Legally, there isn't one. White/Black/Grey Hat isn't usually a matter of legality, although there are some cases where the laws are unclear or just haven't been written. Generally though, matters of law are "white" or "black" with little room in between.
Morality is a bit more flexible though, and this is where the "grey" term comes in. Let me give you some examples.
- Hacker who always asks for permission, and discloses vulnerabilities only to the affected parties and/or public per processes approved by the affected parties: White Hat.
- Hacker who rarely, if ever, asks for permission and keeps vulnerability data for his own use or sells it to other malicious actors: Black Hat.
That's as clear-cut as it gets. The greying comes in when you have someone who uses Black Hat methods (e.g., pentesting without permission) to achieve White Hat goals (e.g., informing vendors of vulnerabilities in their product).
This is the functional (though not legal) equivalent of someone going around the neighborhood and jiggling door knobs, then telling homeowners that their doors were left unlocked. Is that guy maybe a little creepy? Sure. But you can't argue (with the presumption that this is all that he's done) that his intentions are not noble.
In terms of testing the security of your systems, the grey hats aren't doing much that black hats aren't already doing. The grey hats are just nice enough to not be doing damage while they're at it, and will actually tell you about it when they're done.