Canberra has known for years that it needed to update its privacy laws to guard against the metastisising cancer of identity theft.

Way back in 2004, the Howard Government reviewed the Privacy Act and found it to be hopelessly inadequate in the face of accelerating digital technologies. A Senate inquiry followed in 2005, resulting in another, er, review, this time by the Australian Law Reform Commission, starting in 2006 and reporting in 2008.

It took another year for the then Cabinet Secretary, Joe Ludwig, to release the government’s first stage response to the ALRC’s 295 recommended changes. We’re still waiting on the second stage. Ludwig has gone, having done little to advance the issue, replaced late last year by Brendan O’Connor, the first fully fledged Minster for Privacy.

It wouldn’t be fair to lay blame for the Commonwealth’s tardiness in updating its privacy laws at the feet of O’Connor, but Ludwig surely has some splainin’ to do about why, three years after he took carriage of the ALRC’s reform recommendations, we’re still waiting for action. Especially since the government has accepted most of them.

Privacy law is hugely complicated and not particularly sexy. Most of us think of it in terms of inconvenience, when a bank or utility company won’t talk to us about an account held by a partner or flatmate. But the importance of having robust, coherent and enforceable legislation, and a well funded agency, in this case the Privacy Comish, to do the enforcing has been thrown into stark contrast by last week’s Sony Playstation network breach.