There's this blog post about it, but it doesn't say anything about what will happen to SimpleX. SimpleX will need to comply with local law, as do all companies, but I am unsure of whether or not SimpleX Ltd. is within jurisdiction, as I believe they are based in the UK (which is no longer part of the EU after Brexit). They would, however, need to enforce the law when serving users in the jurisdiction of the EU regardless of if the law were to pass. I'm unsure how SimpleX would choose to handle that (probably just IP-based blocking, as I highly doubt they would consent to scanning), in which case your best bet is a VPN.
With chat control in the UK, there was an exception that applied to SimpleX, so unless the final law is passed, we won't know if the same would be true for the new EU law. Since servers can be self-hosted, you would likely see unofficial instances pop up that are in unaffected countries if main instances went down, but they would also be legally required to comply with the EU law when servicing EU users (though they might be less likely to do so).
I'd like an official response for clarification, but as far as the law is concerned, there's not much SimpleX can do.
How come? That's rather strange that only SimpleX was an exception compared to other messengers? Do you know why, how?
I believe it had to do with the size of SimpleX (fewer than X employees, or fewer than Y users). I can't fully remember, but I asked about it on Reddit (which I think I probably deleted when I switched to Lemmy).
Somehow a gray zone? But a dangerous one... If they get caught by regulation, what can they expect to get for a sentence by not complying with EU laws?
It would likely be similar to a GDPR violation. The server would have to be reported and investigated, and then a fine will be levied. We will have to wait until we see the final version of the law to be certain, however. SimpleX has new "private routing" servers, which hide your IP address from the SimpleX relays, so perhaps if those become self-hostable, it will be better than a VPN (here's another blog post about that). It would also be incredibly hard to enforce, because the private routing server itself doesn't encrypt your messages, and the SimpleX network has no way of knowing the request came from the EU. That's very much a legal grey area, and I'm not a lawyer, so I don't know how things would actually work out. I still think that using SimpleX's private routing servers would likely not work (since for compliance, my belief is that there would still be IP-based blocking), but it's hard to say.
The other side to this is that all encryption happens on the device (hence why SimpleX is safe even on compromised servers, something detailed in their whitepaper if you're interested), so it may just be that downloads are blocked in the EU. Again, it will depend on the final version of the law, and I'm not a lawyer, so this is all speculation. Since all the SimpleX servers do is transport one already encrypted message to some other endpoint, it may be no issue for them to operate as normal. The law may require that the app checks your location before you can send a message, however, in which case I'm not sure how things would be handled. The app could either check your IP address (bypassable by VPN), or check your location (bypassable by location spoofing). Regardless of which it would use, I find it likely that you will simply be denied the ability to send files (as I believe this law only pertains to files, not all messages?).
Hopefully this law doesn't pass, but if it does, all of this will likely depend on the final version of the law. It could very well be that SimpleX is unaffected due to exemption, as with chat control in the UK.
It seems that you have gotten a response from a SimpleX contributor that confirms that they can't really say what exactly the law passing would mean for SimpleX. It's far too difficult to predict the wording of the law, and it could change at any point, so trying to prepare in advance isn't a realistic option. SimpleX will likely release a blog post shortly after the law passes (if it does) detailing what it will mean for SimpleX. I'd keep an eye on https://simplex.chat/blog/. It's a difficult situation from a legal standpoint, so this whole thing is really hard to say anything definitive about.
This is an issue we at SimpleX Chat are paying close attention to, and it's difficult to predict what laws might be passed in the future. While we cannot provide legal advice on potential future requirements, we believe that providing end-to-end encryption is necessary for public safety, and that any limitations of privacy would both undermine public safety and also violate the European Convention of Human Rights, specifically Articles 8-10, and because of that this law might be unlikely to pass.
This won't stop anti-privacy lobbyists from trying to mislead politicians about the efficacy of such measures in combatting crime, so the role of both the industry and the activists is to engage in an open dialogue, educate politicians about the capabilities and limitations of existing technology, and help figure out alternative solutions that would reduce child abuse online. E.g., we believe that both laws and technology should better support parents in supervising online activities of their young children, without undermining family privacy and end-to-end encryption. That would dramatically reduce the risks for children online.
Many politicians, organizations, developers, researchers, and companies are actively opposing these legislative ideas. If you're interested in supporting this effort, consider signing this open letter highlighting the dangers of compromising encryption.
We also encourage you to share this post about how protecting children's safety requires end-to-end encryption.