I recently came across this article from E-Commerce Times (via a Paul Madsen tweet) that is worth a read. It provides a good high-level summary of legal considerations for federated identity implementations. A quote:
“Many of the legal issues arise when things go wrong, such as incorrect identification, faulty authentication, or misuse of personal data…”
While it is US-based, it highlights many of the issues that we will face with Canadian implementations.