Re: muddy the waters
Tha's how I read it too. I read it that Twitter generated a list of advertising targets, twitter account identifiers, having been given a list of various identifiers to try and produce this list. This externally provided list included telephone numbers and email addresses and while it would have been acceptable, to varying degrees of acceptable, to match these to published Twitter account profile records, it was definitely not acceptable to match these against data provided solely for the purpose of account recovery and verification. In other words, while Twitter is correct in that they did not provide these personal details to an external organisation (advertiser) they did process the provided personal data in a manner which was contra to its intended and published and agreed purpose and therefore the processing was in violation of the GDPR. Even if Twitter did not provide the list of advertising targets externally, which I'm reasonably sure that they didn't, the abuse of the personal data that was not provided for this purpose is the issue.