For those not in the know Clearview scraped selfies off the Internet to amass a database of 10 billion of faces to power an identity-matching service it sells to law enforcement.
The Italian watchdog backed that the company must delete any data on Italians it holds and never process citizens' facial biometrics again.
The agency said its investigation was instigated following "complaints and reports," it said, noting that as well as breaches of privacy law it found the company had been tracking Italian citizens and people located in Italy.
"The findings revealed that the personal data held by the company, including biometric and geolocation data, are processed illegally, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company," the Garante said in a press release.
Other General Data Protection Regulation (GDPR) breaches it identified included transparency obligations (on account of Clearview not having adequately informed users of what it was doing with their selfies); violations of purpose limitation and having used user data for purposes other than those for which they were published online; and also breaches of data retention rules with no limit on storage.
"Clearview AI's activity violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against," the authority also said.
Clearview CEO Hoan Ton-That shrugged and said that his company did not have an office in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
Ton-That added: "We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI's technology to society. My intentions and those of my company have always been to help communities and their people to live better safer lives."