The development of big data and AI has made enterprises rampantly collect, process and use personal data. EU has recognized the protection of personal data also belongs to the protection of human rights in European Human Rights Convention. On May 25, 2018, the implementation of GDPR declares the prelude to personal data protection in the era of big data was unveiled. Though United States also provides protection for information privacy, it shows differences in legislative structure and regulatory framework comparing with EU. This article refers to the norms and regulations of data protection in Europe and the United States, and proposes a new regulatory framework for personal data protection, in order to find a balance between promotion of information flow and protection of individual rights, and also provide amendement suggestion for Taiwan Personal Data Protection law in the near future. The second chapter of this article begins with the famous case of Taiwan Health Insurance Database. It points out that the current law can neither promote the information flow nor protect individual rights and fall into the dilemmas. Therefore, the third chapter discusses the entitlement of personal data by analysising the adquacy of “property rule” and “liability rule”. This article finds personal data should be protected by “property rule” by taking GDPR as an example. In addition, the current law should further amend the relevant provisions in order to comply with the property rule. The fourth chapter discusses the two consent models derived from the principle of "informed consent", one is "opt-in" and the other is "opt-out". These two models are represented by EU and the United States respectively. However, in view of the failure of notice system, the booming business model of "take-it or leave-it"; and the shifting trend of regulatory attitude, this paper believes that Taiwan personal data protection law should adopt the "opt-out" model in the future to facilitate the flow of information. Finally, this paper believes that the current law lacks an ex ante data protection impact assessment risk management mechanism which isn’t enough to cope with high-risk behaviors such as “profiling” and “automated decision-making” in the future, and also lacks ex post regulatory means for mispresentation or omission of notice. Thus, Taiwan Personal Data protection law should adopt EU data protection impact assessment and target “deception” and “unfairness” conducts by referring to US FTC Act.