(ε, δ)-Differential Privacy is a formal privacy definition where a randomized mechanism M guarantees that for all neighboring datasets D and D' and all output sets S, the probability Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ. The parameter δ represents a small, typically cryptographically negligible, probability that the strict ε-privacy bound is violated, relaxing the pure ε-differential privacy guarantee.
Glossary
(ε, δ)-Differential Privacy

What is (ε, δ)-Differential Privacy?
A relaxed definition of differential privacy that introduces a small failure probability δ, allowing the strict ε-guarantee to be violated with negligible chance to enable more practical and efficient mechanisms.
This relaxation enables the use of the Gaussian mechanism, which adds noise calibrated to the L2-sensitivity, and permits tighter composition under repeated queries compared to pure ε-DP. The δ parameter is typically chosen to be much smaller than 1/N, where N is the dataset size, ensuring the privacy failure probability is negligible relative to the risk of a record being included in the dataset at all.
Core Properties of (ε, δ)-DP
The (ε, δ)-differential privacy framework introduces a failure probability δ, allowing for more efficient mechanisms like the Gaussian mechanism while maintaining a provable, albeit slightly relaxed, privacy guarantee.
The Failure Probability (δ)
The parameter δ represents a small, cryptographically negligible probability that the strict ε-differential privacy guarantee is violated. This allows a mechanism to output a result with a privacy loss exceeding ε, but only with probability at most δ. This relaxation is not a bug but a feature, enabling the use of the Gaussian mechanism and tighter composition theorems, which are essential for iterative algorithms like DP-SGD. A typical choice for δ is much smaller than 1/N, where N is the dataset size, ensuring the violation is statistically unlikely to affect any single individual.
Gaussian Mechanism Enablement
The core motivation for (ε, δ)-DP is that pure ε-DP is incompatible with the Gaussian mechanism. Pure ε-DP requires noise from a Laplace distribution, which has a heavier tail. The Gaussian mechanism adds noise calibrated to the L2-sensitivity of a query, but its privacy loss is unbounded. The δ parameter explicitly accounts for the tail probability where this loss exceeds ε. This is the foundational mechanism for Differentially Private Stochastic Gradient Descent (DP-SGD), where Gaussian noise is added to clipped gradients in every training step.
Advanced Composition
A key property of (ε, δ)-DP is its behavior under composition. When multiple (ε, δ)-DP mechanisms are run on the same dataset, the total privacy loss accumulates. The advanced composition theorem provides a much tighter bound on this accumulation compared to basic composition. For k mechanisms, the total privacy loss is roughly O(√k * ε, kδ + δ'). This sub-linear scaling is critical for training deep learning models over thousands of iterations, allowing a meaningful privacy budget to be tracked and maintained by a moments accountant.
Group Privacy
(ε, δ)-DP provides a graceful degradation of privacy for groups. If a mechanism is (ε, δ)-DP for a single record, it is (kε, k * e^(k-1)ε * δ)-DP for a group of size k. This means the privacy guarantee weakens predictably for correlated data or when protecting a user with multiple records. This property is crucial for defining user-level privacy, where all contributions from a single user must be protected, often requiring a larger privacy budget allocation than item-level privacy.
Post-Processing Immunity
Like pure ε-DP, (ε, δ)-DP is immune to post-processing. Any arbitrary computation applied to the output of an (ε, δ)-DP mechanism cannot weaken the privacy guarantee. An adversary with access to the output cannot increase the ε or δ values, regardless of the auxiliary information they possess or the transformations they apply. This property is vital for system design, as it guarantees that privacy is not compromised by downstream analysis, visualization, or model publishing.
Hypothesis Testing Interpretation
The (ε, δ)-DP guarantee has a powerful operational interpretation in terms of membership inference attacks. An adversary trying to distinguish between two neighboring datasets based on the mechanism's output cannot have both a low false positive rate (Type I error) and a low false negative rate (Type II error). The parameters ε and δ define a trade-off function between these errors, formalized by Gaussian Differential Privacy (GDP). This provides a concrete, semantic meaning to the abstract privacy parameters.
Frequently Asked Questions
Clear answers to the most common questions about the relaxed (ε, δ)-differential privacy definition, its mechanisms, and its practical trade-offs.
(ε, δ)-differential privacy is a relaxed definition of differential privacy that guarantees a randomized mechanism M satisfies Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ for all neighboring datasets D and D'. Unlike pure ε-differential privacy, which requires the output distributions to be multiplicatively close, this definition allows a small probability δ (typically cryptographically small, like 10^-5 or smaller) of the strict ε-guarantee being violated. This relaxation enables the use of the Gaussian mechanism instead of the Laplace mechanism, which provides better utility under composition and is essential for practical algorithms like DP-SGD. The δ parameter represents the probability that the privacy loss exceeds the ε bound, effectively allowing a 'failure probability' for the privacy guarantee.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding (ε, δ)-Differential Privacy requires familiarity with the core mechanisms that implement it and the mathematical concepts that govern its guarantees.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us