Abstract: The personal information system in the digital age is a pre-emptive protection norm, which aims to prevent the abstract danger that may arise from the abuse of personal information. The risk specification path of personal information protection is in line with the reality of the development of the digital economy and is the best paradigm for personal information protection in the digital age. Risks triggered by personal information processing behaviors can be assessed from the two perspectives of “results” and “behaviors”. The judgment of “high risk” in personal rights violations includes two aspects: the possibility of risk occurrence and the severity of risks. The principle of accountability is the basic principle of the risk regulation path. China’s personal information protection system integrates the two risk regulation paths, i.e., “bottom-up” and “top-down”, but there still exist such problems as differentiated risks, categorized platforms, hierarchical obligations, etc. It is necessary to control the risk path as a whole from the macro level, strengthen the normative guidance of information processors from the meso level, and detail the risk norms under different scenarios on the micro level, so as to form a set of risk controllable, highly efficient and comprehensive protection mechanism.

Key words: personal information protection, risk impact assessment, risk specifications, privacy right, data compliance