Originally posted this on another site, but think it's very applicable to the discussion at hand.
---
I'm not sure how the privacy laws exactly work in the US (or other countries in question)... but in general, Privacy laws prohibit a government agency from handing over personal information to outside entities.
Even transfer of personal information between government agencies is burdened by some pretty heavy regulations.
Now, a private corporation getting what should be confidential information to me, is a serious breach of privacy. So if in the US, this would mean CBP is likely violating some kind of privacy act.
As far as Rolex is concerned, the only interaction between them and Government/Customs should be...
Government: "Here is a watch sent to an unnamed individual in our jurisdiction. Is it fake?"
Rolex: "Yes, it's fake".
Government: "Thanks for the opinion."
And that's it... if anybody is pursue any action, then it's the government's call. Rolex could go after damages, but legally they would have to know your name first. If privacy laws are being followed the only way that would happen is if you were publicly charged.
Then they would have to investigate to find your address and then send the letter. It sounds like personal information is being handed out just for the asking.