Rockafeller said:
are WIPO cases binding by law?
No. You are bound solely by your acceptance of UDRP arbitration in the Terms and Conditions of the contract you entered into with your registrar when you registered the domain.
If not, what is the point of them?
To provide a cheaper and more efficient means of solving disputes than the court system.
What does it take for an attorney to get the WhoIs information from a registrar where the domain name shows "Privacy Protection?"
The same as it takes for everyone else:
1) A simple, ideally well-documented complaint to the registrar/privacy service provider can be enough in many cases. Your chances are particularly good if you can provide proof that the registrant violated the Terms and Conditions of the privacy service agreement.
2) A subpoena should also work
There are far superior methods to protect your privacy than these "privacy services", which are probably much better at bilking you out of money than protecting your privacy. A suitable corporate structure set up with privacy protection in mind would probably be a better choice if you really need to be concerned about this.
If you're interested in actual UDRP compliance, try a google search for Joker + UDRP. Some claim there are flaws in the way ICANN enforces UDRP compliance in their relationship towards registrars.