Google decided to replace the concept of private album with unlisted album. Basically anyone can access that album if he knows its title and the Gmail address of the author or the URL of a public album. Google even suggested to choose strange names for the unlisted albums, so they're difficult to guess.
Now Google adds a parameter to the URL of an unlisted albums, like:
http://picasaweb.google.com/[gmail address]/AlbumName?authkey=blabla, and denies you access if you don't specify that authentication key. But there's still a problem: anyone who enters the complete address can see the album, the address can be indexed by search engines if someone links to it. So much for a private album.
More context:
Picasa Web Albums launch
No private albums
Authkey parameter makes its appearance