This work addresses fundamental challenges in integrating active learning (AL) with differential privacy (DP), including their inherent incompatibility, inefficient privacy budget allocation, and suboptimal data utilization. We propose the first unified DP-AL framework under standard learning settings. Our method introduces a “stride amplification” mechanism to increase the effective participation frequency of data points in training; theoretically characterizes the failure boundaries of mainstream acquisition functions under DP constraints, thereby establishing the feasibility and practical limits of DP-AL; and integrates DP-SGD, probabilistic batch sampling, and multi-faceted uncertainty/diversity-based querying strategies. Extensive experiments across CV and NLP benchmarks demonstrate that DP-AL significantly improves model utility and annotation selection accuracy while preserving strict privacy (ε ≤ 8). Crucially, we provide the first quantitative characterization of the intrinsic trade-off among privacy, accuracy, and selection fidelity.

Active learning (AL) is a widely used technique for optimizing data labeling in machine learning by iteratively selecting, labeling, and training on the most informative data. However, its integration with formal privacy-preserving methods, particularly differential privacy (DP), remains largely underexplored. While some works have explored differentially private AL for specialized scenarios like online learning, the fundamental challenge of combining AL with DP in standard learning settings has remained unaddressed, severely limiting AL's applicability in privacy-sensitive domains. This work addresses this gap by introducing differentially private active learning (DP-AL) for standard learning settings. We demonstrate that naively integrating DP-SGD training into AL presents substantial challenges in privacy budget allocation and data utilization. To overcome these challenges, we propose step amplification, which leverages individual sampling probabilities in batch creation to maximize data point participation in training steps, thus optimizing data utilization. Additionally, we investigate the effectiveness of various acquisition functions for data selection under privacy constraints, revealing that many commonly used functions become impractical. Our experiments on vision and natural language processing tasks show that DP-AL can improve performance for specific datasets and model architectures. However, our findings also highlight the limitations of AL in privacy-constrained environments, emphasizing the trade-offs between privacy, model accuracy, and data selection accuracy.