mechanism (Mueller et al., 2021).
A closely related construction for neural networks is the Privacy Loss–Input Susceptibility (PLIS). With per-subject privacy-loss proxy
8
PLIS is defined as
9
It provides a per-attribute contribution to individual privacy loss, and the paper places it alongside Fisher Information Loss and Jacobian Sensitivity as an input-level diagnostic for individual privacy exposure in DP neural networks (Mueller et al., 2022).
3. Composition, accountants, and geometric reformulations
A major development in individual privacy is the replacement of global, worst-case composition by per-individual accountants. In the Rényi-DP line, a mechanism 0 satisfies 1-individual RDP for a value 2 if, for all datasets containing 3,
4
The key composition result is a Rényi filter: if per-step individual RDP costs 5 satisfy 6, then the adaptive composition is 7-RDP. The associated filter is simply
8
This permits per-person budget enforcement by dropping an individual once their cumulative individual RDP loss reaches the threshold (Feldman et al., 2020).
For Gaussian mechanisms, the paper on individual privacy accounting with Gaussian differential privacy develops a GDP analog. If the per-step conditional GDP parameters satisfy
9
almost surely, then the fully adaptive composition is 0-GDP (Koskela et al., 2022). The corresponding individual GDP filter tracks 1 for each participant and stops using that individual once 2. Because 3-GDP is equivalent to an entire 4-curve, this yields per-user optimal Gaussian-style accounting rather than only an RDP upper bound (Koskela et al., 2022).
A descriptive accountant for DP-SGD is output-specific individual 5-DP. At each step, the individual Rényi cost 6 is computed from the norm of the example’s gradient, and over 7 steps
8
The realized privacy parameter for datapoint 9 and trajectory 0 is then
1
This formalizes the idea that a specific model trajectory can yield much smaller privacy loss for many datapoints than the global worst-case DP-SGD bound (Yu et al., 2022).
A distinct geometric reformulation is Rao differential privacy. Rao DP keeps the standard DP notion of adjacency—datasets 2 differ in exactly one observation—and defines privacy by
3
where 4 is the Fisher–Rao geodesic distance between output densities (Soto, 23 Aug 2025). For Laplace and Gaussian mechanisms with fixed scale 5,
6
so single-query calibration has the same “noise on the order of sensitivity” form as standard DP. The major change is composition: 7 which is tighter than linear composition and matches the GDP composition rule (Soto, 23 Aug 2025).
4. Mechanisms for individualized protection
The original dataset-conditioned iDP proposal shows that once privacy is required only between the actual dataset 8 and its neighbors, noise can be calibrated to local sensitivity
9
rather than global sensitivity. The paper gives both Laplace and discrete Laplace mechanisms calibrated to 0, and argues that this yields much better utility for medians, quantiles, and maxima, while counts and histograms gain no advantage because local and global sensitivity are both 1 (Soria-Comas et al., 2016).
In the PATE framework, individualized guarantees are implemented through per-point or per-group sensitivity adjustments. In individualized PATE, a data point 2 can have its own budget 3, and the individualized GNMax aggregator satisfies an individual 4-RDP bound regarding 5, where 6 is the individual sensitivity of the vote count (Boenisch et al., 2022). Two concrete mechanisms are introduced. In the upsampling method, each datapoint is duplicated 7 times and 8. In the weighting method, teacher 9 receives weight 00 and 01 (Boenisch et al., 2022).
IDP-SGD implements individualized budgets directly inside DP-SGD. A learning algorithm 02 satisfies 03-IDP for a point 04 if for all datasets 05 and all outputs 06,
07
The paper gives two constructions. Sample uses group-specific sampling rates 08 and a common noise multiplier 09, while Scale uses a common sampling rate 10 but per-group clipping norms 11 and effective noise multipliers 12. Both are proved to satisfy 13-IDP (Boenisch et al., 2023).
For mean estimation, the heterogeneous model is 14-DP with user-specific 15, and the ADPM algorithm computes affine weights plus Laplace noise. Its risk is characterized through the recursion
16
which yields a minimax-optimal estimator up to a universal constant factor (Chaudhuri et al., 2023). The resulting saturation phenomenon is that the privacy requirements of the most stringent users dictate the overall error rates, while privacy-indifferent users are given a nontrivial degree of privacy for free, without any sacrifice in the performance of the estimator (Chaudhuri et al., 2023).
5. Empirical heterogeneity, utility, and fairness
A recurring empirical finding is that individual privacy loss is highly heterogeneous. In output-specific accounting for DP-SGD, most examples enjoy stronger privacy guarantees than the worst-case bound, and the training loss and the privacy parameter of an example are well-correlated (Yu et al., 2022). On CIFAR-10, the average 17 of the class with the lowest test accuracy is 44.2% higher than that of the class with the highest accuracy, and on UTKFace-Gender the average 18 for the lowest-accuracy race group is 35.1% higher than for the highest-accuracy race group (Yu et al., 2022). The paper therefore identifies a double disadvantage: groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees.
Feature-level analyses connect this heterogeneity to memorization and reconstruction. In the PLIS study, samples with high subject-level PLIS are often atypical or out-of-distribution, and a high-PLIS sample in a gradient inversion experiment was reconstructed much more accurately than a low-PLIS sample, with SSIM 19 versus 20 and HaarPSI 21 versus 22 (Mueller et al., 2022). The same paper reports that with DP-SGD, no meaningful reconstruction was possible, and PLIS heatmaps became more diffuse and random-looking (Mueller et al., 2022). In the partial-sensitivity analysis, the distributions of the partial sensitivities are highly concentrated around specific values in the case of SGD, while being substantially more dispersed and centered around zero for DP-SGD; the authors conjecture a homogenisation of the partial sensitivity across the space of inputs (Mueller et al., 2021).
Individualized mechanisms can improve accuracy markedly when users accept heterogeneous budgets. In CIFAR-10 experiments with budgets 23, standard DP-SGD with global 24 achieved 25 test accuracy, while IDP-SGD Sample achieved 26 and IDP-SGD Scale achieved 27 (Boenisch et al., 2023). In individualized PATE on MNIST, weighting with 50% of the data at 28 produced 29 student accuracy, compared with 30 for the uniform-budget baseline at 31 (Boenisch et al., 2022). These results support the claim that a single uniform budget can be overly conservative for some users and not sufficiently protective for others (Boenisch et al., 2023).
The same empirical literature also shows that individualized privacy reallocates influence across groups. In individualized PATE on the Adult dataset, skewing higher budgets toward the underrepresented high-income class increased student accuracy on that class while decreasing accuracy on the low-income class (Boenisch et al., 2022). This suggests that individualized privacy design is not only a privacy question but also a question about how model utility is distributed across the training population.
6. Limitations, vulnerabilities, and unresolved issues
The first limitation is conceptual: not every individual-DP formalism preserves group privacy. The dataset-conditioned iDP proposal explicitly states that it offers the same privacy guarantees as standard differential privacy to individuals, even though not to groups of individuals, because the standard chaining argument across hypothetical neighboring datasets no longer applies when the mechanism can depend on the actual dataset (Soria-Comas et al., 2016). Per-instance and output-specific notions make a different trade-off: they refine the guarantee for a realized dataset or trajectory, but they do not replace the standard worst-case 32-DP guarantee needed to reason about all datasets and all trajectories (Wang, 2017, Yu et al., 2022).
The second limitation is that individualized quantities are themselves sensitive. The output-specific DP-SGD work notes that individual 33 depend on private data and should be released only to the owner of datapoint 34 or in sanitized aggregate form (Yu et al., 2022). The PLIS and partial-sensitivity analyses are likewise framed as internal diagnostics rather than public outputs (Mueller et al., 2022, Mueller et al., 2021).
A more recent challenge is strategic interdependence. In sampling-based iDP, an individual’s realized privacy risk is not solely governed by their own privacy budget, but critically depends on the privacy choices of all other data contributors (Kaiser et al., 19 Jan 2026). For a fixed target user budget 35, the paper reports theoretical membership-inference advantages ranging from about 36 to 37 for the same 38, depending on the proportion and budget of a second group (Kaiser et al., 19 Jan 2026). It further reports successful budget-manipulation attacks against 62% of targeted individuals and proposes 39-iDP, which uses 40-divergences to provide users with a hard upper bound on their excess vulnerability (Kaiser et al., 19 Jan 2026). This suggests that a per-user pair 41 may be insufficient when privacy profiles are coupled through shared global parameters such as sampling rates or noise multipliers.
Geometric reformulations bring their own caveats. Rao DP requires a parametric family with well-defined Fisher information, can require solving geodesic equations on the statistical manifold, and does not provide a universal implication to 42-DP for arbitrary mechanisms (Soto, 23 Aug 2025). Likewise, heterogeneous-budget mechanisms depend on hyperparameters, model architecture, initialization, and training randomness, so the distribution of individual losses is model- and run-specific (Yu et al., 2022).
Taken together, these developments indicate that individual differential privacy is a technically rich but non-uniform area. The decisive questions are not only whether a guarantee is “individual,” but also which neighbor relation it uses, whether the guarantee is prescriptive or descriptive, how composition is handled, whether budgets interact through shared mechanism parameters, and whether privacy is summarized by a single scalar or by an entire privacy profile.