My privacy budget ran out ... what now?

[ibarrond]

Hi! I am wondering, in a scenario where the end user Joe controls all the information he discloses and thus has an idea of his own privacy budget, what would Joe do if he were to run out of privacy budget?

Imagine, for example, that Joe gave his DP-protected age and gender to 50 surveys to perform statistics. But now he checks his remaining privacy budget and realizes that he ran out! does this mean that he can never again, by no circumstance, share this information linked together? or is DP rather applied to the results of these surveys?

[znreza]

@ibarrond thanks for the great question! I am quoting the answer from here, page 24.

Suppose a data analyst using a differentially private analysis tool is required to do so while maintaining differential privacy with an overall privacy loss parameter epsilon = 0.1. This requirement for the overall privacy loss parameter may be guided by an interpretation of a regulatory standard, institutional policy, or best practice, among other possibilities. It means that all of the analyst’s analyses, taken together, must have a value of epsilon that is at most 0.1.

Consider how this requirement would play out within the following scenarios:

One-query scenario: The data analyst performs a differentially private analysis with a privacy loss parameter epsilon_1 = 0.1. In this case, the analyst would not be able to perform a second analysis over the data without risking a breach of the policy limiting the overall privacy loss to epsilon = 0.1.

Multiple-query scenario: The data analyst first performs a differentially private analysis with epsilon_1 = 0.01, which falls below the limit of epsilon = 0.1. This means that the analyst can also apply a second differentially private analysis, say with epsilon_2 = 0.02.
After the second analysis, the overall privacy loss amounts to

epsilon_1 + epsilon_2 = 0.01 + 0.02 = 0.03,

which is still less than epsilon = 0.1, and hence allows the analyst to perform additional analyses before exhausting the budget.

The multiple-query scenario can be thought of as if the data analyst has a privacy budget of epsilon = 0.1 that is consumed incrementally as she performs differentially private analyses, until the budget has been exhausted. Performing additional analyses after the overall budget has been exhausted may result in a privacy parameter that is larger (i.e., worse) than epsilon. Any further use
would result in a privacy risk that is too significant.

In the above example of the multiple-query example, we bounded the accumulated privacy risk simply by adding the privacy parameters of each analysis. It is in fact possible to obtain better bounds on the accumulation of the privacy loss parameter than suggested by this example. Various tools for calculating the bounds on the accumulated privacy risks in real-world
settings using more sophisticated approaches are currently under development.

[ibarrond]

Although I understand these two scenarios, I fail to translate it to my original question. if your privacy budget runs out (in either of the scenarios), does this mean you can never again share the data involved for any DP computation whatsoever? with absolutely no-one?

And if you can... how? What would be the relationship with the previous DP computation/budget?