Data anonymization provides essential technical support for the circulation and sharing of data. Technology variability also brings many obstacles to the legal regulation of data anonymization. Under the current technical background, China’s anonymization of personal information faces risks such as uncertain identification standards and reversible identity re-identification. The technical risks generated by anonymizing personal information significantly challenge personal privacy interests. The current result-oriented regulatory means lack flexibility in the regulation of personal information anonymization, and it is difficult to mitigate the uncertain risks brought about by technology. Balancing the conflict between individual privacy, corporate economic, and public social interests is the ultimate goal of anonymizing personal information. The superiority of the risk control-oriented concept eliminates the shackles between the realistic demands of data protection and ideal value judgments at the conceptual level, replacing the result-oriented concept. It provides a more practical approach to bridging thinking for the endogenous data compliance and self-regulation of information processors, the protection of rights and the use of data of information subject, and offers new possibilities for the legal regulation of the anonymization of personal information. The legal framework of personal information anonymization with the concept of risk control as the core aims to achieve a dynamic balance between the validity and practicability of data and designs legal mechanisms around reducing the risk in the process of anonymization of personal information. The excellent governance of personal information anonymization regulation can be realized by imposing corresponding information processing risk assessment obligation on information processors. Without the support of normative documents, the risk assessment and evaluation standards of anonymizing personal information are difficult to quantify stably in practice. Therefore, in terms of legal regulation of personal information anonymization, it should be advocated that the protection of the rights of personal information subjects should be the core of anonymization processing of personal information, and the rights of the information subject should be realized by giving the information subject corresponding data rights in the process of information processing. The anonymization of personal information is based on the premise that personal information can be identified, and the definition of personal information should be judged on a case-by-case basis based on specific scenarios. Therefore, the identification of anonymous data should also be understood in a dynamic and scenario-based manner. In terms of implementing risk control means for anonymizing personal information, relevant privacy risk assessment mechanism should be established to provide straightforward data utilization guidelines for information processors and regulate the behavior of information processors.