France has threatened to fine the facial recognition company Clearview AI for unlawfully collecting citizens' data.
The French data protection watchdog (CNIL) said the American company had collected thousands of photos of French citizens without their consent.
The authority has formally ordered Clearview to delete its database of images within two months and stop collecting data.
CNIL said in a statement that the company had violated the European Union's strict General Data Protection Regulation (GDPR).
"The collection and use of biometric data are carried out without a legal basis," the watchdog said on Thursday.
Clearview was also cited for failing to "adequately and effectively address the rights of individuals, including requests for access to their data."
CNIL added they had launched an investigation after first receiving complaints about Clearview's software in May 2020.
The watchdog said it would be permitted to fine the US company if the data had not been deleted in two months' time.
Clearview has previously stated that it has "never had any contracts with any EU customer and is not currently available to EU customers."
What is Clearview AI?
The US software company Clearview AI (artificial intelligence) has branded itself as "the world's largest facial network."
According to France, Clearview has amassed a database of 10 billion images of global citizens. These images have largely been taken or "scraped" from photos and videos uploaded on the Internet -- such as via social media platforms.
The company then markets this data through its facial recognition software, for example selling it to law enforcement bodies to help identify offenders.
But Clearview has been faced criticism for its policies on matching citizens' identities.
"The vast majority of people whose images are captured and entered into the system are unaware that they are affected," CNIL said.
"This company does not obtain the consent of the persons concerned to collect and use their photographs to feed its software," the watchdog added.
"Nor does Clearview AI have a legitimate interest in collecting and using this data, particularly in view of the particularly intrusive and massive nature of the process."
The CNIL said several tens of millions of French internet users had their data scraped by Clearview AI. The company was also cited for restricting people's ability to access their own data.
Further privacy complaints across Europe
The French watchdog is the latest body to begin action against Clearview AI, even though the company claims it is not bound by GDPR.
In November, the UK's independent Information Commissioner's Office (ICO) recommended fining the company over £17 million (€20 million) for data privacy violations.
"The evidence we've gathered and analysed suggests that Clearview AI were and may be continuing to process significant volumes of UK people's information without their knowledge," said Commissioner Elizabeth Denham.
Facebook -- which recently said it will shut down its own face-recognition system -- has also called on Clearview AI to stop harvesting Facebook and Instagram user images.
Privacy campaign groups in the European Union have also filed legal complaints with European regulators against Clearview AI.
Organisations from Austria, Italy, and Greece said in May that the US company had stockpiled biometric data on more than 3 billion people without their permission.
The stockpiling of citizens' photos has raised some concerns in the bloc that the type of surveillance seen in China could also happen in Western democracies.
Under GDPR, data protection authorities in EU member states are permitted to impose fines of up to €20 million, or 4% of a company's global annual revenue.
Clearview AI could also face similar action from any of the bloc's 27 watchdogs, as it has no established base in one particular EU country.