Police in England and Wales have uploaded 18 million mugshots to a database - despite the fact that many are of innocent people.
While the database complies with the Data Protection Act, a court ruling three years ago found that storing photos of those not charged or cleared of an offence could be illegal.
The files may contain "hundreds of thousands" of innocent people's faces, an independent commissioner told the BBC.
Almost every police force has uploaded pictures to the database, which is used to catch criminals.
It has garnered concern from MPs and even the Met Police Commissioner Sir Benard Hogan-Howe, who admitted that the law needed to be clarified.
The national database could be a useful tool for catching criminals complemented by facial-recognition technology.
However, biometrics commissioner Alistair MacGregor QC warned that the tools are not sophisticated enough to be relied upon.
He said: "If the facial recognition software throws up a false match, one of the consequences of that could easily send an investigation off into the completely wrong direction."
Despite this, a number of police forces - including the Metropolitan Police and Leicestershire Police - have already begun using the technology to catch criminals, alongside DNA and fingerprinting techniques. Border Force at British airports and UK spy agencies also use the technology.
Mike Barton, the head of the Association of Chief Police Officers, said that forces need to use cutting-edge technology.
"I hear much criticism of policing that we are not up to speed and it does come as a surprise to me that we're now being admonished for being ahead of the game.
"If parliament chooses to regulate our use of photographs over and above that which we already have, then I'm more than happy."
Reportedly, police forces began using the technology in 2011, following the London riots.
Sign up for Computerworld eNewsletters.