Zhou Hanhua: Exploring the Incentive-compatible Personal Information Protection Regime


Stimulating the initiative of local governments and market players through incentive-compatible mechanisms has been one of the successful experiences of China’s reform and opening-up process, as well as a general trend of global regulatory reform and the New Public Management Movement. In the age of big data, data controllers have a very strong incentive to use personal information but lack the same incentive to protect it. Therefore, legal rules that only impose various prohibitive or compulsory obligations on the data controller will not be implemented effectively, because of incentive incompatibility. Although the EU and the U.S. have adopted different approaches to personal information legislation, among other differences, both have been pursuing the establishment of an incentive-compatible personal information protection regime, especially in the last several years along with the coming of the age of big data. However, this trend of development has been ignored by most Chinese experts. The current legislation on personal information protection in China has such problems as separation between external legal requirements and data controllers’ internal governance structure, disconnection between penal sanctions and other legal remedies, and divorce of behavior obligations from legal consequences. The Personal Information Protection Law should take the fostering of data controllers’ internal governance structure as its objective and the establishment of an effective external deterrence mechanism of law enforcement as its safeguard, so as to encourage proactive implementation of responsibility for data security and punish violations of the law. Meanwhile, the Law should recognize in public law the right of the data subject to control his/her own information, and should not avoid the discourse of fundamental rights.
To realize incentive compatibility, China must ensure that the implementation of the Personal Information Protection Law is consistent with the law-making process, proceed from the risk management of information security, and take an incremental, step-by-step approach to the implementation of the law. In conclusion, promulgation of the Personal Information Protection Law fulfills only half of the task, and the fulfillment of the remaining task depends on how we implement the rules.