Privacy-Preserving Data Synthesis (PPDS)

Updated 7 July 2025

Privacy-Preserving Data Synthesis (PPDS) is a methodology that creates artificial data records mirroring original statistical patterns while safeguarding individual privacy.
It employs advanced techniques such as generative modeling, differential privacy, and plausible deniability tests to balance data utility and privacy risks.
PPDS is applied in sectors like healthcare, finance, and public policy to enable secure data sharing and reliable machine learning without exposing sensitive information.

Privacy-Preserving Data Synthesis (PPDS) is a field that addresses the critical challenge of sharing or analyzing data containing sensitive attributes while providing formal privacy guarantees and retaining meaningful statistical utility. PPDS has become central in domains such as healthcare, finance, public policy, and machine learning, where data-driven research is essential but subject to regulatory and ethical privacy constraints.

1. Foundations and Key Principles

At its core, PPDS aims to generate synthetic datasets—data records that do not directly correspond to any real individual but preserve properties of the original data—while ensuring rigorous privacy protections against adversarial inference. Traditional approaches like data de-identification are increasingly inadequate due to their dependence on the adversary’s background knowledge, which can enable re-identification. Differential privacy (DP), formalized by the $(\epsilon, \delta)$ -DP definition, offers a mathematical framework that bounds the risk to any individual from inclusion in a dataset. However, direct application of DP (such as the Laplace or exponential mechanisms) often struggles to preserve utility without heavy data perturbation, especially in high-dimensional settings (Bindschaedler et al., 2017).

Plausible deniability is introduced as an alternative criterion for synthetic data release: a synthetic record is only released if at least $k$ different records in the input dataset could have plausibly produced it, with their generation probabilities being within a factor $\gamma$ of each other. This “indistinguishability set” approach does not rely on any specific adversary model; instead, it directly limits the maximum confidence with which an adversary can ascribe a synthetic record to any single input (Bindschaedler et al., 2017, Mei et al., 2022).

2. Methodologies for Synthetic Data Generation

A variety of methodologies underlie PPDS:

Generative Modeling with Privacy Tests: A common architecture is a two-stage process. First, a generative model (e.g., a Bayesian network) is trained to learn the joint distribution of the real data, potentially using DP techniques for parameter learning. Then, a privacy test (such as the plausible deniability test) determines whether each candidate synthetic record may be released, based on its indistinguishability among input records and privacy parameters $(k, \gamma)$ . This decouples statistical modeling from privacy enforcement (Bindschaedler et al., 2017).
Randomized Marginals and Domain Modeling: For categorical or weakly constrained domains, algorithms add DP noise to category counts (histograms) and adjust the output to ensure that both seen and unseen domain values receive nonzero probability, thereby preventing adversaries from inferring the absence of rare classes (Rodriguez et al., 2018). The “tolerance for randomness” parameter ( $\rho$ ) directly balances the likelihood of noisy bins from the inactive domain appearing in the output, providing a practical utility–privacy tradeoff.
Bayesian and Probabilistic Models: Hierarchical Bayesian modeling combines smoothing through priors and the integration of DP either in the generative process or the learning phase. Mixture models, VAEs, and autoencoding Bayesian networks are used to synthesize complex data structures while supporting privacy (Jälkö et al., 2019, Guo et al., 2021, Takagi et al., 2020).
Deep Generative Models: Privacy-preserving VAEs, GANs, and diffusion models are trained with mechanisms such as DP-SGD or advanced regularization and noise injection to mitigate overfitting and memorization. The phased generative model (P3GM) structure, for instance, performs differentially private dimensionality reduction before decoding to the data space, reducing the search space and improving robustness to DP noise (Takagi et al., 2020).
Particle Gradient and Optimal Transport: For high-dimensional tabular data, margin-based synthesis methods such as PrivPGD use collections of particles refined via gradient descent to match privatized marginal distributions using metrics like the sliced Wasserstein distance (Donhauser et al., 31 Jan 2024).
Specialized Approaches for Structured Data: Generating synthetic location data employs partitioning, clustering, and DP kernel density estimation, often enhanced with public information such as road networks to constrain outputs (Cunningham et al., 2021). For relational data, probabilistic relational models and factor graphs enable the synthesis of entire relational databases while abstracting away individual identities (Luttermann et al., 6 Sep 2024).

3. Privacy Guarantees and Theoretical Analysis

Rigorous privacy assurances in PPDS are typically provided through differential privacy, plausible deniability, or their randomization variants. For plausible deniability, the mechanism only releases synthetic records if the probability ratio condition

$\gamma^{-1} \leq \frac{P(y=\mathcal{M}(d_i))}{P(y=\mathcal{M}(d_j))} \leq \gamma$

holds for all $k$ indistinguishable records. When the threshold parameter $k$ is randomized (e.g., by adding Laplacian noise), the result is an $(\epsilon,\delta)$ -DP mechanism (Bindschaedler et al., 2017).

For mechanisms based on DP noise addition (e.g., marginal- or histogram-based), each noise channel is calibrated to the sensitivity of the statistic and privacy budget $\epsilon$ , often adding Laplace or Gaussian noise to category counts, histogram bins, and model parameters (Rodriguez et al., 2018, Donhauser et al., 31 Jan 2024). More advanced analyses employ Rènyi Differential Privacy (RDP) to tightly track cumulative privacy loss across iterative procedures, such as in deep generative modeling (Takagi et al., 2020).

Theoretical results show that parameter tuning (choice of $k, \gamma, \epsilon_0$ for the plausible deniability mechanism; $\rho$ for the randomness-tolerance parameter) is critical to balance the rejection rate of synthetic candidates, the amount of noise necessary, and the overall data utility.

4. Empirical Evaluation and Utility Assessment

PPDS methods report experimental evaluations spanning statistical similarity, utility in machine learning, and resilience to adversarial attacks:

Statistical Similarity: Synthetic datasets are assessed for their fidelity to the original data in terms of marginal distributions, pairwise and higher-order joint statistics, and summary statistics. For example, plausible deniability mechanisms yield synthetic data that preserve not just marginals, but also important dependencies among attributes (Bindschaedler et al., 2017).
Machine Learning Utility: The performance of downstream models (such as classifiers and regressors) trained on synthetic data is compared to those trained on the original data. Measures such as accuracy, AUROC, and AUPRC are standard; in multiple studies, utility loss is often within a few percentage points, and in some setups, direct comparison to non-private or differentially private models shows near-equivalent performance (Bindschaedler et al., 2017, Takagi et al., 2020, Ling et al., 2023).
Attack Resistance: Adversaries’ ability to distinguish synthetic from real data or to conduct re-identification or membership inference attacks is critically assessed. Experiments, including “distinguishing games” where classifiers attempt to tell apart real and synthetic records, report that plausible deniability or advanced noise-injection methods make such attacks difficult—e.g., classifiers cannot reliably distinguish synthetic records, with distinguishing accuracy close to chance (Bindschaedler et al., 2017, Rodriguez et al., 2018).

5. Comparison to Traditional Techniques and Practical Considerations

PPDS contrasts with de-identification and direct DP perturbation in several respects:

De-identification provides weak privacy guarantees, especially in the face of adversaries with auxiliary data. Re-identification attacks remain possible if the data retains enough structure, even after the removal of direct identifiers (Bindschaedler et al., 2017, Vie et al., 2022).
Direct Differential Privacy often requires adding noise proportional to the domain size or the number of published aggregates, making high-dimensional data synthesis challenging. Plausible deniability and advanced DP-based strategies substantially mitigate utility loss by relaxing the need to inject noise into every synthesized record (Bindschaedler et al., 2017, Rodriguez et al., 2018, Takagi et al., 2020).
Trade-Off Management: Many methodologies introduce explicit or implicit utility–privacy tradeoff parameters (e.g., $\rho$ in random domain algorithms, $l$ in random mixing frameworks, regularization coefficients in neural generative models) allowing practitioners to tune privacy versus accuracy for specific applications (Rodriguez et al., 2018, Saha et al., 25 Nov 2024, Ling et al., 2023).

Practical implementations highlight efficient parallelization, decoupled privacy tests, and parameter settings that lead to scalable synthetic data generation for datasets of millions of records without loss of privacy guarantees.

6. Limitations, Open Challenges, and Future Directions

Limitations in PPDS include:

The difficulty of tuning parameters for optimal privacy–utility balance, especially as the acceptance rate of privacy tests in plausible deniability mechanisms can become low when privacy parameters are strict (Bindschaedler et al., 2017).
The challenge of learning high-dimensional or complex dependency models under differential privacy, including computational costs or degraded model fitting.
The loss of rare-category information when aggressive noise addition or high thresholds for privacy risk exclusion are required, impacting domain-specific applications (Rodriguez et al., 2018).

Open problems include formalizing privacy guarantees for lifted probabilistic relational models, developing more intuitive tradeoff controls, and improving the scalability of privacy-preserving algorithms for extremely large or unstructured domains (Luttermann et al., 6 Sep 2024).

The field continues to explore more advanced model architectures (e.g., deep generative models, diffusion models, privacy-aware relational models), new theoretical compositions of privacy, and the incorporation of adversarial resilience and compliance with evolving regulatory frameworks (Hu et al., 2023, Kotal et al., 2023).

7. Applications and Impact

PPDS supports secure data sharing and analysis in a range of domains:

Healthcare and Epidemiology: Synthetic health records enable collaborative research on sensitive medical data with strong privacy guarantees (Jälkö et al., 2019, Nahid et al., 30 Dec 2024).
Census and Public Policy: Agencies release synthetic population datasets, preserving aggregate statistics for planning and research without disclosure risk (Bindschaedler et al., 2017, Boedihardjo et al., 2021).
Finance and Education: Synthetic records are generated for analytics, fraud detection, and educational research, enabling safe innovation (Ling et al., 2023, Vie et al., 2022, Saha et al., 25 Nov 2024).
Recommendation Systems and Location Analytics: PPDS frameworks facilitate privacy-preserving synthetic user interaction and geospatial data for commercial and academic applications (Cunningham et al., 2021, Liu et al., 2022).
Machine Learning: Synthetic data serves as a privacy-preserving substitute or supplement for model training pipelines, supporting fairness and robustness research without leaking sensitive instances (Takagi et al., 2020, Chung et al., 24 Jun 2025).

PPDS provides a unifying paradigm for reconciling the competing demands of data utility and privacy, offering statistical validity, formal protection, and scalable methods essential for responsible data-driven science and technology.