Different jurisdictions have different criminal law attitudes towards the illegal use of personal information, i.e., no criminalisation, selective criminalisation based on specific conditions, or overall criminalisation. China should move from the first approach to a new approach. China’s criminal law has adopted a traditional privacy protection strategy focusing on information transfer. The existing crime of infringing on citizens’ personal information is limited to addressing the illegal acquisition and provision of personal information. Nevertheless, it fails to fully consider the core position of the right to use in the full life cycle of the autonomous operation of personal information. By doctrinal analysis, the urgent and precise risk of further damage to citizens’ personal lives, property, and social order contained in illegal use provides a solid basis for criminal law regulation. According to policy analysis, in jurisdictions where information technology such as big data and AI is widely available, for example, China, the illegal use of personal data particularly disrupts the community’s sense of security. Criminal law should expand its scope, but it must justify its reach. On the one hand, by categorizing the illegal use of personal information, a comprehensive judgement can be made about whether to criminalise certain behaviours according to the degree of infringement on personal information autonomy, the harm to other legal interests, and the level of personal danger posed by the perpetrator. On the other hand, the corresponding reasons for exceptional noncriminalisation should be determined in the respective private, personal, and social spheres to achieve a balance between protecting citizens’ autonomy in using personal information and highlighting the value of data circulation. This investigation process and the results can serve as references for member states of the GDPR and other jurisdictions seeking more rigorous protection of personal data in contemporary society.