The report of the 20th Party Congress put forward the goal of establishing a credit-based system in the market economy and strengthening the protection of personal information. Credit governance involving platform enterprises is a governance innovation guided by Chinese-style modernization and has always occupied an important position in the top-level design of the country. As platform enterprises become the key hub of credit governance, personal credit protection faces the dilemma of unclear boundaries of information processing and imbalance of credit system interests. The theoretical roots behind the dilemma of personal credit protection must be carefully explored to prevent the alienation of credit co-governance into credit control. There are gaps in the current credit legal system in terms of rights attribution, procedural design and liability mechanisms, resulting in personal credit constituting only a reflexive interest. The traditional paradigm of power restraint can hardly respond to the need for personal credit protection in the digital age, and new types of information rights are fundamental to solving the dilemma, with data circulation rules helping to address the high cost of rights. The legal framework for personal credit protection should be rebuilt by improving the rules of data circulation around the system of rights of individuals in information processing activities. Firstly, it is important to clearly define the degree of sensitivity of information and its credit judgment value function, and apply hierarchical consent rules to information processing in the credit field: separate consent and eligibility access rules for positive sensitive personal information that benefits the information subject, and application of liability rules; and no-trade rules for negative sensitive personal information that is unfavourable to the information subject in general, except for purposes based on public interest. Secondly, the commercial practice of data circulation in the credit field requires a shift to a behavioural risk regulation model, the implementation of contract-centric rules of domination and the appropriate use of special rules to strengthen the credit protection of individuals. Among them, the data sharing between platforms and economic organisations should have three types of inclined protection measures, namely standard contract text, enhanced platform liability and rules on the allocation of the burden of proof, in addition to the consent rules. The data circulation between platforms and administrative departments should establish a circulation order with subject liability and remedial mechanisms as key elements.