BBC Click breaching CMA? I don't think so.
I have to disagree with the lawyers that the program makers could be prosecuted under the Computer Misuse Act 1990. That Act was introduced as a Private Member's Bill as a direct result of the Dr Popp "AIDS Disk Trojan" incident in late 1989 (I am, in fact, the journalist who broke that story in the final edition of PC Business World of that year). Had the Act contained the provisions that were in the draft Bill I saw early in the New Year of 1990 but which was omitted in order to get non-controversial legislation passed, then the lawyers might have a point.
The computers in the botnet used by the BBC were already compromised and were being controlled by their eastern European masters and none of them were in the UK (or the US). BBC Click instructed the botnet to send spam email and then mount a Denial of Service attack that had been pre-arranged and agreed in advance with a security company. Finally the botnet was instructed to replace the Windows Wallpaper with instructions to the machine's owner/user on how to avoid being infected and the trojan programs ordered to self-destruct. Sending spam is not (yet) a criminal offence and mounting the DOS attack was authorised by the site affected. It is only the final two parts of the demonstration that are arguably illegal - changing the wallpaper and getting the trojan to delete itself being an unauthorised modifications. However the BBC can argue that those two acts were a force for good and they acted in the best interest of the user.