The type of behavior stipulated in Article 253 of the Criminal Law of China on the crime of infringing on citizens' personal information is only limited to the transfer behavior represented by illegal acquisition, sale or provision of personal information, and the illegal use of personal information is not included in the scope of regulation, resulting in loopholes in the criminal regulation, which reflects the defects in understanding the legal interests of one-sided understanding of personal information autonomy as transfer autonomy and neglect of use autonomy. And then only preventing illegal transfer of personal information is taken as the logic of criminalization, making the criminal law protection of personal information legal interests incomplete. At present, personal information has become a key element in network crimes. The phenomenon of illegal use of personal information has become increasingly fierce. Crimes against citizens' personal information have gradually formed a complete black industrial chain of "provider-middleman-illegal use". Each link has a clear division of labor and strict organization, and illegal and criminal activities are carried out through illegal use of personal information. And then the realization of profits is the root cause of the widespread disclosure of personal information and the proliferation of illegal transactions. The criminal law can only crack down on the illegal transfer of personal information, which can only be a temporary solution, leading to poor criminal governance of crimes against personal information. As we enter the stage of deep mining and application of big data, the use value of personal, property, public and other composite legal interest attributes rooted in personal information has become increasingly prominent in context of the vigorous development of the digital economy, making the autonomy of personal information use more of a core legal interest status than the autonomy of personal information transfer. The focus of personal information criminal law protection should be shifted from the transfer link to the use link. The illegal use of personal information belongs to the downstream behavior, which causes great damage or threat to the personal and property safety of citizens and the social management order. Compared with the illegal transfer of personal information in the upstream, the illegal use of personal information has a more serious legal interest infringement, which is manifested in the root, directness and accuracy of legal interest infringement. Therefore, criminal legislation should be demand-oriented, and it is necessary to reasonably determine the incriminating elements and causes of decriminalization of illegal use of personal information on the premise of following the principle of modesty of the criminal law, that is, taking serious cases without the consent of information subject as harmful behavior, taking personal information that is not subject to anonymous treatment as the object of conduct, and taking the situation that conforms to the reasonable use of personal information as the cause of illegal obstruction. It not only standardizes the use of personal information from the source, but also limits the criminal boundary of illegal use of personal information. While protecting the security of personal information, it promotes the orderly and free flow, reasonable and effective use of personal information, balances the independent use interests of information subjects and the legitimate use interests of information processors, and provides a strong criminal rule of law guarantee for the high-quality development of the digital economy.