In recent years, the total amount of global data has grown at an exponential rate, most of it resulting from ″human behaviors″ and thus is ″personal data″. The drive and synchronization of those data are indispensable for the development of a variety of technologies, such as the Internet of Things, Big Data, Cloud Computing and Artificial Intelligence. However, the aggregation and circulation of personal data has the risk of violating individual privacy. Therefore, how to govern personal data in the information age has become a difficult problem. In this regard, we would like to discuss issues in personal data governance for modern states from four aspects. First, a goal of data governance should be to evolve with the development and the needs of the times. And the objectives of privacy protection as well as data circulation and utilization should be balanced and achieved in coordination. Second, the objects of governance need to be distinguished with different systems designed for protecting personal information with the fields of public law and private law. This is because public law concerns the self-restriction of state power, while private law is using public power to regulate private relations. In particular, the actions of handling of personal data by private citizens in a purely personal manner should not be regulated（ex ante) by personal data protection legislation. But it should be appropriate by using（ex post) regulatory means to strengthen criminal deterrence and increase the cost of rights infringement. A possible result of improper（ex ante) regulation may lead to infringement of the most basic freedom of thoughts and freedom of actions of individual citizens that may be viewed as an over-correction. Third, we should focus on innovation in the mechanisms of governance. Data dividends are internal driving forces for companies to collect, use, and exchange data. Relying solely on command-control type of governance cannot alter a company's profit-driven nature. Economic incentives, such as financial supports, tax breaks, and market access, could be used to encourage companies to adhere to the rules of personal data protection. In addition, the government can increase citizens awareness of privacy protection, and thus effectively trigger social supervision mechanisms, forcing companies to abide by the rules of data protection. Fourth, an ″informed consent″ framework needs to be properly designed. It should be noted that the reason why personal data has value is because of its ″reusability″. Therefore, to what extent personal data is protected is a question of how to control data flow. We try to address this issue by constructing a theoretical model of ″data pool″. ″Data pool″ is personal data, with the consent of citizens that can be collected and put into a ″pool″ and then become ″public goods″. Personal data in this ″pool″ can be shared, traded, or used（only) by ″eligible firms″, in a variety of ways without the need for consent from the original data owners. However, tort law, criminal law, and relevant administrative laws and regulations that protect citizens privacy will still constitute the boundaries of handling personal data. The so-called ″eligible firms″ refer to those having met the requirements of safe use of data in all dimensions, such as technical precautions and risk warning, and having obtained ″data access permission″. Whether a party agrees to allow personal data to become public goods depends on factors such as privacy preferences, incentives（for example, commercial discounts), and the enforcement of privacy policies. Legislators should set up ″guiding principles of public goods plus agreed exemptions（which means citizens can grant the usage of their personal data to only one or several companies and restrict the scope of personal data being used)″ to encourage and guide personal data to be circulated as public goods. Those principles should be supplemented by rules of private rights（such as rights to information, amendment and termination), appropriate administrative means of supervision（such as registration of data collection and data transferring, with data transferring restricted among only ″eligible″ companies) and administrative incentives. The above theoretical model should be supported by a unified data resource platform. At this time there are experimental big data trading centers established in China that function as hardware assurance for the above theoretical model.