Police forces in England and Wales stored up to 18 million mugshots on a huge database without Home Office approval.
A Newsnight investigation revealed "hundreds of thousands" of innocent people may be on the facial recognition database.
Police forces started building profiles, which included photographs, last year, bypassing the Home Office.
Police say the identification bank complies with the Data Protection Act, but Biometrics Commissioner Alastair MacGregor QC told Newsnight he had concerns over the system.
"These are important issues and it does seem to me surprising that they have not been addressed more carefully," he said.
"I think there is always a danger that if you can do something then you will do it, the technology takes over... without giving the attention to the other issues that arise in relation to it as one should.
"If the facial recognition software throws up a false match, one of the consequences of that could easily send an investigation off into the completely wrong direction."
Leicestershire Police identification manager Andy Ramsay told Newsnight the force has a database with 100,000 custody photos and that the system would save money.
"All three [DNA, fingerprinting and facial recognition] have a place. This is developing. This is going to be, I think, the most cost-effective way of finding criminals."