At last, some common sense
This ruling is good news all round. The UK Computer Misuse Act 1990 has no such provision, and the UK Data Protection Act 2018 only offers a defence - and, interestingly, only after mandatory self incrimination as there's a requirement to inform the ICO of the unauthorised act (in that case reversing the anonymisation of personal data). Many of us have for years (ever since the DMCA) been fighting for the right to carry out legitimate investigations in the public interest without threat of prosecution in cases where "authorisation" is not practicable. Maybe the tide of opinion is finally changing - we can but hope.