Differentially Private Policy Gradient
Alexandre Rio, Merwan Barlier, Igor Colin
TL;DR
This work tackles the privacy risks of reinforcement learning by introducing a practical, scalable framework for differentially private policy gradient with on-policy updates. By reframing DP noise as a mechanism to enforce trust-region constraints, it preserves key properties of non-private policy gradient and TRPO/PPO-like methods, while providing trajectory- and joint-DP guarantees. The authors derive theoretical bounds for update-trust regions under DP noise (using distributions such as non-central $\,\chi^2$) and present a practical algorithm that clips per-user gradients, aggregates them, and injects Gaussian noise to obtain $(\epsilon,\delta)$-DP. Empirical results across tabular and continuous control tasks, personalized dosing, and RLHF demonstrate favorable privacy-utility trade-offs, enabling private RL deployment in real-world scenarios and offering a path toward private RL for LLM alignment.
Abstract
Motivated by the increasing deployment of reinforcement learning in the real world, involving a large consumption of personal data, we introduce a differentially private (DP) policy gradient algorithm. We show that, in this setting, the introduction of Differential Privacy can be reduced to the computation of appropriate trust regions, thus avoiding the sacrifice of theoretical properties of the DP-less methods. Therefore, we show that it is possible to find the right trade-off between privacy noise and trust-region size to obtain a performant differentially private policy gradient algorithm. We then outline its performance empirically on various benchmarks. Our results and the complexity of the tasks addressed represent a significant improvement over existing DP algorithms in online RL.